General Info

File name

OInstall.exe

Full analysis
https://app.any.run/tasks/5a7665c7-521e-49b3-87dd-d9aa70ed0e22
Verdict
Malicious activity
Analysis date
5/15/2019, 14:51:27
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5

cb6e2c13b9548e4864eaa610ebce96a3

SHA1

02b0f88785ded01c75a3eaf4288aeb0be48d143e

SHA256

9f46b1f0aa822b65f98744f91414e033c9248021a9f472fa23ae8a81b26b8fae

SSDEEP

196608:vHKNxawqBBz0yVnn6z77vv1JQOE5LlpiFi8oULkWZlftsc1ZMihDOnc6ACqcq2tf:vExEBBV96z77vvf3kioGkmBD7wnc6Ad2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • OfficeClickToRun.exe (PID: 1636)
  • OfficeClickToRun.exe (PID: 3528)
  • setup.exe (PID: 2324)
  • files.dat (PID: 3568)
Changes settings of System certificates
  • OfficeClickToRun.exe (PID: 1636)
  • setup.exe (PID: 2324)
Loads dropped or rewritten executable
  • OfficeClickToRun.exe (PID: 1636)
  • OfficeClickToRun.exe (PID: 3528)
Removes files from Windows directory
  • OfficeClickToRun.exe (PID: 1636)
Creates files in the program directory
  • OfficeClickToRun.exe (PID: 1636)
  • setup.exe (PID: 2324)
Adds / modifies Windows certificates
  • OfficeClickToRun.exe (PID: 1636)
  • setup.exe (PID: 2324)
Creates files in the Windows directory
  • OfficeClickToRun.exe (PID: 1636)
Executable content was dropped or overwritten
  • OfficeClickToRun.exe (PID: 1636)
  • OInstall.exe (PID: 2076)
  • files.dat (PID: 3568)
  • setup.exe (PID: 2324)
Creates files in the user directory
  • powershell.exe (PID: 3120)
Executes PowerShell scripts
  • setup.exe (PID: 2324)
Searches for installed software
  • setup.exe (PID: 2324)
Starts CMD.EXE for commands execution
  • OInstall.exe (PID: 2076)
Starts application with an unusual extension
  • cmd.exe (PID: 944)
Reads Microsoft Office registry keys
  • OfficeClickToRun.exe (PID: 1636)
  • OfficeClickToRun.exe (PID: 3528)
Reads settings of System Certificates
  • OfficeClickToRun.exe (PID: 1636)
  • OfficeClickToRun.exe (PID: 3528)
  • setup.exe (PID: 2324)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   UPX compressed Win32 Executable (76%)
.exe
|   Win32 Executable (generic) (12.6%)
.exe
|   Generic Win/DOS Executable (5.6%)
.exe
|   DOS Executable Generic (5.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:04:25 07:02:44+02:00
PEType:
PE32
LinkerVersion:
2.5
CodeSize:
10174464
InitializedDataSize:
90112
UninitializedDataSize:
9658368
EntryPoint:
0x12eace0
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
6.7.0.0
ProductVersionNumber:
6.7.0.0
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Unknown (0)
ObjectFileType:
Unknown
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
ProductName:
Office 2013-2016 C2R Install
FileDescription:
Office 2013-2016 C2R Install
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
25-Apr-2019 05:02:44
Detected languages
English - United States
ProductName:
Office 2013-2016 C2R Install
FileDescription:
Office 2013-2016 C2R Install
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
25-Apr-2019 05:02:44
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
UPX0 0x00001000 0x00936000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
UPX1 0x00937000 0x009B4000 0x009B4000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.89369
.rsrc 0x012EB000 0x00016000 0x00015200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.96496
Resources
1

2

3

4

Imports
    ADVAPI32.DLL

    COMCTL32.DLL

    GDI32.DLL

    gdiplus.dll

    ICMP.DLL

    IMAGEHLP.DLL

    IPHLPAPI.DLL

    KERNEL32.DLL

    MSI.DLL

    MSVCRT.dll

    NETAPI32.DLL

    OLE32.DLL

    OLEAUT32.DLL

    SETUPAPI.DLL

    SHELL32.DLL

    URLMON.DLL

    USER32.DLL

    USERENV.DLL

    WININET.DLL

    WINMM.DLL

    WINSPOOL.DRV

    WSOCK32.DLL

Exports

    No exports.

Screenshots

Processes

Total processes
49
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

+
start drop and start oinstall.exe no specs oinstall.exe cmd.exe no specs cmd.exe no specs files.dat cmd.exe no specs setup.exe powershell.exe no specs officeclicktorun.exe officeclicktorun.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3248
CMD
"C:\Users\admin\AppData\Local\Temp\OInstall.exe"
Path
C:\Users\admin\AppData\Local\Temp\OInstall.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Office 2013-2016 C2R Install
Version
Modules
Image
c:\users\admin\appdata\local\temp\oinstall.exe
c:\systemroot\system32\ntdll.dll

PID
2076
CMD
"C:\Users\admin\AppData\Local\Temp\OInstall.exe"
Path
C:\Users\admin\AppData\Local\Temp\OInstall.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Description
Office 2013-2016 C2R Install
Version
Modules
Image
c:\users\admin\appdata\local\temp\oinstall.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\icmp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shell32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\audioses.dll
c:\windows\system32\avrt.dll

PID
3312
CMD
"C:\Windows\System32\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
OInstall.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
944
CMD
"C:\Windows\System32\cmd.exe" /D /c files.dat -y -pkmsauto
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
OInstall.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\files\files.dat

PID
3568
CMD
files.dat -y -pkmsauto
Path
C:\Users\admin\AppData\Local\Temp\files\files.dat
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Igor Pavlov
Description
7z Console SFX
Version
9.20
Modules
Image
c:\users\admin\appdata\local\temp\files\files.dat
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2132
CMD
"C:\Windows\System32\cmd.exe" /D /c C:\Users\admin\AppData\Local\Temp\files\Setup.exe /configure Configure.xml
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
OInstall.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\files\setup.exe

PID
2324
CMD
C:\Users\admin\AppData\Local\Temp\files\Setup.exe /configure Configure.xml
Path
C:\Users\admin\AppData\Local\Temp\files\setup.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Microsoft Office
Version
16.0.11617.33601
Modules
Image
c:\users\admin\appdata\local\temp\files\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\credssp.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\powrprof.dll
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe

PID
3120
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
setup.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\netutils.dll

PID
3528
CMD
deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 platform=x86 productreleaseid=none forcecentcheck= culture=en-us defaultplatform=False storeid= lcid=1033 b= totalclientcabsize=20033012 productstoadd=ProjectProRetail.16_en-us_x-none|ProplusRetail.16_en-us_x-none|VisioProRetail.16_en-us_x-none scenariosubtype=ODT scenario=unknown updatesenabled.16=True acceptalleulas.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.11601.20204 mediatype.16=CDN visioproretail.excludedapps.16=onedrive baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 projectproretail.excludedapps.16=onedrive sourcetype.16=CDN flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown
Path
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
Indicators
Parent process
setup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Microsoft Office Click-to-Run (SxS)
Version
16.0.11601.20174
Modules
Image
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l2-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-localization-l1-2-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-synch-l1-2-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l1-2-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-string-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\msvcp140.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-math-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-time-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll
c:\program files\common files\microsoft shared\clicktorun\apiclient.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\version.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystemcontroller.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\schannel.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\program files\common files\microsoft shared\clicktorun\c2rui.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\common files\microsoft shared\clicktorun\c2rintl.en-us.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\powrprof.dll

PID
1636
CMD
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Office Click-to-Run (SxS)
Version
16.0.11601.20174
Modules
Image
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l2-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-localization-l1-2-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-synch-l1-2-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-core-file-l1-2-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-string-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\msvcp140.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-math-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-time-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\common files\microsoft shared\clicktorun\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll
c:\program files\common files\microsoft shared\clicktorun\apiclient.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\profapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystemcontroller.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\program files\common files\microsoft shared\clicktorun\streamserver.dll
c:\windows\system32\msdelta.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\schannel.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\concrt140.dll

