Overview

overview

7

Static

static

3

OfficeSetup.exe

windows7-x64

1

OfficeSetup.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    1050s
  • max time network
    1056s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/04/2024, 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OfficeSetup.exe

  • Size

    7.4MB

  • MD5

    6734e19c42beb0510fa977292a1c787a

  • SHA1

    148cf04c21c63d8c8df6cf059531f5e58c0fd736

  • SHA256

    839940b0be153d81eca12a4ed058699289d7787a2fc03dcf6784371c36e5fae6

  • SHA512

    078cfc6889aff05eb7ff3f9881f632e9a50a34aa79a5dab9d1ba75784a6d6da671c821a63e8b4d59fa3e9d299bd6662dd50ea446b53c02ac19bd0139e799b3ab

  • SSDEEP

    196608:YHQAM/ITOdm1YS8kQJPrNfcJwsIkKJkaoJGf8v24taI6HMaJTtGbM:/T/8OdF/kQhrDkz2r

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 35 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks system information in the registry 2 TTPs 8 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe"
    1⤵
    • Checks computer location settings
    • Checks system information in the registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.17425.20176 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True scenario=CLIENTUPDATE
      2⤵
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2832
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.17425.20176 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4244
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks system information in the registry
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4360
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks system information in the registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1856
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3604
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:5484

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVPOLICY.dll
        Filesize

        1.0MB

        MD5

        20ae1459b18c035d187ebd44d6fe23c2

        SHA1

        9fd7012e099ab2c8a39341e7260f050e6c997a6d

        SHA256

        f694caa849ce8b91e5ff374af38c8fc13af15b477b6f3401a13056da11d6f818

        SHA512

        978ab47b667ca96cb16c02a19692433d1dd46f1209a4fc17e6ebab026b3a665b98298ef1df877faf77d3fd460f052da80c2e6d1ed40cbcb2da97bb648700e585

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvApi.dll
        Filesize

        405KB

        MD5

        69d9cc8fcfb951ec44c7d9f26bcb3499

        SHA1

        243b233b74a96d2676a0a2c3dec02904944c97cb

        SHA256

        0167466a80c29b10f0cfda34c745930d96a1117d6a9b7838efd6ae77156df495

        SHA512

        18c588224cd6e5a3b82d27c98f6f92bcf6efb111b11f0c6695ecd9ea1b0dfebf1e5575a4d0fa1e193890a3d7409a041fa5f1322262da095a9f16e5b284a48eab

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll
        Filesize

        1.0MB

        MD5

        c9f1a48e9594a1e00a754d0bf50fa6cd

        SHA1

        c07ac2f5d10c007e33a76261dd4b9f5a7ca9a67e

        SHA256

        b9ce70c3b1a73efe80753a05d93d1f84d43456095e1f72358a7cc5c48444d0b3

        SHA512

        3a1edfdce7884558a9ad728e897ef0b3268c18f68b79441fe6eaa4505cbb9ba757b9907ece46781d09e57e32c949e64c973e4ac848bfe9b88c53777e0c05bbff

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll
        Filesize

        829KB

        MD5

        ddc59d3df358f9372708531b977848c3

        SHA1

        e1a0f9b58dc5579bbd5845bb6d3a7da3b5d8b7da

        SHA256

        fedc8cf10ab72e7a0ec3a493356157028fe16d2ae97f73dead28fffde1b7c935

        SHA512

        4b75fe159eeadd71fea2e3b569796ce547808bff5c183d271e3d2aed7ef11311121f7ec768bcbc1c0354b771f971aa2b46836a8a6c2b0c1d2f8b21922943dbd3

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\IntegratedOffice.exe
        Filesize

        5.1MB

        MD5

        75e46c342e51ddcfd2b0ad7b18a47e61

        SHA1

        bfc1042128cdd9ba73e7954cf5327ddc2cbb3459

        SHA256

        96b47d7d0d8d3b12075b7a0d13f90a7c2df032a265511790c00b7ab4f004990b

        SHA512

        1a26ca09ea8a3130fa1b9509349ac7d94469d8fc96d6b816b2638f449910955efc3238af5004bc10e1bf7149b15b9f4dd2f372d483f7cd99b41acf2cc247a036