Registry activity

Total events
813
Read events
529
Write events
281
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
2076
OInstall.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Speaker Configuration
4
2324
setup.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\setup.exe
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun
FirstSessionTriggered
1
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
UIFallbackLanguages
x-none
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
HelpLanguageTag
en-US
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
PreferredEditingLanguage
en-US
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
PreviousPreferredEditingLanguage
en-US
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
WordChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
WordMailChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
XLChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
PPTChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
AccessChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
OutlookChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
SharePointDesignerChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
PublisherChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
ProjectChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
InfoPathChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
OneNoteChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
WebDesignerChangeInstallLanguage
No
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
LangTuneUp
OfficeCompleted
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
1
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common
UID
F0B92E5221BDF140AD012297B3E8CBAA
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun
EcsRequestPending
0
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\RulesLastAudienceReported
setup.exe
Unknown_Error_Read_StreamPackageUrl
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Registration\USER-PC
none.AttemptGetKey
1
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
EnableFileTracing
0
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
EnableConsoleTracing
0
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
FileTracingMask
4294901760
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
ConsoleTracingMask
4294901760
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
MaxFileSize
1048576
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
FileDirectory
%windir%\tracing
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
EnableFileTracing
0
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
EnableConsoleTracing
0
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
FileTracingMask
4294901760
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
ConsoleTracingMask
4294901760
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
MaxFileSize
1048576
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
FileDirectory
%windir%\tracing
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Registration
AcceptAllEulas
1
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration
AcceptAllEulas
1
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\General
ShownFirstRunOptin
1
2324
setup.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Blob
0F0000000100000014000000F45A0858C9CD920E647BAD539AB9F1CFC77F24CB090000000100000016000000301406082B0601050507030306082B06010505070308140000000100000014000000DAED6474149C143CABDD99A9BD5B284D8B3CC9D80B000000010000001400000055005300450052005400720075007300740000001D0000000100000010000000F919B9CCCE1E59C2E785F7DC2CCF6708030000000100000014000000E12DFB4B41D7D9C32B30514BAC1D81D8385E2D4620000000010000006A040000308204663082034EA003020102021044BE0C8B500024B411D3362DE0B35F1B300D06092A864886F70D0101050500308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A656374301E170D3939303730393138333132305A170D3139303730393138343033365A308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A65637430820122300D06092A864886F70D01010105000382010F003082010A0282010100CEAA813FA3A36178AA31005595119E270F1F1CDF3A9B826830C04A611DF12F0EFABE79F7A523EF55519684CDDBE3B96E3E31D80A2067C7F4D9BF94EB47043E02CE2AA25D870409F6309D188A97B2AA1CFC41D2A136CBFB3D91BAE7D97035FAE4E790C39BA39BD33CF5129977B1B709E068E61CB8F39463886A6AFE0B76C9BEF422E467B9AB1A5E77C18507DD0D6CBFEE06C7776A419EA70FD7FBEE9417B7FC85BEA4ABC41C31DDD7B6D1E4F0EFDF168FB25293D7A1D489A1072EBFE10112421E1AE1D89534DB647928FFBA2E11C2E5E85B9248FB470BC26CDAAD328341F3A5E54170FD65906DFAFA51C4F9BD962B19042CD36DA7DCF07F6F8365E26AAB8786750203010001A381AF3081AC300B0603551D0F0404030201C6300F0603551D130101FF040530030101FF301D0603551D0E04160414DAED6474149C143CABDD99A9BD5B284D8B3CC9D830420603551D1F043B30393037A035A0338631687474703A2F2F63726C2E7573657274727573742E636F6D2F55544E2D5553455246697273742D4F626A6563742E63726C30290603551D250422302006082B0601050507030306082B06010505070308060A2B0601040182370A0304300D06092A864886F70D01010505000382010100081F52B1374478DBFDCEB9DA959698AA556480B55A40DD21A5C5C1F35F2C4CC8475A69EAE8F03535F4D025F3C8A6A4874ABD1BB17308BDD4C3CAB635BB59867731CDA78014AE13EFFCB148F96B25252D51B62C6D45C198C88A565D3EEE434E3E6B278ED03A4B850B5FD3ED6AA775CBD15A872F3975135A72B002819FBEF00F845420626C69D4E14DC60D9943010D12968C789DBF50A2B144AA6ACF177ACF6F0FD4F824555FF0341649663E5046C96371383162B862B9F353AD6CB52BA212AA194F09DA5EE793C68E1408FEF0308018A086854DC87DD78B03FE6ED5F79D16AC922CA023E59C91521F94DF179473C3B3C1C17105200078BD13521DA83ECD001FC8
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Blob
040000000100000010000000ACB694A59C17E0D791529BB19706A6E40B0000000100000030000000440069006700690043006500720074002000420061006C00740069006D006F0072006500200052006F006F007400000053000000010000006200000030603020060A2B06010401B13E01640130123010060A2B0601040182373C0101030200C0301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0301B060567810C010130123010060A2B0601040182373C0101030200C00F0000000100000014000000CE0E658AA3E847E467A147B3049191093D055E6F140000000100000014000000E59D5930824758CCACFA085436867B3AB5044DF01D0000000100000010000000918AD43A9475F78BB5243DE886D8103C030000000100000014000000D4DE20D05E66FC53FE1A50882C78DB2852CAE47419000000010000001000000068CB42B035EA773E52EF50ECF50EC52909000000010000003E000000303C06082B0601050507030106082B0601050507030406082B0601050507030206082B0601050507030306082B0601050507030906082B0601050507030862000000010000002000000016AF57A9F676B0AB126095AA5EBADEF22AB31119D644AC95CD4B93DBF3F26AEB20000000010000007B030000308203773082025FA0030201020204020000B9300D06092A864886F70D0101050500305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F74301E170D3030303531323138343630305A170D3235303531323233353930305A305A310B300906035504061302494531123010060355040A130942616C74696D6F726531133011060355040B130A43796265725472757374312230200603550403131942616C74696D6F7265204379626572547275737420526F6F7430820122300D06092A864886F70D01010105000382010F003082010A0282010100A304BB22AB983D57E826729AB579D429E2E1E89580B1B0E35B8E2B299A64DFA15DEDB009056DDB282ECE62A262FEB488DA12EB38EB219DC0412B01527B8877D31C8FC7BAB988B56A09E773E81140A7D1CCCA628D2DE58F0BA650D2A850C328EAF5AB25878A9A961CA967B83F0CD5F7F952132FC21BD57070F08FC012CA06CB9AE1D9CA337A77D6F8ECB9F16844424813D2C0C2A4AE5E60FEB6A605FCB4DD075902D459189863F5A563E0900C7D5DB2067AF385EAEBD403AE5E843E5FFF15ED69BCF939367275CF77524DF3C9902CB93DE5C923533F1F2498215C079929BDC63AECE76E863A6B97746333BD681831F0788D76BFFC9E8E5D2A86A74D90DC271A390203010001A3453043301D0603551D0E04160414E59D5930824758CCACFA085436867B3AB5044DF030120603551D130101FF040830060101FF020103300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100850C5D8EE46F51684205A0DDBB4F27258403BDF764FD2DD730E3A41017EBDA2929B6793F76F6191323B8100AF958A4D46170BD04616A128A17D50ABDC5BC307CD6E90C258D86404FECCCA37E38C637114FEDDD68318E4CD2B30174EEBE755E07481A7F70FF165C84C07985B805FD7FBE6511A30FC002B4F852373904D5A9317A18BFA02AF41299F7A34582E33C5EF59D9EB5C89E7C2EC8A49E4E08144B6DFD706D6B1A63BD64E61FB7CEF0F29F2EBB1BB7F250887392C2E2E3168D9A3202AB8E18DDE91011EE7E35AB90AF3E30947AD0333DA7650FF5FC8E9E62CF47442C015DBB1DB532D247D2382ED0FE81DC326A1EB5EE3CD5FCE7811D19C32442EA6339A9
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Blob
190000000100000010000000E843AC3B52EC8C297FA948C9B1FB2819030000000100000014000000E12DFB4B41D7D9C32B30514BAC1D81D8385E2D461D0000000100000010000000F919B9CCCE1E59C2E785F7DC2CCF67080B00000001000000140000005500530045005200540072007500730074000000140000000100000014000000DAED6474149C143CABDD99A9BD5B284D8B3CC9D8090000000100000016000000301406082B0601050507030306082B060105050703080F0000000100000014000000F45A0858C9CD920E647BAD539AB9F1CFC77F24CB20000000010000006A040000308204663082034EA003020102021044BE0C8B500024B411D3362DE0B35F1B300D06092A864886F70D0101050500308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A656374301E170D3939303730393138333132305A170D3139303730393138343033365A308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A65637430820122300D06092A864886F70D01010105000382010F003082010A0282010100CEAA813FA3A36178AA31005595119E270F1F1CDF3A9B826830C04A611DF12F0EFABE79F7A523EF55519684CDDBE3B96E3E31D80A2067C7F4D9BF94EB47043E02CE2AA25D870409F6309D188A97B2AA1CFC41D2A136CBFB3D91BAE7D97035FAE4E790C39BA39BD33CF5129977B1B709E068E61CB8F39463886A6AFE0B76C9BEF422E467B9AB1A5E77C18507DD0D6CBFEE06C7776A419EA70FD7FBEE9417B7FC85BEA4ABC41C31DDD7B6D1E4F0EFDF168FB25293D7A1D489A1072EBFE10112421E1AE1D89534DB647928FFBA2E11C2E5E85B9248FB470BC26CDAAD328341F3A5E54170FD65906DFAFA51C4F9BD962B19042CD36DA7DCF07F6F8365E26AAB8786750203010001A381AF3081AC300B0603551D0F0404030201C6300F0603551D130101FF040530030101FF301D0603551D0E04160414DAED6474149C143CABDD99A9BD5B284D8B3CC9D830420603551D1F043B30393037A035A0338631687474703A2F2F63726C2E7573657274727573742E636F6D2F55544E2D5553455246697273742D4F626A6563742E63726C30290603551D250422302006082B0601050507030306082B06010505070308060A2B0601040182370A0304300D06092A864886F70D01010505000382010100081F52B1374478DBFDCEB9DA959698AA556480B55A40DD21A5C5C1F35F2C4CC8475A69EAE8F03535F4D025F3C8A6A4874ABD1BB17308BDD4C3CAB635BB59867731CDA78014AE13EFFCB148F96B25252D51B62C6D45C198C88A565D3EEE434E3E6B278ED03A4B850B5FD3ED6AA775CBD15A872F3975135A72B002819FBEF00F845420626C69D4E14DC60D9943010D12968C789DBF50A2B144AA6ACF177ACF6F0FD4F824555FF0341649663E5046C96371383162B862B9F353AD6CB52BA212AA194F09DA5EE793C68E1408FEF0308018A086854DC87DD78B03FE6ED5F79D16AC922CA023E59C91521F94DF179473C3B3C1C17105200078BD13521DA83ECD001FC8
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
CountryCode
std::wstring|SE
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun
BuildNumber
16.0.11617
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Expires
int64_t|0
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
1
4D736F3A3A436865636B73756D52656769737472793A3A446174617C75696E7436345F747C383536333230383338303535353832363631363B456373436F6E666967526573706F6E7365446174617C7B202256657222203A2022696E7433325F747C30222C2022436F6E6649647322203A20227374643A3A77737472696E677C502D442D32393633352D312D312C502D442D32373038372D312D392C502D442D32393731392D312D312C502D442D32393731382D312D312C502D442D32393539332D312D312C502D522D31383531332D312D3330222C2022434322203A20227374643A3A77737472696E677C5345222C2022446566436F6E667322203A20227374643A3A77737472696E677C222C202245787054696D6522203A2022696E7436345F747C31353537393238333233222C20224554616722203A20227374643A3A77737472696E677C5C224671555535682B4A473674792F5979642F4D302B2B3935654837364E457565674A71396D67612F674870733D5C22222C202246434D617022203A205B207B20224622203A20224D6963726F736F66742E4F66666963652E4543532E436F6E666967496444656C696D69746572496E4C6F67222C20225622203A20227374643A3A77737472696E677C3B22207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E4543532E456E61626C65536D61727445546167222C20225622203A2022696E7433325F747C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E436C6F7564222C20225622203A20227374643A3A77737472696E677C5075626C696322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E50657270657475616C4C6963656E7365222C20225622203A20227374643A3A77737472696E677C3022207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E5365676D656E74222C20225622203A20227374643A3A77737472696E677C4E4F4E4652444322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5368617265642E4372634261736564556964222C20225622203A2022626F6F6C7C3122207D205D207D
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
ChunkCount
uint64_t|0
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
VersionId
uint16_t|1
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
ConfigIds
P-D-29635-1-1,P-D-27087-1-9,P-D-29719-1-1,P-D-29718-1-1,P-D-29593-1-1,P-R-18513-1-30
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
ETag
std::wstring|"FqUU5h+JG6ty/Yyd/M0++95eH76NEuegJq9mga/gHps="
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Expires
int64_t|1557928323
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
DeferredConfigs
std::wstring|
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
setup.exe_queried
740BDC5C00000000
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
setup.exe
Wed, 15 May 2019 12:52:04 GMT
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\setup.exe
RulesEndpoint
https://nexusrules.officeapps.live.com/nexus/rules?Application=C2R.exe&Version=16.0.11617.33601&ClientId={522EB9F0-BD21-40F1-AD01-2297B3E8CBAA}&OSEnvironment=10&MsoAppId=37&AudienceName=Unknown_Error_Read_StreamPackageUrl&AudienceGroup=Other&AppVersion=16.0.11617.33601&
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\setup.exe\ULSMonitor
ULSTagIds0
5804129,7202269,20502174,17110992,6308191,7168707,3702920,3462423,17110988,17962391,17962392,3700754,3965062,4297094,7153421,18716193,7153487,7153435,7202265,20489353,18407617,17102418,22929429
2324
setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\setup.exe\ULSMonitor
ULSCategoriesSeverities
1723 50,1779 50,1715 50,1780 50,1716 50,1717 50,1718 50,1719 50,1720 50,1721 50,1722 50,1724 50,1725 50,1726 50,1727 50,1728 50,1729 50,1730 50,1731 50,1732 50,1733 50,1734 50,1735 50,1736 50,1737 50,1738 50,1739 50,1740 50,1741 50,1742 50,1743 50,1744 50,1745 50,1746 50,941 10,1748 50,1749 50,1750 50,1751 50,1752 50,1753 50,1755 50,1756 50,1757 50,1758 50,1759 50,1760 50,1761 50,1762 50,1763 50,1764 50,1765 50,1766 50,1767 50,1768 50,1769 50,1770 50,1771 50,1772 50,1773 50,1774 50,1775 50,1776 50,1777 50,1778 50,1781 50,1782 50,1783 50,1784 50,1785 50,1329 10,1329 15,941 15,1329 50,941 6,1329 100,1329 6,1603 50
2324
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
VersionToReport
16.0.11601.20204
3120
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3528
OfficeClickToRun.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
2
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
1
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\RulesLastAudienceReported
officeclicktorun.exe
Unknown_Error_Read_StreamPackageUrl
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
EnableFileTracing
0
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
EnableConsoleTracing
0
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
FileTracingMask
4294901760
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
ConsoleTracingMask
4294901760
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
MaxFileSize
1048576
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASAPI32
FileDirectory
%windir%\tracing
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASMANCS
EnableFileTracing
0
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASMANCS
EnableConsoleTracing
0
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASMANCS
FileTracingMask
4294901760
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASMANCS
ConsoleTracingMask
4294901760
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASMANCS
MaxFileSize
1048576
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OfficeClickToRun_RASMANCS
FileDirectory
%windir%\tracing
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000072000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
ClientFolder
C:\Program Files\Common Files\Microsoft Shared\ClickToRun
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
ClientVersionToReport
16.0.11601.20174
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
WatcherInterval
3600000
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
PipelineServerName
ClickToRun_Pipeline16
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
PackageLockerPath
C:\ProgramData\Microsoft\Office
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
VersionToReport
16.0.11601.20204
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun
ExecutingScenario
INSTALL
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ScenarioInstanceID
F75D20AB-0673-4044-9C57-9CF020C33D4C
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ScenarioName
unknown
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ProductsToAdd
ProjectProRetail.16_en-us_x-none|ProplusRetail.16_en-us_x-none|VisioProRetail.16_en-us_x-none
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ProductsToRemove
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
Platform
x86
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ClientCulture
en-us
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
BitfieldValues
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ScenarioSubType
ODT
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
TotalClientCabSize
20033012
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
C2RFlighting.UseExperimentalTransportForInPlacePipe
unknown
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
C2RFlighting.UseOfficeHelperAddon
unknown
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
C2RFlighting.UseOutlookShareAddon
unknown
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
BaseUrl
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
Version
16.0.11601.20204
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
MediaType
CDN
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
CDNUrl
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
AcceptAllEulas
True
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
UpdatesEnabled
True
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
SourceType
CDN
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ExcludedApps
visioproretail_onedrive|projectproretail_onedrive
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
DeliveryMechanism
492350f6-3a01-4f97-b9c0-c7c6ddf67d60
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
ScenarioCulture
en-us
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL\TasksState
SCENARIO:{FB9843BB-0D8A-4347-A227-C759C3FC9103}
TASKSTATE_EXECUTING
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL\TasksState
PROMPTUSER:{0468216F-0C80-4620-AA53-3F53A84CDFC4}
TASKSTATE_EXECUTING
3528
OfficeClickToRun.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
InstallID
581D0BBF-4A5C-4C8B-84D1-EA86B7BA18DD
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL\Condition
PromptAnswer
Continue
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL\TasksState
PROMPTUSER:{0468216F-0C80-4620-AA53-3F53A84CDFC4}
TASKSTATE_COMPLETED
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL\TasksState
BRANCH:{DF3BBBD9-F521-43BA-BE89-8749E5F80983}
TASKSTATE_EXECUTING
3528
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL\TasksState
GROUP:{8D3B8D3F-A1B6-4149-8187-5530518A3849}
TASKSTATE_EXECUTING
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Expires
int64_t|1557928339
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
0
4D736F3A3A436865636B73756D52656769737472793A3A446174617C75696E7436345F747C2D343632363232383730303635323735373230373B456373436F6E666967526573706F6E7365446174617C7B202256657222203A2022696E7433325F747C30222C2022436F6E6649647322203A20227374643A3A77737472696E677C502D442D32393633352D312D312C502D442D32373038372D312D392C502D442D32393731392D312D312C502D442D32393731382D312D312C502D442D32393539332D312D312C502D522D31383531332D312D3330222C2022434322203A20227374643A3A77737472696E677C5345222C2022446566436F6E667322203A20227374643A3A77737472696E677C222C202245787054696D6522203A2022696E7436345F747C31353537393238333339222C20224554616722203A20227374643A3A77737472696E677C5C224671555535682B4A473674792F5979642F4D302B2B3935654837364E457565674A71396D67612F674870733D5C22222C202246434D617022203A205B207B20224622203A20224D6963726F736F66742E4F66666963652E4543532E436F6E666967496444656C696D69746572496E4C6F67222C20225622203A20227374643A3A77737472696E677C3B22207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E4543532E456E61626C65536D61727445546167222C20225622203A2022696E7433325F747C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E436C6F7564222C20225622203A20227374643A3A77737472696E677C5075626C696322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E50657270657475616C4C6963656E7365222C20225622203A20227374643A3A77737472696E677C3022207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E5365676D656E74222C20225622203A20227374643A3A77737472696E677C4E4F4E4652444322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5368617265642E4372634261736564556964222C20225622203A2022626F6F6C7C3122207D205D207D
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
VersionId
uint16_t|0
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
officeclicktorun.exe_queried
830BDC5C00000000
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
officeclicktorun.exe
Wed, 15 May 2019 12:52:19 GMT
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
RulesEndpoint
https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.11601.20174&ClientId={522EB9F0-BD21-40F1-AD01-2297B3E8CBAA}&OSEnvironment=10&MsoAppId=37&AudienceName=Unknown_Error_Read_StreamPackageUrl&AudienceGroup=Other&AppVersion=16.0.11601.20174&
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
ULSTagIds0
5804129,7202269,20502174,17110992,6308191,7168707,3702920,3462423,17110988,17962391,17962392,3700754,3965062,4297094,7153421,18716193,7153487,7153435,7202265,20489353,18407617,17102418,22929429
3528
OfficeClickToRun.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
ULSCategoriesSeverities
1329 10,1329 50,941 10,1329 15,941 15,1329 6,1329 100,941 6
1636
OfficeClickToRun.exe
delete key
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun
FirstSessionTriggered
1
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
UIFallbackLanguages
x-none
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
HelpLanguageTag