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSIX.dll
        Filesize

        2.0MB

        MD5

        47a05aec297a3193754eab4e6b46afd1

        SHA1

        6f65a187c73e2e55feec7300230e8a59326b09f5

        SHA256

        06bf1de1fda59eea875ff942ed1c2e8399b31efc2e3ca6fed1348c56b5defba3

        SHA512

        ddcac38d8af0b5d50ace0c09ecc7a1a62aa5ae20b6e2480237dc6029d74664229690208c5cbe401ba8b3168016cb52ec6c650f51301d680d448437404e0ac84c

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSVCP140.dll
        Filesize

        559KB

        MD5

        c3d497b0afef4bd7e09c7559e1c75b05

        SHA1

        295998a6455cc230da9517408f59569ea4ed7b02

        SHA256

        1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

        SHA512

        d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140_1.dll
        Filesize

        48KB

        MD5

        eb49c1d33b41eb49dfed58aafa9b9a8f

        SHA1

        61786eb9f3f996d85a5f5eea4c555093dd0daab6

        SHA256

        6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

        SHA512

        d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\appvisvsubsystems32.dll
        Filesize

        1.3MB

        MD5

        75e832bb1529d87a88ef49034e381930

        SHA1

        9b8a52c3c9b3a88c3bdd3b5f5aeb0aecc3df67e8

        SHA256

        4a7ac11ff22d5d842c47be8df6ca98f99c7d48e7ab2f638ccd01eae253e424b0

        SHA512

        6e285a0484d57f6de0ca78a24fb46d9626741d764356d12e2ea6fab32e00a3f285ea0722b89b5a63c11179a5d1ed2a065f97b9399f63f67981fad01967ae654e

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\repoman.dll
        Filesize

        5.7MB

        MD5

        ec3f98182da4d10c0f4a3f7a01ee50cf

        SHA1

        380b71faa9cccd1a2e7d5e8cf2d1100f60c3b29d

        SHA256

        2dc9ab16e59688e50f04928fe098fc40d693c6454d1d9e0404df912254f1e132

        SHA512

        a13285b00f7b8a13704944312a736b020b3d1e3f9753b582cc26fed0db0ec5a2f6f19a07341b21f693451b33c933694605274beaca81ce25827c9fe2e34b8d8e

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
        Filesize

        532KB

        MD5

        c020ac63dd9de96a169fc1b3bcc014a5

        SHA1

        66c037d5e4e9bfb1aebbfdf9d4b15eee0f852929

        SHA256

        76c20553c8072c3ad729904b27e9c10692fa0e91db06f359bd49e868ef323010

        SHA512

        7698adb46c7c5da979bc667cd7b74c8fadcba154d946264f5f5337ca618a67fc675ce708669884f774fc87811cd3e1671fa5e2d15a7fc12a539389322892a65f

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll
        Filesize

        597KB

        MD5

        647a0967315ed80dd590fe111f38bed7

        SHA1

        f311845d591fcab6c9b086f519e6f83b52ba960d

        SHA256

        95a069ff97824a004d4fada58a23c78b775db72de5570a05977355149df67cb6

        SHA512

        0178a3f488e6972ca87a56fcb4bad16679df88149ae265e29c8a2aac3bea75de1cce5e82575de0eef4303bfdbab2593d96e5074f10a7561c83cde22972590d7e

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll
        Filesize

        297KB

        MD5

        94d6fb63e0fcc7db6ce26674e61a06f6

        SHA1

        34d019f759db4649d89f584437804597b5d02395

        SHA256

        53090adc6e512a6cc52fdd7640736b9352537e757520db7b808857f179bfb3a3

        SHA512

        83a4a927a10fa5210f54908c43c6d68a09ef1aae0aaac40538b4f9252bc01f7b2e3f3e56fe2ee89f0f739918f2559e6af63f58af914f68ba97927245324d7843

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll
        Filesize

        1.6MB

        MD5

        df8403e03a06679d9077a4161849671e

        SHA1

        6635f842092ba46af0520ce0fdb978c6b12a7be7

        SHA256

        49738cd60073b83e07957faaf57ac2fee48fb44eb9a69d9a96591b9fb045d06c

        SHA512

        433a869ba671361f7a72601cf9f47dd560aff5abdb69557ae8cf9d7572646a762e711e7f3dba32f5c04b2e8865c8bc29227cd5197a7cb0762131e8baf4ec8b18