en-US
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
PreferredEditingLanguage
en-US
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
PreviousPreferredEditingLanguage
en-US
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
WordChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
WordMailChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
XLChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
PPTChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
AccessChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
OutlookChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
SharePointDesignerChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
PublisherChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
ProjectChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
InfoPathChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
OneNoteChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
WebDesignerChangeInstallLanguage
No
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources
LangTuneUp
OfficeCompleted
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
1
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\Common
UID
67264D2DF28B9E48804F9E588A534730
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun
EcsRequestPending
0
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Shared
OfficeUILanguage
1033
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\RulesLastAudienceReported
officeclicktorun.exe
Unknown_Error_Read_StreamPackageUrl
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL\TasksState
CONFIGURELIGHT:{363FEBED-07D2-4993-B860-5925C6FAF115}
TASKSTATE_EXECUTING
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
SourceType
CDN
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ScenarioSubType
ODTInstall
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
LowBandwidthStreaming
True
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ProductsOriginalToAdd
ProjectProRetail.16_en-us_x-none|ProplusRetail.16_en-us_x-none|VisioProRetail.16_en-us_x-none
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ProductsToAdd
ProPlusRetail.16_en-us_x-none|ProjectProRetail.16_en-us_x-none|VisioProRetail.16_en-us_x-none
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Scenario\INSTALL
ExcludedApps
visioproretail_onedrive|projectproretail_onedrive
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Platform
x86
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
InstallationPath
C:\Program Files\Microsoft Office
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
ClientCulture
en-us
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
CDNBaseUrl
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
AudienceId
492350f6-3a01-4f97-b9c0-c7c6ddf67d60
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
AudienceData
Production::CC
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
ProjectProRetail.MediaType
CDN
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
VisioProRetail.MediaType
CDN
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
ProPlusRetail.MediaType
CDN
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
UpdatesEnabled
True
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\propertyBag
Version
15.0.9999.9999
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
ProjectProRetail.ExcludedApps
onedrive
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
VisioProRetail.ExcludedApps
onedrive
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
1636
OfficeClickToRun.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5
Blob
040000000100000010000000A266BB7DCC38A562631361BBF61DD11B0F000000010000002000000008FBA831C08544208F5208686B991CA1B2CFC510E7301784DDF1EB5BF03932390B00000001000000540000004D006900630072006F0073006F0066007400200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F007200690074007900200032003000310030000000620000000100000020000000DF545BF919A2439C36983B54CDFC903DFA4F37D3996D8D84B4C31EEC6F3C163E140000000100000014000000D5F656CB8FE8A25C6268D13D94905BD7CE9A18C41D000000010000001000000083D006C6D15405E6CE2847A90A3F3EC969000000010000000E000000300C060A2B0601040182373C03020300000001000000140000003B1EFD3A66EA28B16697394703A72CA340A05BD51900000001000000100000003C70FAEA25600CE3B2CC5F0B222ED6292000000001000000F1050000308205ED308203D5A003020102021028CC3A25BFBA44AC449A9B586B4339AA300D06092A864886F70D01010B0500308188310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31323030060355040313294D6963726F736F667420526F6F7420436572746966696361746520417574686F726974792032303130301E170D3130303632333231353732345A170D3335303632333232303430315A308188310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31323030060355040313294D6963726F736F667420526F6F7420436572746966696361746520417574686F72697479203230313030820222300D06092A864886F70D01010105000382020F003082020A0282020100B9089E28E4E4EC064E5068B341C57BEBAEB68EAF81BA22441F6534694CBE704017F2167BE279FD86ED0D39F41BA8AD92901ECB3D768F5AD9B591102E3C058D8A6D2454E71FED56AD83B4509C15A51774885920FC08C58476D368D46F2878CE5CB8F3509044FFE3635FBEA19A2C961504D607FE1E8421E0423111C4283694CF50A4629EC9D6AB7100B25B0CE696D40A2496F5FFC6D5B71BD7CBB72162AF12DCA15D37E31AFB1A4698C09BC0E7631F2A0893027E1E6A8EF29F1889E42285A2B1845740FFF50ED86F9CEDE2453101CD17E97FB08145E3AA214026A172AAA74F3C01057EEE8358B15E06639962917882B70D930C246AB41BDB27EC5F95043F934A30F59718B3A7F919A793331D01C8DB22525CD725C946F9A2FB875943BE9B62B18D2D86441A46AC78617E3009FAAE89C4412A2266039139459CC78B0CA8CA0D2FFB52EA0CF76333239DFEB01FAD67D6A75003C6047063B52CB1865A43B7FBAEF96E296E21214126068CC9C3EEB0C28593A1B985D9E6326C4B4C3FD65DA3E5B59D77C39CC055B77400E3B838AB839750E19A42241DC6C0A330D11A5AC85234F773F1C7181F33AD7AECCB4160F3239420C24845AC5C51C62E80C2E27715BD8587ED369D9691EE00B5A370EC9FE38D80688376BAAF5D70522216E266FBBAB3C5C2F73E2F77A6CADEC1A6C6484CC3375123D327D7B84E7096F0A14476AF78CF9AE166130203010001A351304F300B0603551D0F040403020186300F0603551D130101FF040530030101FF301D0603551D0E04160414D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4301006092B06010401823715010403020100300D06092A864886F70D01010B05000382020100ACA5968CBFBBAEA6F6D7718743315688FD1C32715B35B7D4F091F2AF37E214F1F30226053E16147F14BAB84FFB89B2B2E7D409CC6DB95B3B64657066B7F2B15ADF1A02F3F551B8676D79F3BF567BE484B92B1E9B409C2634F947189869D81CD7B6D1BF8F61C267C4B5EF60438E101B3649E420CAADA7C1B1276509F8CDF55B2AD08433F3EF1FF2F59C0B589337A075A0DE72DE6C752A6622F58C0630569F40B930AA40771582D78BECC0D3B2BD83C5770C1EAEAF1953A04D79719F0FAF30CE67F9D62CCC22417A07F2974218CE59791055DE6F10E4B8DA836640160968235B972E269A02BB578CC5B8BA69623280899EA1FDC0927C7B2B3319842A63C5006862FA9F478D997A453AA7E9EDEE6942B5F3819B4756107BFC7036841873EAEFF9974D9E3323DD260BBA2AB73F44DC8327FFBD61592B11B7CA4FDBC58B0C1C31AE32F8F8B942F77FDC619A76B15A04E1113D6645B71871BEC92485D6F3D4BA41345D122D25B98DA613486D4BB0077D99930961817457268AAB69E3E4D9C788CC24D8EC52245C1EBC9114E296DEEB0ADA9EDD5FB35BDBD482ECC620508725403AFBC7EECDFE33E56EC3840955032539C0E9355D6531A8F6BFA009CD29C7B336322EDC95F383C15ACF8B8DF6EAB321F8A4ED1E310EB64C11AB600BA412232217A3366482910412E0AB6F1ECB500561B440FF598671D1D533697CA9738A38D7640CF169
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
4600000002000000090000000000000000000000000000000400000000000000F05377091D0BD501000000000000000000000000020000001700000000000000FE80000000000000A179B3FF019923140B0000002CCF64012CCF64010000000000000000040000000000000050CF640104000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF0300000000000000020000000100000002000000C0A864D80000000000000000DADADADA2E006500000000000500000000000000000000001B3F1400000000000000000000000000C8CF6401C8CF64010000000000000000FFFFFFFF00000000000000000000000000000000ECCF6401ECCF640100000000F8CF6401F8CF640100000000000000000000000000000000
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
CountryCode
std::wstring|SE
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun
BuildNumber
16.0.11601
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Expires
int64_t|0
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
1
4D736F3A3A436865636B73756D52656769737472793A3A446174617C75696E7436345F747C2D313933343031353833303935393131373930343B456373436F6E666967526573706F6E7365446174617C7B202256657222203A2022696E7433325F747C30222C2022436F6E6649647322203A20227374643A3A77737472696E677C502D442D32393633352D312D312C502D442D32373038372D312D392C502D442D32393731392D312D312C502D442D32393731382D312D312C502D442D32393539332D312D312C502D522D31383531332D312D3330222C2022434322203A20227374643A3A77737472696E677C5345222C2022446566436F6E667322203A20227374643A3A77737472696E677C222C202245787054696D6522203A2022696E7436345F747C31353537393238333432222C20224554616722203A20227374643A3A77737472696E677C5C224671555535682B4A473674792F5979642F4D302B2B3935654837364E457565674A71396D697A38777336633D5C22222C202246434D617022203A205B207B20224622203A20224D6963726F736F66742E4F66666963652E4543532E436F6E666967496444656C696D69746572496E4C6F67222C20225622203A20227374643A3A77737472696E677C3B22207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E4543532E456E61626C65536D61727445546167222C20225622203A2022696E7433325F747C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E436C6F7564222C20225622203A20227374643A3A77737472696E677C5075626C696322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E50657270657475616C4C6963656E7365222C20225622203A20227374643A3A77737472696E677C3022207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5365676D656E746174696F6E2E5365676D656E74222C20225622203A20227374643A3A77737472696E677C4E4F4E4652444322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5368617265642E4372634261736564556964222C20225622203A2022626F6F6C7C3122207D205D207D
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
ChunkCount
uint64_t|0
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData
VersionId
uint16_t|1
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
ConfigIds
P-D-29635-1-1,P-D-27087-1-9,P-D-29719-1-1,P-D-29718-1-1,P-D-29593-1-1,P-R-18513-1-30
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
ETag
std::wstring|"FqUU5h+JG6ty/Yyd/M0++95eH76NEuegJq9miz8ws6c="
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
Expires
int64_t|1557928342
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun
DeferredConfigs
std::wstring|
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
officeclicktorun.exe_queried
860BDC5C00000000
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
officeclicktorun.exe
Wed, 15 May 2019 12:52:23 GMT
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
RulesEndpoint
https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.11601.20174&ClientId={2D4D2667-8BF2-489E-804F-9E588A534730}&OSEnvironment=10&MsoAppId=37&AudienceName=Unknown_Error_Read_StreamPackageUrl&AudienceGroup=Other&AppVersion=16.0.11601.20174&
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
ULSTagIds0
5804129,7202269,20502174,17110992,6308191,7168707,3702920,3462423,17110988,17962391,17962392,3700754,3965062,4297094,7153421,18716193,7153487,7153435,7202265,20489353,18407617,17102418,22929429
1636
OfficeClickToRun.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
ULSCategoriesSeverities
1329 10,1329 50,941 10,1329 15,941 15,1329 6,1329 100,941 6

Files activity

Executable files
190
Suspicious files
16
Text files
29
Unknown types
8

Dropped files

PID
Process
Filename
Type
2076
OInstall.exe
C:\Users\admin\AppData\Local\Temp\files\setup.exe
executable
MD5: 5b51ece9852b92cfd1d3946d5940eed5
SHA256: 4f5c5cbcbf63115d0fa4f79988f80b9753b1c43d5a2b2c1dd1a6597ea9038e6e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.el-gr.dll
executable
MD5: dfb1535683177da2e00c8892f38804b8
SHA256: 166e461d5f6ace426f64121127c2391e03be8419c55e1faaeb2114f05ead601d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.fi-fi.dll
executable
MD5: 550b7665c65b6c9239b8ba642915accb
SHA256: 5a7b780ee17e32d6d4fde21a49179c77873f61dc23f1f56d4437f329f65ae572
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.de-de.dll
executable
MD5: 9c1f019326b6acd07689f36ea72e0b13
SHA256: 926e3ec9ca5f2dbd892370dcda2b3cf2514183996b4548fe5953cafb4d89ee11
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.es-es.dll
executable
MD5: 5236543383ff906ee5190f6a35034c2b
SHA256: bf7cb26ccc0c0d4a1060c47a16a7b4859459d90ccea1380eaa62017709536651
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.cs-cz.dll
executable
MD5: 673c45e03575f63eeca4d3c59872ee2c
SHA256: 3781dfa52b95a965b45a6321909d01ff236bf3698ea1107100ed5c1ef1a4632e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.hi-in.dll
executable
MD5: 31b79e385d52bacd976e4431a96e15e6
SHA256: a7affad6865ff5e25a9d3587a596b49d4dc07b9d50778c4495224cc03930ea0b
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.da-dk.dll
executable
MD5: dc3ff43cf4037303ff73c855d088bb4a
SHA256: 5d247daf9a40247e24338c9b1b66d37161d35236713ee73586bdcfdf0c5320ec
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.he-il.dll
executable
MD5: aa0c25e81eb41958f0362b08c19fb486
SHA256: 403f5bb17b1d55d6137eedd644c898062fad37d6b138ea1ac4cdde14dbc9204e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.ar-sa.dll
executable
MD5: 18d8e02d454ac75d22214bad136d688f
SHA256: b4c67f0aa0d1be3b887624b1e44aa64be100f50faee960b4210dcdd6a257c29a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.es-es.dll
executable
MD5: 5236543383ff906ee5190f6a35034c2b
SHA256: bf7cb26ccc0c0d4a1060c47a16a7b4859459d90ccea1380eaa62017709536651
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.hr-hr.dll
executable
MD5: 7416c3de8f95611e42c1dd882b5d2f5a
SHA256: 09e1577d1908352cc1fcec299602a9fe9680b2f861482cae2869a8e7dc3f347e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.et-ee.dll
executable
MD5: 57a2f8d69650e60053d521cd07cd7b38
SHA256: 685fda89bbb01c874412e80c29a7f99c84ea353839080de33dc0cff61795bd86
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.bg-bg.dll
executable
MD5: 1197ac848cbf4fbb3602f7590fdd57da
SHA256: a2b426446aafd099a647f9a98becead806982667c0fde7e67f4f30fc47999976
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.en-us.dll
executable
MD5: 5e10b3ed87659bf4f360f30d4401f85c
SHA256: 131c2e1923a802ed7ab68bf7a392c7a78b6e174b1c55dd5d2768eac31f924a74
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.id-id.dll
executable
MD5: 1a794b9a46663296ec273d04d0eb3fe6
SHA256: 3bfd8cf9710860d6e5137019b47390a5c77dc2435cd8eb5a06bad6286fd282c3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.el-gr.dll
executable
MD5: dfb1535683177da2e00c8892f38804b8
SHA256: 166e461d5f6ace426f64121127c2391e03be8419c55e1faaeb2114f05ead601d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2R32.dll
executable
MD5: 6de80952e4755d8bcb1c4464a6ce427b
SHA256: b9120f73ae18c300faddfa605b032c6f4fe49cffca7defe5242b6d554c985203
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.et-ee.dll
executable
MD5: 57a2f8d69650e60053d521cd07cd7b38
SHA256: 685fda89bbb01c874412e80c29a7f99c84ea353839080de33dc0cff61795bd86
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.hu-hu.dll
executable
MD5: f528d9cd5d3e2ac9edd15bcc83cde085
SHA256: d5856d72f530fd4ea486a805238d211a45e2e2157997b9aea6b2c65641dc3f2f
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.en-us.dll
executable
MD5: 5e10b3ed87659bf4f360f30d4401f85c
SHA256: 131c2e1923a802ed7ab68bf7a392c7a78b6e174b1c55dd5d2768eac31f924a74
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVShNotify.exe
executable
MD5: 33fdb87540089ef5c19ee48695a2eb5f
SHA256: 1b23a3dc6339424be174f7da61701a98d7c89a19dfe8ead07a8d974fb4ef0611
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.fr-fr.dll
executable
MD5: 2bbe0866f8b55ba477e5270af7d6810b
SHA256: 62fd8d0639c649364112a5f3eb49d51cd6abda5d1b0f014240d0732ba6f621f7
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.ja-jp.dll
executable
MD5: c5304ed48320be7e1a4136b6c40aaea8
SHA256: 2b3387bb1469201d27819e9747791ca3258766545e1cd41f6c3630f677a1cada
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.de-de.dll
executable
MD5: 9c1f019326b6acd07689f36ea72e0b13
SHA256: 926e3ec9ca5f2dbd892370dcda2b3cf2514183996b4548fe5953cafb4d89ee11
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVScripting.dll
executable
MD5: ae1480d5aa041369e6f6f4fa6c07cb24
SHA256: 12f14ec2eb07c9748d61b2e58799b6d2eef5b9a25f38da434538ee8f35ddf82a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.fi-fi.dll
executable
MD5: 550b7665c65b6c9239b8ba642915accb
SHA256: 5a7b780ee17e32d6d4fde21a49179c77873f61dc23f1f56d4437f329f65ae572
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.it-it.dll
executable
MD5: 719e5205c1b4d4521bd35a564e020032
SHA256: 73dd897b0e1b8a9968ac0d7eda2cb89dd96593712a2eda40e72a3c14002f7933
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.da-dk.dll
executable
MD5: dc3ff43cf4037303ff73c855d088bb4a
SHA256: 5d247daf9a40247e24338c9b1b66d37161d35236713ee73586bdcfdf0c5320ec
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVPolicy.dll
executable
MD5: e235fae7a0378921b4c15557faba05a4
SHA256: c06f284332652d8944da935cdc437211d57b5a952a37bdbad6fd226ae1092587
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.he-il.dll
executable
MD5: aa0c25e81eb41958f0362b08c19fb486
SHA256: 403f5bb17b1d55d6137eedd644c898062fad37d6b138ea1ac4cdde14dbc9204e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.ko-kr.dll
executable
MD5: b65e39dd8d3cc715716cfea7d89367f5
SHA256: edfb54af24cd5dab100c5123ae06958aae9b3b9681c456a392a4f5e1762835d5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.cs-cz.dll
executable
MD5: 673c45e03575f63eeca4d3c59872ee2c
SHA256: 3781dfa52b95a965b45a6321909d01ff236bf3698ea1107100ed5c1ef1a4632e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVOrchestration.dll
executable
MD5: e136e3aca68c0a49c83019df0e8474b6
SHA256: 4eedfa8cbfad1a52f23f5e1087a0573fc2475c53ce0dee78d931b91677e73f4b
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.hi-in.dll
executable
MD5: 31b79e385d52bacd976e4431a96e15e6
SHA256: a7affad6865ff5e25a9d3587a596b49d4dc07b9d50778c4495224cc03930ea0b
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.lt-lt.dll
executable
MD5: b048108a20d384ac9773abb691d5d22a
SHA256: 171319b21de0cb23da28c559040d7f99212ee6b3a08fcf6b7957e620842d6acd
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.ar-sa.dll
executable
MD5: 18d8e02d454ac75d22214bad136d688f
SHA256: b4c67f0aa0d1be3b887624b1e44aa64be100f50faee960b4210dcdd6a257c29a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVManifest.dll
executable
MD5: 3638cc9b7551c0dbe78fb0416226c0aa
SHA256: 201b3db79483400a70f4e74d19707b22d171faa99f2a69e44b10f2a5d791c112
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.hu-hu.dll
executable
MD5: f528d9cd5d3e2ac9edd15bcc83cde085
SHA256: d5856d72f530fd4ea486a805238d211a45e2e2157997b9aea6b2c65641dc3f2f
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.kk-kz.dll
executable
MD5: 08c8778f03425abed4ee04904c06dab9
SHA256: 19e3ee12299ac1b222b8e67d6f7d1400900658cf1e0c6b394b25d786cc6ae9f8
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.bg-bg.dll
executable
MD5: 1197ac848cbf4fbb3602f7590fdd57da
SHA256: a2b426446aafd099a647f9a98becead806982667c0fde7e67f4f30fc47999976
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVIsvVirtualization.dll
executable
MD5: e84fde960d9c4bacd33affb01560abaf
SHA256: d9b7943dc2ba6d4825fc5756541d7e88e1961ffe03d797ee0339466ac7ffaa8d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.hr-hr.dll
executable
MD5: 7416c3de8f95611e42c1dd882b5d2f5a
SHA256: 09e1577d1908352cc1fcec299602a9fe9680b2f861482cae2869a8e7dc3f347e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.ms-my.dll
executable
MD5: 00ebf6b23190733b55b36ec8633ca683
SHA256: 893c881944f2c8face5be0717a8a3794f65acadf8d2212d03b078986875d815b
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R32.dll
executable
MD5: 6de80952e4755d8bcb1c4464a6ce427b
SHA256: b9120f73ae18c300faddfa605b032c6f4fe49cffca7defe5242b6d554c985203
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppvIsvSubsystems32.dll
executable
MD5: 319a033d4e09fa3a614cf91f3e19dc0a
SHA256: 7e49783cadbdb7af70b89a8118247951e76eca66876cb36b4daa277d1c0f4400
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.id-id.dll
executable
MD5: 1a794b9a46663296ec273d04d0eb3fe6
SHA256: 3bfd8cf9710860d6e5137019b47390a5c77dc2435cd8eb5a06bad6286fd282c3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.lv-lv.dll
executable
MD5: 76d17701922e4ab98dbc82adefdddb9c
SHA256: 3933530bf5aaf6873ade852d62f03d176863e7c00c612c98a521d7eebd7fa96d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe
executable
MD5: 33fdb87540089ef5c19ee48695a2eb5f
SHA256: 1b23a3dc6339424be174f7da61701a98d7c89a19dfe8ead07a8d974fb4ef0611
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVIsvSubsystemController.dll
executable
MD5: 4e64f7c2bdc6b854c8666a3239c7fad1
SHA256: 25eda314f1b72d7dd45a447bfc206db9cddd830d4057e6977e9b3c81fd2e888e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.ja-jp.dll
executable
MD5: c5304ed48320be7e1a4136b6c40aaea8
SHA256: 2b3387bb1469201d27819e9747791ca3258766545e1cd41f6c3630f677a1cada
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.nb-no.dll
executable
MD5: 6d0c515a3c06299dcbf7216b61c7169e
SHA256: f1bad01e2d6f519d247266659ed159fbf99cd7b19c83c58e79d5266bdb7d3d25
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVScripting.dll
executable
MD5: ae1480d5aa041369e6f6f4fa6c07cb24
SHA256: 12f14ec2eb07c9748d61b2e58799b6d2eef5b9a25f38da434538ee8f35ddf82a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVIsvStreamingManager.dll
executable
MD5: 30507dd2e3e890dd7e4773f4f2aa58a3
SHA256: a99cc7bb4ecea5d111740e613942679883ea41c399eedb9ef6d4f5ca15012bc3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.it-it.dll