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll
        Filesize

        189KB

        MD5

        5cb3f3f7d8d9afe46bf220b1076f7272

        SHA1

        f6ba4dd48e9deddf6094c9f5fb1bcf761e9e31d7

        SHA256

        97119e4ac0b990aabdcb218dce06c2752bf4e37ad7139390cbfd466b1b67889c

        SHA512

        42f8813eb73e1757e200d18e5ae7ee381000466cb9eee11d11993b81ff9b2364995dc293e3109f7e1cb35a2081b0ccc46942afcd03ba24cccbdac61313187f1f

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll
        Filesize

        569KB

        MD5

        15f5792844af082587747a09f1123a0d

        SHA1

        558999ff58818971f96dfff4f433afa596794ba7

        SHA256

        e5188cf139c4af572588fe794b7392479a0bf59aef86666a0a22db121e41da9d

        SHA512

        7de7f740bab5dcafb9f502853963547c7e50993404535dbcd39b88a586a2bf31b50f1eebe4682ee5fa458a00948af44dc104daa0b595c2c02d6901a81beab24f

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll
        Filesize

        985KB

        MD5

        b992640abf4ea6cdac53d8b38076f845

        SHA1

        ed480fe74fb663e0192098c99a822022b380481c

        SHA256

        f945dddd970b1bd95c6f713f3a1797a2f0772bbaaee0803f43e39fd748d4502a

        SHA512

        a3b1beef8df9a0f14eda0cd6d01895bd17c346fd930284806cea6657b3c73df8899c699484742a45753dc0cd85b4b92e7e5b6d31b4f94ccc9865959f28fbc0d9

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll
        Filesize

        50KB

        MD5

        331f05e490914da44395950a1a57755e

        SHA1

        c1961dc9fa4b58393187d32afd4bb6a44828de03

        SHA256

        2072908383ee3b1bc47041600a40ccf92a64ec3046808cd62c61cb408da98e07

        SHA512

        2edd9e0fac061934dcde4b15b39a016bd0b70346b2e830bb06067383252fe349e54f3101cfa26e3498cd0714c541deff9047ca7e7f77f6b575af9a0359334330

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll
        Filesize

        2.8MB

        MD5

        530ee57634fcfcbbf83a1280d7734abc

        SHA1

        6121081dd0e415d8925a4147e7fa6fd434efab85

        SHA256

        702758ed69a603bffbcf007699ca8049297da1e3685cd36c67fed7f429a473c4

        SHA512

        d33c3a4299814aad12f88b51a0e451bcebd327c56e5a71555b4cdfc84b78dc097947994f1470331f805a5ac534e605364a0215a4486b0cf595850988439d41ca

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
        Filesize

        27.1MB

        MD5

        d80c0e89cf4ed13bedeedc1d023cf1cb

        SHA1

        7775de9c1b7044c211f6634507ce5b54e6d50a59

        SHA256

        0632794ea40f575ee8ee692f0e48520e403d25ccd95de224095f3e1717aa2aaf

        SHA512

        d6868381dda84b299bdf7b1bafef9ed08617626391bdcb1110e58e650ff402b409b02834e244472fb125726a27f3e9bdc372ea213b70de3042acd874f5b9c573

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
        Filesize

        13.6MB

        MD5

        2ee3851baaa3c7c9f685902605e6259d

        SHA1

        8a0cb1905d005bbdf4f676b4e21afbe1bc88575d

        SHA256

        8e60d450460a0a2ffe9f501342c7a3ad357dbb5daa121eabab05810c3381d00b

        SHA512

        8428f8149fc034accc3d37459b55a8eedb5c85ba0c06d16dae6da67f08f9c88aa94f5e9c4635162c1dcd336b7d536983f60d0381f63b90c4117049995b79cb9d

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.17425.20176\i640.hash
        Filesize

        106B

        MD5

        c42769fc58a705ab16044804cd33de08

        SHA1

        ea1e6c0774ad18ae80b69105684df800e59002a3

        SHA256

        87f6b9a4eb6fe138ce34632445034b1426724ac65893b5f0c2d3df1b09844d02

        SHA512

        74434e1345628d439a40ede16dc59c91b4c582f5867ea0ef42e8c36dc4284a7327ee722a644fc0af47ca595c716ae2b2381f30574e10b323f5e6c6c7ea076ad9