executable
MD5: 719e5205c1b4d4521bd35a564e020032
SHA256: 73dd897b0e1b8a9968ac0d7eda2cb89dd96593712a2eda40e72a3c14002f7933
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.nl-nl.dll
executable
MD5: 16f8f3cea8e9346eac62c9b72fc9f7b9
SHA256: 938093d6f94653373ad6e64743145897a0b26c7a413b5a4769dcfedd7dd4f65d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVPolicy.dll
executable
MD5: e235fae7a0378921b4c15557faba05a4
SHA256: c06f284332652d8944da935cdc437211d57b5a952a37bdbad6fd226ae1092587
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVIsvApi.dll
executable
MD5: f4af62dc442bcd3d19f730e13e5414bc
SHA256: deacfffa77f22a6d5540422911343087030a594628eb76b974f8443e714a2ba5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.kk-kz.dll
executable
MD5: 08c8778f03425abed4ee04904c06dab9
SHA256: 19e3ee12299ac1b222b8e67d6f7d1400900658cf1e0c6b394b25d786cc6ae9f8
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.pl-pl.dll
executable
MD5: 0572494a34a6444d7a359e80bfdc804c
SHA256: 01238fff3839938d2fc3636c734603227fc534fa4e4e4a7ec51b3fd2c685a3da
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll
executable
MD5: e136e3aca68c0a49c83019df0e8474b6
SHA256: 4eedfa8cbfad1a52f23f5e1087a0573fc2475c53ce0dee78d931b91677e73f4b
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVIntegration.dll
executable
MD5: e2ed5ba835ac654f1b9668ef86d5dcd8
SHA256: 6d8b8fef8b13df580fc28f2c3a88b3cb764b2b517e7be0a3882fdd4d66b0cdd5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.ko-kr.dll
executable
MD5: b65e39dd8d3cc715716cfea7d89367f5
SHA256: edfb54af24cd5dab100c5123ae06958aae9b3b9681c456a392a4f5e1762835d5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.pt-pt.dll
executable
MD5: 7eb70841d5c5b74cebead112bdbc6766
SHA256: e7be59a415db0614bb5dac50829562226329ea2f855282605c0bf4baaab6a901
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVManifest.dll
executable
MD5: 3638cc9b7551c0dbe78fb0416226c0aa
SHA256: 201b3db79483400a70f4e74d19707b22d171faa99f2a69e44b10f2a5d791c112
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll
executable
MD5: f6b4d8d403d22eb87a60bf6e4a3e7041
SHA256: 25687e95b65d0521f8c737df301bf90db8940e1c0758bb6ea5c217cf7d2f2270
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.lt-lt.dll
executable
MD5: b048108a20d384ac9773abb691d5d22a
SHA256: 171319b21de0cb23da28c559040d7f99212ee6b3a08fcf6b7957e620842d6acd
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.pt-br.dll
executable
MD5: 766b56920f22bd633aaf05e5d918f35f
SHA256: 75b70b675da30e8825fca13cc388eb86b28a1f62478343f997541c496dc1e752
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppvIsvSubsystems32.dll
executable
MD5: 319a033d4e09fa3a614cf91f3e19dc0a
SHA256: 7e49783cadbdb7af70b89a8118247951e76eca66876cb36b4daa277d1c0f4400
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\appvcleaner.exe
executable
MD5: 16b0494f59a563ce023ad26d4dfe4e10
SHA256: 054bd69e40ab4f82c373de1036560108855f99f55af29c748b40b8d786151980
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.lv-lv.dll
executable
MD5: 76d17701922e4ab98dbc82adefdddb9c
SHA256: 3933530bf5aaf6873ade852d62f03d176863e7c00c612c98a521d7eebd7fa96d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.ro-ro.dll
executable
MD5: 0b083d969147d857666fe4233fb1e4b6
SHA256: 933ca790c032c71971a168db9e0dedd457bdafb1854868d76cf1a65ed32f7bd9
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll
executable
MD5: e84fde960d9c4bacd33affb01560abaf
SHA256: d9b7943dc2ba6d4825fc5756541d7e88e1961ffe03d797ee0339466ac7ffaa8d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVCatalog.dll
executable
MD5: 874d28540b3d1c5ea2647c32f5e60b10
SHA256: dca54dc20b9be93335c15c75b56cdcdca05d91323efa49971afba85ec3650495
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.ms-my.dll
executable
MD5: 00ebf6b23190733b55b36ec8633ca683
SHA256: 893c881944f2c8face5be0717a8a3794f65acadf8d2212d03b078986875d815b
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.ru-ru.dll
executable
MD5: 89d795770c5a9db919370abd7f642c67
SHA256: adb9395a167ab741149234f63d9dd2d406a2832d24daa15f93a399a5698e18db
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll
executable
MD5: 4e64f7c2bdc6b854c8666a3239c7fad1
SHA256: 25eda314f1b72d7dd45a447bfc206db9cddd830d4057e6977e9b3c81fd2e888e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\ApiClient.dll
executable
MD5: a01eb1a64190144aa6b9dc2b3fcf75aa
SHA256: 0d21f30e5cecfaa26efb2439a484e0b02f91a3d4797db09528eddb18dde07996
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.nb-no.dll
executable
MD5: 6d0c515a3c06299dcbf7216b61c7169e
SHA256: f1bad01e2d6f519d247266659ed159fbf99cd7b19c83c58e79d5266bdb7d3d25
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.sk-sk.dll
executable
MD5: 06fa5e8007fbab9de64e8dd29c4eb124
SHA256: 29a9b93cc7e492151f41ab0c222a98c6103857cbb81b83462a290095be796be3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvStreamingManager.dll
executable
MD5: 30507dd2e3e890dd7e4773f4f2aa58a3
SHA256: a99cc7bb4ecea5d111740e613942679883ea41c399eedb9ef6d4f5ca15012bc3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-utility-l1-1-0.dll
executable
MD5: d6abf5c056d80592f8e2439e195d61ac
SHA256: 8858d883d180cea63e3bf4a3f5bc9e0f9fa16c9a35a84c4efe65308cea13a364
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.nl-nl.dll
executable
MD5: 16f8f3cea8e9346eac62c9b72fc9f7b9
SHA256: 938093d6f94653373ad6e64743145897a0b26c7a413b5a4769dcfedd7dd4f65d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.sr-latn-rs.dll
executable
MD5: 19574546d9e6afe0b0ac24a7047af86f
SHA256: ed69e5a83ff7f7fc1dc386ea3638c1de0edf2d84c930c508ac59172504bb5bcc
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvApi.dll
executable
MD5: f4af62dc442bcd3d19f730e13e5414bc
SHA256: deacfffa77f22a6d5540422911343087030a594628eb76b974f8443e714a2ba5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-time-l1-1-0.dll
executable
MD5: 1fa7c2b81cdfd7ace42a2a9a0781c946
SHA256: cafdb772a1d7acf0807478fdba1e00fd101fc29c136547b37131f80d21dacffd
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.pl-pl.dll
executable
MD5: 0572494a34a6444d7a359e80bfdc804c
SHA256: 01238fff3839938d2fc3636c734603227fc534fa4e4e4a7ec51b3fd2c685a3da
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.sl-si.dll
executable
MD5: 32cbf2ba6518805cc751ba0c8c1a7d15
SHA256: 9d53ef567d4af9e861021856d52a0957212ec595f79a10e5b49431579f6a20ef
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll
executable
MD5: e2ed5ba835ac654f1b9668ef86d5dcd8
SHA256: 6d8b8fef8b13df580fc28f2c3a88b3cb764b2b517e7be0a3882fdd4d66b0cdd5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-stdio-l1-1-0.dll
executable
MD5: 32d7b95b1bce23db9fbd0578053ba87f
SHA256: 104a76b41cbd9a945dba43a6ffa8c6de99db2105d4ce93a717729a9bd020f728
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.pt-br.dll
executable
MD5: 766b56920f22bd633aaf05e5d918f35f
SHA256: 75b70b675da30e8825fca13cc388eb86b28a1f62478343f997541c496dc1e752
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.sv-se.dll
executable
MD5: 0e8e7d05ba5da09d00884815dfd575e2
SHA256: cb33508b94d3d2111ea4cb885c7b4695d887c5a5acb53d3712a661127b7de82d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVFileSystemMetadata.dll
executable
MD5: 1eef31d805e8791b4dd1c8c4f79d7239
SHA256: 38e14a71b92a75633926610560a1311114131492f6780bb11f93de7939737249
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-string-l1-1-0.dll
executable
MD5: 5e72659b38a2977984bbc23ed274f007
SHA256: 44a4db6080f6bdae6151f60ae5dc420faa3be50902e88f8f14ad457dec3fe4ea
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.ro-ro.dll
executable
MD5: 0b083d969147d857666fe4233fb1e4b6
SHA256: 933ca790c032c71971a168db9e0dedd457bdafb1854868d76cf1a65ed32f7bd9
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.th-th.dll
executable
MD5: 6192a3063ef440a25dd8280c1ff8dea5
SHA256: 4d6a694a95dfc835467e410862831acec2b27e74ae1aa540aa5e5231ef295d79
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\appvcleaner.exe
executable
MD5: 16b0494f59a563ce023ad26d4dfe4e10
SHA256: 054bd69e40ab4f82c373de1036560108855f99f55af29c748b40b8d786151980
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-runtime-l1-1-0.dll
executable
MD5: ae3fa6bf777b0429b825fb6b028f8a48
SHA256: 66b86ed0867fe22e80b9b737f3ee428be71f5e98d36f774abbf92e3aaca71bfb
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.pt-pt.dll
executable
MD5: 7eb70841d5c5b74cebead112bdbc6766
SHA256: e7be59a415db0614bb5dac50829562226329ea2f855282605c0bf4baaab6a901
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.tr-tr.dll
executable
MD5: 914e77693dfca304dcf221a9896174e3
SHA256: 35f8e014d234d9e65657e4a7131b2051fb1876afaa2f41f486c2f187bc3623ef
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVCatalog.dll
executable
MD5: 874d28540b3d1c5ea2647c32f5e60b10
SHA256: dca54dc20b9be93335c15c75b56cdcdca05d91323efa49971afba85ec3650495
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-process-l1-1-0.dll
executable
MD5: 8f8a47617dfd829a63e3ec4aff2718d9
SHA256: 6d4a1aad695a3451c2d3f564c7cc8d37192cd35539874df6ae55e24847e51784
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.ru-ru.dll
executable
MD5: 89d795770c5a9db919370abd7f642c67
SHA256: adb9395a167ab741149234f63d9dd2d406a2832d24daa15f93a399a5698e18db
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.uk-ua.dll
executable
MD5: 7f96e854dc9277a07f42e618a7945825
SHA256: e8f7dcc065fdb3a632e1d89c2396790660659311a71cffd6f849b4c97b017f8a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll
executable
MD5: a01eb1a64190144aa6b9dc2b3fcf75aa
SHA256: 0d21f30e5cecfaa26efb2439a484e0b02f91a3d4797db09528eddb18dde07996
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-private-l1-1-0.dll
executable
MD5: 1dd5666125b8734e92b1041139fa6c37
SHA256: d0ff5f6bb94961d4c17f0709297a6b5a5fa323c9ac82f4fe27187912b4b13cf3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.sl-si.dll
executable
MD5: 32cbf2ba6518805cc751ba0c8c1a7d15
SHA256: 9d53ef567d4af9e861021856d52a0957212ec595f79a10e5b49431579f6a20ef
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.vi-vn.dll
executable
MD5: 6333047c510034649f8ee2bf054bf71e
SHA256: a54dcd725fabc01d1ac77fbb099bfc29446a34df2728aa4d9f20b1f2faa2d0a4
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll
executable
MD5: 1fa7c2b81cdfd7ace42a2a9a0781c946
SHA256: cafdb772a1d7acf0807478fdba1e00fd101fc29c136547b37131f80d21dacffd