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll
        Filesize

        315KB

        MD5

        9485d003573e0eaf7952ab23cc82ef7b

        SHA1

        75b1dcafc21ddc7c3877caeac06bb04ebf09ea40

        SHA256

        5e0e8eac57b86e2de7ca7d6e8d34dddea602ce3660208fb53947a027635d59a1

        SHA512

        50bfdcc4f889cd40fe1b79bd3b32515c18836bc533d5590c95ecf4af5041df61c87df6ad87ef9323e19771de00d7d483fecd07fb7674df380be8839f6ff3256a

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat
        Filesize

        31KB

        MD5

        36957c7c690a6238b9d06f7ac2bbb09e

        SHA1

        0e13ccb55b2453ac0b6ddfeb4b61a2db656b2407

        SHA256

        78a1951162274ea528a5e5aa7858093cd51ad3da66c5b8aac6155b49992a396c

        SHA512

        2ac34da18adc5cfa433b259e2563695418186d393cfe174b88c24d2d64c678ac82cbebd3bbde82703c9307c586c1edab3f305bb862299feb544b94b890118c46

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll
        Filesize

        116KB

        MD5

        e9b690fbe5c4b96871214379659dd928

        SHA1

        c199a4beac341abc218257080b741ada0fadecaf

        SHA256

        a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

        SHA512

        00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\en-us.16\MasterDescriptor.en-us.xml
        Filesize

        36KB

        MD5

        72fb563248d442e416eae516094458dd

        SHA1

        d206ad65cfe79d52bf3d0845cbe35585cf7e365b

        SHA256

        7680d0929bafd13ef271a853659afbbf313dd2fb69381f7eb00fe08d38615fe4

        SHA512

        0161a2faef57ed1d704dcb1f89e4d794a563c8900acc0494c8a56e9645637fbd30930c916c261353b399282b256c40e687acf9ef875483bec4cdc0666c4a2639

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\en-us.16\stream.x64.en-us.dat.cat
        Filesize

        78KB

        MD5

        8551c9ac4f3ec1d6bf80d23396fed971

        SHA1

        c01110845fd2e9b631b0751981c92d90e89d2714

        SHA256

        9115dcf7978a71ecdfc4cae690f4e7c43ffab7a3711177139601bb252d1e119f

        SHA512

        b20daf2312e82e8b6ef2e21d47606d1a617577565108666ffdd757e370daf688351915d2c43ece57ee00e910be53f723875ad9d4562622fa297f700216c69a7a

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\sd640.delta02.cab_extractOfficeC2RF3961C26-93B9-462B-B0BC-BEE70ECA715D\MasterDescriptor.x-none.xml
        Filesize

        31KB

        MD5

        e640a6b8af4361a79ba887d1af5993fa

        SHA1

        029cef189a38ff85b6ae456cbfea59b70cc3b725

        SHA256

        09582ad3d949825978c4289654598a20a7ad8128606a1bb4cc33b3c8e931d290

        SHA512

        85f37aebc49e594aa6a4564c8a83234be207f86ad5b7fe00e612f7a58e980da84c31fdbaabd63932e6218479fc85b89b0315b52ac53d375959c5e07dece17c44

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\sd640.delta03.cab_extractOfficeC2RB574C7D7-AD7A-4AC2-8999-F1890A753448\stream.x64.x-none.delta03.hash
        Filesize

        128B

        MD5

        c96676c4e935552d7b23caf0844acbb2

        SHA1

        e51181e2d5aecc64b2156e0b7f5c2ae721062e27

        SHA256

        d9dd0a2e99b95e0916575fd4f0014fd44981beb2d99b3af82b14bf29d227c21f

        SHA512

        9f4b50a63c0ab504060f0ab911561afecfe75f5b9582ff1039558a6088f42d89e4dcbd1e2b45f61ce881513ceb33ab42d57f568cd77445669439e52383511a08

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\sd640.delta03.cab_extractOfficeC2RB574C7D7-AD7A-4AC2-8999-F1890A753448\stream.x64.x-none.delta03.man.dat
        Filesize