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-multibyte-l1-1-0.dll
executable
MD5: 809bc1010eaf714cd095189af236ce2f
SHA256: b52f2b9de19d12b0e727e13e3dde93009e487bfb2dd97fd23952c7080949d97e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.sk-sk.dll
executable
MD5: 06fa5e8007fbab9de64e8dd29c4eb124
SHA256: 29a9b93cc7e492151f41ab0c222a98c6103857cbb81b83462a290095be796be3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.zh-cn.dll
executable
MD5: 5e034c84c9d095a9751164d671751768
SHA256: 7e711b17f957e6814fefeff629cf3f5ef9970c5aa7374e101553a7c0a16db049
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll
executable
MD5: d6abf5c056d80592f8e2439e195d61ac
SHA256: 8858d883d180cea63e3bf4a3f5bc9e0f9fa16c9a35a84c4efe65308cea13a364
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-math-l1-1-0.dll
executable
MD5: d0d380af839124368a96d6aa82c7c8ae
SHA256: 06985d00bf4985024e95442702bbdb53c2127e99f16440424f3380a88883f1a5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.sr-latn-rs.dll
executable
MD5: 19574546d9e6afe0b0ac24a7047af86f
SHA256: ed69e5a83ff7f7fc1dc386ea3638c1de0edf2d84c930c508ac59172504bb5bcc
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.zh-tw.dll
executable
MD5: e77ca3de0f0affeffdd66b7c5b9dd8dc
SHA256: 38cfa5527ca3ca744bf514c12f69fa416568d6441b20fb7a79f238b0f848b954
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll
executable
MD5: 32d7b95b1bce23db9fbd0578053ba87f
SHA256: 104a76b41cbd9a945dba43a6ffa8c6de99db2105d4ce93a717729a9bd020f728
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-heap-l1-1-0.dll
executable
MD5: 39d81596a7308e978d67ad6fdccdd331
SHA256: 3d109fd01f6684414d8a1d0d2f5e6c5b4e24de952a0695884744a6cbd44a8ec7
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.th-th.dll
executable
MD5: 6192a3063ef440a25dd8280c1ff8dea5
SHA256: 4d6a694a95dfc835467e410862831acec2b27e74ae1aa540aa5e5231ef295d79
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll
executable
MD5: c6e49cdd6295b42a711b01630810f90c
SHA256: 04ea4802fbbbc495335583f4989d2914ec2574bde56302076e9fe1d62bb13912
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll
executable
MD5: 5e72659b38a2977984bbc23ed274f007
SHA256: 44a4db6080f6bdae6151f60ae5dc420faa3be50902e88f8f14ad457dec3fe4ea
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-locale-l1-1-0.dll
executable
MD5: e70d8fe9d21841202b4fd1cf55d37ac5
SHA256: e087f611b3659151dfb674728202944a7c0fe71710f280840e00a5c4b640632d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.sv-se.dll
executable
MD5: 0e8e7d05ba5da09d00884815dfd575e2
SHA256: cb33508b94d3d2111ea4cb885c7b4695d887c5a5acb53d3712a661127b7de82d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\concrt140.dll
executable
MD5: 1e5b9799a91d80b9a82df786ad98fd47
SHA256: 9068d558632422427e8c6a3e6b3223d314717009498f4566365699ebe8a040eb
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll
executable
MD5: 8f8a47617dfd829a63e3ec4aff2718d9
SHA256: 6d4a1aad695a3451c2d3f564c7cc8d37192cd35539874df6ae55e24847e51784
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-environment-l1-1-0.dll
executable
MD5: 45c54a21261180410091cefb23f6a5ae
SHA256: 2b0fea07db507b7266346eab3ca7ede3821876aadc519daf059b130b85640918
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.tr-tr.dll
executable
MD5: 914e77693dfca304dcf221a9896174e3
SHA256: 35f8e014d234d9e65657e4a7131b2051fb1876afaa2f41f486c2f187bc3623ef
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\cpprestsdk.dll
executable
MD5: 634f65e713010703a8a2fd905b43fc03
SHA256: d3361982ccd15b0db8a2441b909c92874e96d27cf7514a986093587318a987ba
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll
executable
MD5: ae3fa6bf777b0429b825fb6b028f8a48
SHA256: 66b86ed0867fe22e80b9b737f3ee428be71f5e98d36f774abbf92e3aaca71bfb
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-filesystem-l1-1-0.dll
executable
MD5: ab8734c2328a46e7e9583befeb7085a2
SHA256: 921b7cf74744c4336f976db6750921b2a0960e8aa11268457f5ed27c0e13b2c8
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.uk-ua.dll
executable
MD5: 7f96e854dc9277a07f42e618a7945825
SHA256: e8f7dcc065fdb3a632e1d89c2396790660659311a71cffd6f849b4c97b017f8a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\IntegratedOffice.exe
executable
MD5: 906bfb4711eeca7a0f9da42627681f11
SHA256: 570d593c036e731c91202dd859c539b0e268a43ea54ffa7e8f762b7d4341ba3d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll
executable
MD5: 1dd5666125b8734e92b1041139fa6c37
SHA256: d0ff5f6bb94961d4c17f0709297a6b5a5fa323c9ac82f4fe27187912b4b13cf3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-conio-l1-1-0.dll
executable
MD5: 3b038338c1eb179d8eee3883cf42bc3e
SHA256: c17786e9031062f56e4b205f394a795e11ef9367b922763ddf391f2acab2e979
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.vi-vn.dll
executable
MD5: 6333047c510034649f8ee2bf054bf71e
SHA256: a54dcd725fabc01d1ac77fbb099bfc29446a34df2728aa4d9f20b1f2faa2d0a4
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\InspectorOfficeGadget.exe
executable
MD5: 018296a59a0c4e6f2cf31837b1e7599d
SHA256: e78f90cdd0e8675aa702528b7ccb597b1f9114d1cfd16bdef1fb067837fc2626
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll
executable
MD5: 809bc1010eaf714cd095189af236ce2f
SHA256: b52f2b9de19d12b0e727e13e3dde93009e487bfb2dd97fd23952c7080949d97e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-crt-convert-l1-1-0.dll
executable
MD5: 5245f303e96166b8e625dd0a97e2d66a
SHA256: 90a63611d9169a8cd7d030cd2b107b6e290e50e2beba6fa640a7497a8599aff5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.zh-cn.dll
executable
MD5: 5e034c84c9d095a9751164d671751768
SHA256: 7e711b17f957e6814fefeff629cf3f5ef9970c5aa7374e101553a7c0a16db049
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\msvcp120.dll
executable
MD5: e3244fdcec84c99e4b60227eb3b70893
SHA256: 81fbc2824e73f0d101d91854694a52e79db0ffaadbb2a10deaaf47b3b7f9b2b0
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll
executable
MD5: d0d380af839124368a96d6aa82c7c8ae
SHA256: 06985d00bf4985024e95442702bbdb53c2127e99f16440424f3380a88883f1a5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-core-xstate-l2-1-0.dll
executable
MD5: e20c50cb320a5718ae869d8ec4d460ca
SHA256: 48c776f38eaed72cb05a993484f60cbfdf5af59aebc48e53481a997ae7ded8dc
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RINTL.zh-tw.dll
executable
MD5: e77ca3de0f0affeffdd66b7c5b9dd8dc
SHA256: 38cfa5527ca3ca744bf514c12f69fa416568d6441b20fb7a79f238b0f848b954
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\msvcr120.dll
executable
MD5: 1a22ac29230ff06e278cf85992f48c86
SHA256: 3a3f61f1d187142bba9b37b318f6052a09743ff24fcdb3cee478d1bc5c68d300
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll
executable
MD5: e70d8fe9d21841202b4fd1cf55d37ac5
SHA256: e087f611b3659151dfb674728202944a7c0fe71710f280840e00a5c4b640632d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-core-timezone-l1-1-0.dll
executable
MD5: a20084f41b3f1c549d6625c790b72268
SHA256: 0fa42237fd1140fd125c6edb728d4c70ad0276c72fa96c2faabf7f429fa7e8f1
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RUI.dll
executable
MD5: c6e49cdd6295b42a711b01630810f90c
SHA256: 04ea4802fbbbc495335583f4989d2914ec2574bde56302076e9fe1d62bb13912
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\msvcp140.dll
executable
MD5: 774997bd018a0cc54c42bb545ebb400c
SHA256: 7bf763dab6ec4c1840e1ec884e23c42ab78ab1e59d706b7fa994025c8d31219a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll
executable
MD5: 39d81596a7308e978d67ad6fdccdd331
SHA256: 3d109fd01f6684414d8a1d0d2f5e6c5b4e24de952a0695884744a6cbd44a8ec7
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-core-synch-l1-2-0.dll
executable
MD5: f6b4d8d403d22eb87a60bf6e4a3e7041
SHA256: 25687e95b65d0521f8c737df301bf90db8940e1c0758bb6ea5c217cf7d2f2270
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\concrt140.dll
executable
MD5: 1e5b9799a91d80b9a82df786ad98fd47
SHA256: 9068d558632422427e8c6a3e6b3223d314717009498f4566365699ebe8a040eb
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RCom.dll
executable
MD5: 739c782bba48c4917d3a994f283ddbab
SHA256: b473643a4dbde173f3d918df710fce13b41cd876982e63d6d5c5705a2968ddd9
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll
executable
MD5: 45c54a21261180410091cefb23f6a5ae
SHA256: 2b0fea07db507b7266346eab3ca7ede3821876aadc519daf059b130b85640918
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-core-processthreads-l1-1-1.dll
executable
MD5: c2ead5fcce95a04d31810768a3d44d57
SHA256: 42a9a3d8a4a7c82cb6ec42c62d3a522daa95beb01ecb776aac2bfd4aa1e58d62
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\cpprestsdk.dll
executable
MD5: 634f65e713010703a8a2fd905b43fc03
SHA256: d3361982ccd15b0db8a2441b909c92874e96d27cf7514a986093587318a987ba
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
executable
MD5: a58c70f17dfd0aa04611942300e3a670
SHA256: 7fe85b214f6ae85204ce2cb9553bf28eadca18a0adaf1d27d06a728fcd733a40
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll
executable
MD5: ab8734c2328a46e7e9583befeb7085a2
SHA256: 921b7cf74744c4336f976db6750921b2a0960e8aa11268457f5ed27c0e13b2c8
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-core-localization-l1-2-0.dll
executable
MD5: 3b9d034ca8a0345bc8f248927a86bf22
SHA256: a7ac7ece5e626c0b4e32c13299e9a44c8c380c8981ce4965cbe4c83759d2f52d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\InspectorOfficeGadget.exe
executable
MD5: 018296a59a0c4e6f2cf31837b1e7599d
SHA256: e78f90cdd0e8675aa702528b7ccb597b1f9114d1cfd16bdef1fb067837fc2626
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
executable
MD5: a8dc13f05dc880653b9468d762d72adf
SHA256: b7e193b1b42a5c2e3778c53c7a6e81fdcd2402ff7f85b350e87775a6cefaf9c9
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll
executable
MD5: 5245f303e96166b8e625dd0a97e2d66a
SHA256: 90a63611d9169a8cd7d030cd2b107b6e290e50e2beba6fa640a7497a8599aff5
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-core-file-l2-1-0.dll
executable
MD5: bfb08fb09e8d68673f2f0213c59e2b97
SHA256: 6d5881719e9599bf10a4193c8e2ded2a38c10de0ba8904f48c67f2da6e84ed3e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\IntegratedOffice.exe
executable
MD5: 906bfb4711eeca7a0f9da42627681f11
SHA256: 570d593c036e731c91202dd859c539b0e268a43ea54ffa7e8f762b7d4341ba3d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\StreamServer.dll
executable