        22KB

        MD5

        e48beb9e1c747f4c5119e72d2382040e

        SHA1

        21a7956474881402e26731995807cc84931d19bd

        SHA256

        c764726c73ed0bbdb2ed814d7f0d88fd37a7ecdb87024a8bbbb1bb3be5fcc122

        SHA512

        c3dc143ac4e6a50faf7eb5fe4018803dbc7669cbe4c75a4a98bb194004007d0847fb37ac235bc54fef12a85332bda01063f51e7c6dfbe49893a8a361e6c381ad

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\sd641033.delta03.cab_extractOfficeC2RCE295DDC-829A-4A69-A647-7BC72E2D2AFD\stream.x64.en-us.delta03.hash
        Filesize

        128B

        MD5

        840946710eb8ccfaf98f31f776eaace0

        SHA1

        fa917c58d32105c1d4ba3ea47c34f81a2030484d

        SHA256

        811bddaaa9839c2f19d165bf7e89f8693736c7a3d16a8da26d1a9e28fdc611a0

        SHA512

        2f9d1d2d5c6847aaaad6cf9f534bbae5d7d434eeec5a636c3d44bb715e0dc504658145e9944978d72cd0e315d9adfe79fa15976d9b248bc892eea40d8945cae6

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\sd641033.delta03.cab_extractOfficeC2RCE295DDC-829A-4A69-A647-7BC72E2D2AFD\stream.x64.en-us.delta03.man.dat
        Filesize

        15KB

        MD5

        9172c7830ebc7049d4a1830624a0bf46

        SHA1

        694c6df4b1233838e50304a3a9c23d89752cb602

        SHA256

        0ac5fd10987aa4eac096535d9004d9194c95d40dc69a0d8c0ec08ba4f2f67264

        SHA512

        4db0343eb82837b8eb5b5d23100ea90c6233307b24941c856fcd4e163becd36b545c62df1bfbed4222cc16d08f8e7dd30c7ba6a29748c8fd75020ddd235e7d3c

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\x-none.16\MasterDescriptor.x-none.xml
        Filesize

        36KB

        MD5

        6e08be42bc44430589bfd4ef6efcb7a9

        SHA1

        310fe6029cc423da9317b5735d06455d7c68b5fb

        SHA256

        cdfe176584414d4f76730d283ac657d807d4f6fb5f382520bee8e296d2dcc68e

        SHA512

        50d24c53b14b9cb8f8d6b102971be1588a57d0cc2fdee110ca6c70eff59c3461f5ae8ca14a8c5facdc7f8669c0bc58a03360b3fa10777041c91a9f879dd364a3

        Download Submit

      • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F1EF857C-9E36-4EEE-92CE-77344C0A2D59\x-none.16\stream.x64.x-none.dat.cat
        Filesize

        641KB

        MD5

        335082845f2f7f4534dc809ce8023d7f

        SHA1

        d83c0da25fb437981d6085cc0fc41c950cea4307

        SHA256

        e6ebff4a02303dc9eb9355c6b61013a032f89064b15d4c994bd122b3369da685

        SHA512

        6670affec93d5bd477036f3e8c670f993d8a0eeb3d0695a80a13f77d3a7d4da03753f74dd5a651f889a9397b5cbe5e5ac44091d30a1d9cb9c50d7b8803054445

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3950571B-C4ED-4FAD-82D4-D0C054ADBEF8
        Filesize

        162KB

        MD5

        edab31e5f853fc9f42444cc0c695e8ca

        SHA1

        54b60e8ae5754b188729ab848d9e536d9f19f04c

        SHA256

        e5d4ff06b27cda60acec791d6454679635e21c33c6d8dbddd4e3e052f888fbdd

        SHA512

        39ab69cb62bf4c7ec691aa4738daf4fb57a3114da3481c13b686aed4702601a984d3d431738e4cdde4340b196753b6407c027cd26fc89c42c1d98eb49875acbf

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db
        Filesize

        24KB

        MD5

        8665de22b67e46648a5a147c1ed296ca

        SHA1

        b289a96fee9fa77dd8e045ae8fd161debd376f48

        SHA256

        b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

        SHA512

        bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\OFFICE~1\i640.cab
        Filesize

        32.0MB

        MD5

        0c35b027efd1f9989218458955bfeb65

        SHA1

        b306d2c4404fa6233f7a75d2d20ff3b276edcc37

        SHA256

        f8b12545547fae5a120d2d6ec06a8c0e157c0f9726934da55800cd92bf069697

        SHA512

        3dd10d74bb3dd42316778dba699d8916f50680d85ec8e859a2c4721ae5a6417f0ac21b6e9c0e17ff74bb307136267c91eee0401a97cd7badeaff08a00a568496

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\OfficeC2RF8FA808E-A987-466B-BAEF-9B6D8ED162C3\VersionDescriptor.xml
        Filesize

        25KB

        MD5

        f90bb7d675b52ca5fe6b8494cd1e1bfb

        SHA1

        a676e3fa737de0e1734a98ce295eb58d130352b3

        SHA256

        987eef8a72ba4088b9910503eacd4da8e937ec7bbd05fd207a7c2d83e1e2be37

        SHA512

        33ebc6d4c3c8927923ee9c8fc471666d290bfe10925e73c87c3b74c072f7a29922aec9ff12181b8af5f0550578be21c17440a057fcff34aadbc39fbd67896976

        Download Submit

      • C:\Windows\Temp\OFFICE~1\d640.cab
        Filesize

        9KB

        MD5

        5e243f4abaa028970bac382cdbfd226b

        SHA1

        044cfed8df8d4eaeb5a546aef20726caa737af6b

        SHA256

        29d93f00ee0f23cd6b99411f2286a5fcf70df34703d7876dfd0b3c3b953abbf9

        SHA512

        0a526e7c4c85f3334a065727051ac4523b7d9fd92b8fb1df6c725e7a22ae56703fdc02636ba0f7732ef5668f10a4ae2074f48d3194b8f5e20d459dfe16a37e16

        Download Submit

      • C:\Windows\Temp\OFFICE~1\d641033.cab
        Filesize

        9KB

        MD5

        169a54509a2013a203bf258c1392e419

        SHA1

        c15d2aa84c52ae1e73ea1f8a94255f4cd28d91d2

        SHA256

        f8c6d765c758ceea0b1f3b7c71f0a3063d8120781df2644b3c19e0cca42e13d8

        SHA512

        0a5e1ebf635278f74abf18640c9102d1d3521c56dcbb29656f8a5344954a4b2d295f210bca3a0a324948720bad3c640c404831a7e1b35661c922d96b6fa9b213

        Download Submit

      • C:\Windows\Temp\OFFICE~1\s640.cab
        Filesize

        2.4MB

        MD5

        42dc75eb64b589d3be7f1dca985ab98c

        SHA1

        bde35baf1c616f3086cc7b26851ba8053964bbfc

        SHA256

        654568d607d97596f65db8058e114a2049293813f4c82183bdfea6a681a3f83d

        SHA512

        d70ffb312aa6452df51e7c3d7c261ce8d6b1cb185c0041e83cf0314cb03b0663b5978f020267472ed13d3907f3729358d1d248c1c7496057817ef03fc1ffa356

        Download Submit

      • C:\Windows\Temp\OFFICE~1\s641033.cab
        Filesize

        516KB

        MD5

        27ba0f0c4d92745be0b1881d9e975cb7

        SHA1

        d73a799384b8580e038a8769a2770007e672ae18

        SHA256

        47e11197cb0558c97533299026439daaccc836ec27ba1c5b21282d00a5cb0464

        SHA512

        b6ce90cdb426c9f8c415304fc1fe21baa1e6b19990aa37fd5e524ae38fafeafa1896862cd24c4eccbf3bfcbdd2643d05aad8bb761ac9686983335ae182f44bae

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd640.delta00.cab
        Filesize

        2.5MB

        MD5

        95208bd98fbe6420ba3d4e63958b8ea1

        SHA1

        8b33adf213e03be55b5221f9a6b531735d5c9fab

        SHA256

        dcf2fda5b0ea07ab69c37f88e8064421b74ee17c67a6e0ab6f7db99cc31f39bc

        SHA512

        4e591890c847329eea8975a306d296326f31da388e20b0908e6781976c6751eda9e4aa18793b047e93d56e47964ee14a30d2802de8cc14e3c612c3f46e776a27

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd640.delta01.cab
        Filesize

        33KB

        MD5

        355ca52938b4a608699ee30588bba52e

        SHA1

        c1eaaa3b078d3d135c8731e41f5deb669bddf142

        SHA256

        cbf6806315a0a21236be2e8f219366a9e85111ca2b2c7135342cf9f26f3822f9

        SHA512

        f39fb01a1a13648aa9dfaf75417ae6db4067726f2d0b807fc3eec1701e918ef8418047b6a24103cd5215ca5b755330e52081c76be9c6cfc296ca1014cd7c1cf6

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd640.delta02.cab
        Filesize

        33KB

        MD5

        a853c6d1a4d10afee2afbce5832f63b4

        SHA1

        a28b297de5b67f6882081ffe880ad3f49f366269

        SHA256

        aa277bdf1a3f38bb439fdd5380e557a87510c1bb237cdb234c8b950d389bb057

        SHA512

        865f794f8d5462b71a3170403e8812d5f55178df44ce54d6328a4add883249eab2ed2e86027567632f957c0a45b0322bf80faf9fbcc02f896119556ef4465d0a

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd640.delta03.cab
        Filesize

        33KB

        MD5

        db8c5f9424cb45f1462a319929a7b4f2

        SHA1

        c2cf09c9c4b3c5735e0c1b0d81796eabc50dcdda

        SHA256

        1d5ff9ee98dcf822a2ac777180f58db2c13e1bddb8328a4ef21cb586aa18229c

        SHA512

        76ff2c095535bb5220671afc6e0ede3231299a5b30d93b3b60b5c664e403356b313bd5abfd8d00179bae9e01455847ac6add1ddf22ea586787bff0ee7db4575e

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd641033.delta00.cab
        Filesize

        356KB

        MD5

        96ea2c4a6cc7a291dd0c841b519ece11

        SHA1

        694196f92e9f5cf18cfa452c537a805329ec6f4c

        SHA256

        c83f4c285ab3887c6016b74964eaaf8d758ff7786ecc91bd99c214a4d7524a42

        SHA512

        48ed9f5036930154b7d6be8f023ceacca4973feca4cb115384c51e25a470d4f533d082777771dd29b7d560bf02da62bb6820735752930283f2da32fe84f3faf2

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd641033.delta01.cab
        Filesize

        29KB

        MD5

        c91b591a32967c24d389f33b730a8934

        SHA1

        c042653477f0ba63b5fb4191a3a9ee9e0929db4a

        SHA256

        a5af24f4a2027a1fb5421d234f1610b063de149c6e2482a87156efa70d3d13b9

        SHA512

        ca04afc3d8ee1195c3baee1237cbc89428e2956706e4d9479cf66d226008c90b87181b67199a68bfd8f48bc68341a4ded845f21ebbbb93d75a234beaf0c6807c

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd641033.delta02.cab
        Filesize

        29KB

        MD5

        d35bf25df8ddfb70cfd4d3997e680cb7

        SHA1

        8cb4bec9711c8f1bdb0f49792570c6a958da49f1

        SHA256

        946ddbceb438da29b348a83d675032fa796fa95dd337df07d4917e7a87995221

        SHA512

        1ebc06dcabd452d88b95c51c65dd506c4f9a8d06e97d592ded774b1e2baaf2a49891fe7471d503556e52aa7429524ea1b988c6bfcaa748aaaab73915506caf4c

        Download Submit

      • C:\Windows\Temp\OFFICE~1\sd641033.delta03.cab
        Filesize

        29KB

        MD5

        77f59bf350f2088a347d219e09a1c978

        SHA1

        a12f860a9db79f46ae4b82cd286f1c454b0e40a6

        SHA256

        f28381b54e5680dd085abbd335e7845bf1df22d0a899727e0b28766d98fe2c0d

        SHA512

        a4bd875ee0869a94ad22912049c04c1e0201719d676f168650f21cd64391c521a1360adcad2f84975f73757dae22f817dde68589275ccaaac56c3e014cd9d600

        Download Submit

      • memory/2832-486-0x00007FFCFA550000-0x00007FFCFA565000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2832-487-0x00007FFCF8B50000-0x00007FFCF8B8A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2832-485-0x00007FFCF7830000-0x00007FFCF78CB000-memory.dmp

        Filesize

        620KB

        Download

      • memory/2832-484-0x00007FF7BB270000-0x00007FF7BBD09000-memory.dmp

        Filesize

        10.6MB

        Download