MD5: 4d656f779639bf9bd6d6fa41ce5cc06a
SHA256: d01ce8f8dfcb777764f05a59b44b02a7243fe4aaf164b00c2166b3a8753007fa
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll
executable
MD5: e20c50cb320a5718ae869d8ec4d460ca
SHA256: 48c776f38eaed72cb05a993484f60cbfdf5af59aebc48e53481a997ae7ded8dc
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\api-ms-win-core-file-l1-2-0.dll
executable
MD5: f6d1216e974fb76585fd350ebdc30648
SHA256: 348b70e57ae0329ac40ac3d866b8e896b0b8fef7e8809a09566f33af55d33271
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\msvcp120.dll
executable
MD5: e3244fdcec84c99e4b60227eb3b70893
SHA256: 81fbc2824e73f0d101d91854694a52e79db0ffaadbb2a10deaaf47b3b7f9b2b0
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ucrtbase.dll
executable
MD5: 21e6732ef4ef91b8efe2f17ad0562093
SHA256: ef2a371edb8835629de7a839f5b5d61c554c9e307cc4bf05cd9634817c0914f2
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll
executable
MD5: 3b038338c1eb179d8eee3883cf42bc3e
SHA256: c17786e9031062f56e4b205f394a795e11ef9367b922763ddf391f2acab2e979
3568
files.dat
C:\Users\admin\AppData\Local\Temp\files\x64\msvcr100.dll
executable
MD5: df3ca8d16bded6a54977b30e66864d33
SHA256: 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\msvcp140.dll
executable
MD5: 774997bd018a0cc54c42bb545ebb400c
SHA256: 7bf763dab6ec4c1840e1ec884e23c42ab78ab1e59d706b7fa994025c8d31219a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\vccorlib140.dll
executable
MD5: 150b1beaf80266c2c9fbedcaed4167b0
SHA256: 74621e9d25a2087565489bd702b3145635764a5a29fe40003239086066dd0bcf
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\msvcr120.dll
executable
MD5: 1a22ac29230ff06e278cf85992f48c86
SHA256: 3a3f61f1d187142bba9b37b318f6052a09743ff24fcdb3cee478d1bc5c68d300
3568
files.dat
C:\Users\admin\AppData\Local\Temp\files\x86\msvcr100.dll
executable
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\OfficeC2RClient.exe
executable
MD5: a58c70f17dfd0aa04611942300e3a670
SHA256: 7fe85b214f6ae85204ce2cb9553bf28eadca18a0adaf1d27d06a728fcd733a40
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\vcruntime140.dll
executable
MD5: 9b22263a62dcd0556e4bd9cea223cb3b
SHA256: 2b51c69681ed57f3092e9cac1ee364e9c8ae70ef1c25bfd5d83448dda2704a96
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\OfficeC2RCom.dll
executable
MD5: 739c782bba48c4917d3a994f283ddbab
SHA256: b473643a4dbde173f3d918df710fce13b41cd876982e63d6d5c5705a2968ddd9
3568
files.dat
C:\Users\admin\AppData\Local\Temp\files\x64\cleanospp.exe
executable
MD5: 162ab955cb2f002a73c1530aa796477f
SHA256: 5ce462e5f34065fc878362ba58617fab28c22d631b9d836dddcf43fb1ad4de6e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\OfficeClickToRun.exe
executable
MD5: a8dc13f05dc880653b9468d762d72adf
SHA256: b7e193b1b42a5c2e3778c53c7a6e81fdcd2402ff7f85b350e87775a6cefaf9c9
1636
OfficeClickToRun.exe
C:\Program Files\Microsoft Office 15\ClientX86\IntegratedOffice.exe
executable
MD5: 906bfb4711eeca7a0f9da42627681f11
SHA256: 570d593c036e731c91202dd859c539b0e268a43ea54ffa7e8f762b7d4341ba3d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll
executable
MD5: a20084f41b3f1c549d6625c790b72268
SHA256: 0fa42237fd1140fd125c6edb728d4c70ad0276c72fa96c2faabf7f429fa7e8f1
3568
files.dat
C:\Users\admin\AppData\Local\Temp\files\x86\cleanospp.exe
executable
MD5: 5fd363d52d04ac200cd24f3bcc903200
SHA256: 3fdefe2ad092a9a7fe0edf0ac4dc2de7e5b9ce6a0804f6511c06564194966cf9
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll
executable
MD5: bfb08fb09e8d68673f2f0213c59e2b97
SHA256: 6d5881719e9599bf10a4193c8e2ded2a38c10de0ba8904f48c67f2da6e84ed3e
1636
OfficeClickToRun.exe
C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe
executable
MD5: 906bfb4711eeca7a0f9da42627681f11
SHA256: 570d593c036e731c91202dd859c539b0e268a43ea54ffa7e8f762b7d4341ba3d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll
executable
MD5: 3b9d034ca8a0345bc8f248927a86bf22
SHA256: a7ac7ece5e626c0b4e32c13299e9a44c8c380c8981ce4965cbe4c83759d2f52d
2076
OInstall.exe
C:\Users\admin\AppData\Local\Temp\files\files.dat
executable
MD5: 55d21b2c272a5d6b9f54fa9ed82bf9eb
SHA256: 7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll
executable
MD5: c2ead5fcce95a04d31810768a3d44d57
SHA256: 42a9a3d8a4a7c82cb6ec42c62d3a522daa95beb01ecb776aac2bfd4aa1e58d62
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll
executable
MD5: f6d1216e974fb76585fd350ebdc30648
SHA256: 348b70e57ae0329ac40ac3d866b8e896b0b8fef7e8809a09566f33af55d33271
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.fr-fr.dll
executable
MD5: 2bbe0866f8b55ba477e5270af7d6810b
SHA256: 62fd8d0639c649364112a5f3eb49d51cd6abda5d1b0f014240d0732ba6f621f7
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVFileSystemMetadata.dll
executable
MD5: 1eef31d805e8791b4dd1c8c4f79d7239
SHA256: 38e14a71b92a75633926610560a1311114131492f6780bb11f93de7939737249
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ServiceWatcherSchedule.xml
xml
MD5: eebd1ed93f54772302324ae7fc741ac7
SHA256: f3b0dc236db906b513e7faa2185ee38112079a71cfb8dcf489f8c022f292c82d
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journal
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RHeartbeatConfig.xml
xml
MD5: cdd1fb1c46f6c3b304625a288dbf7c99
SHA256: dcd0aab257eb6514847f82070f947fd3c5a760f9a510084db980f6fdee53c9b0
3528
OfficeClickToRun.exe
C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journal
––
MD5:  ––
SHA256:  ––
3528
OfficeClickToRun.exe
C:\Users\admin\AppData\Local\Temp\.ses
text
MD5: 6137157af540e577d8ebc22a59535f43
SHA256: 0ad8bbcddfc6536ec233f6d2ce9d1e9bcbc5c1fb4cf5589feafc6c9a3409f13d
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850
binary
MD5: d34f8a2b4c0f66d9537cca16d3dfd7f6
SHA256: b560a90c7ddcf464906002e7071be9b076e641eec5c18bf61f1b825990b50544
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\i320.hash
text
MD5: da39ac8a0d9dd112627a36c4a4129634
SHA256: 5e882174870f7b708adb6a5ab679fe023a5da5f778e3330368da6964566c4718
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\FrequentOfficeUpdateSchedule.xml
xml
MD5: 34c23504fb391504b56f6c9638683c85
SHA256: d9f27a03289fa1186e4c5b525597ec07aa308342967a7227f54904730ed4c40a
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850
der
MD5: 0eb320e8e72988fee9045c0b901b3ed6
SHA256: d037d903b5c8e7a2e5db2646817f141d1c85a3a714dd0ee35628f965ef0e9058
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml
xml
MD5: b5f3823e84dff20c75a428695d94ae75
SHA256: 45f5c7ec603a86c12a1bb0b0338c1d4fd0872e3719c594a440b5948976858e2a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ClientEventLogMessages.man
xml
MD5: 9a9a5f91ca03c8fea03bb8ac25475a12
SHA256: f3dc361d94356c8f4c4632ff98f5e990ebe80a18f0624896dcb9159aff0834e1
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVClientIsv.man
xml
MD5: eff70efd2c66a9241291560f3977b195
SHA256: 6b5cc677bb215c5f402e1413b0872eba465c8755fdaef0cf9e6af20b1866aaa9
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\AppVClient.man
xml
MD5: 98bf5a6cf9d866640e120894824304f6
SHA256: ac5575f583abf5d0d20b926f7c989131586bda9cf19db3d719af7a01dfc2273a
3528
OfficeClickToRun.exe
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml
xml
MD5: b5f3823e84dff20c75a428695d94ae75
SHA256: 45f5c7ec603a86c12a1bb0b0338c1d4fd0872e3719c594a440b5948976858e2a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ClientCapabilities.json
text
MD5: 96ce107c5fb9ce67de12d7df7a9275e8
SHA256: 0f3a635894e56d558346837a983473090c866b909872c482c2e9fac65b298ddb
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21
binary
MD5: f53bb218dde277a2314ca32b43770013
SHA256: 3f17da4588b765993e3ca36acb1e2e790b539dcf2053cf71444042af26dfdb6e
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
binary
MD5: dbf59a1aec0994761bfa55fb3a44faea
SHA256: e1913db466569690e3ee6510791cd2f3a489042f91e6f822efe84981a68bbe8e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\vcruntime140.dll
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\vccorlib140.dll
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\ucrtbase.dll
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\StreamServer.dll
––
MD5:  ––
SHA256:  ––
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21
der
MD5: fb1f976753602d3d3d090e31a227340a
SHA256: b726e78fcba97740bcdaabea3c19311e867ff4b273785e4c53bfeee2fba41ef4
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\SharedPerformance.man
xml
MD5: e21b7e03173fd8591b9906096c451e1a
SHA256: 6fbbb678f1bf875900bcacc5cdbf73aff82147fbf8f35c0fd57391bfc094693e
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\ServiceWatcherSchedule.xml
xml
MD5: eebd1ed93f54772302324ae7fc741ac7
SHA256: f3b0dc236db906b513e7faa2185ee38112079a71cfb8dcf489f8c022f292c82d
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\OfficeUpdateSchedule.xml
xml
MD5: 3a883f8166d0a0f41127505491ef19f3
SHA256: ed69a0b39842b0eac3a99ceb1a82985ed226ca823efd95bb5d72c50ec6d9391b
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD
der
MD5: 4b78863752e3467ad4468214f086c3fc
SHA256: 865966da93c5d105e473a39037d7ffe0e5d5e5f63c4dd83b2735a82826f86174
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVClientIsv.man
xml
MD5: eff70efd2c66a9241291560f3977b195
SHA256: 6b5cc677bb215c5f402e1413b0872eba465c8755fdaef0cf9e6af20b1866aaa9
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E
binary
MD5: 39fa975e3c7572f0892e4c4ee7e03266
SHA256: 361842adc2974b798c6b4b4bf36b60bd94ed125aa7123691d4cad391b2a11877
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVClient.man
xml
MD5: 98bf5a6cf9d866640e120894824304f6
SHA256: ac5575f583abf5d0d20b926f7c989131586bda9cf19db3d719af7a01dfc2273a
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9E
der
MD5: 27ba3fdc586c65d3c239cffd7bebc0ed
SHA256: 57434d79f175bf5320259bd50c972f9d5d19ab4817bc02c5805d9cd542852000
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\SubsystemController.man
xml
MD5: aacf231fb3529afd5b2488704f8f9b82
SHA256: 7c112558cd5777f787e3d4bcced67b08cc63541294635e8bdbc0063c3c7fa081
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\SharedPerformance.man
xml
MD5: e21b7e03173fd8591b9906096c451e1a
SHA256: 6fbbb678f1bf875900bcacc5cdbf73aff82147fbf8f35c0fd57391bfc094693e
1636
OfficeClickToRun.exe
C:\Windows\TEMP\TarF5AF.tmp
––
MD5:  ––
SHA256:  ––
1636
OfficeClickToRun.exe
C:\Windows\TEMP\.ses
text
MD5: 073f369094ae72a4e6cb107fb9581bb8
SHA256: 404ae9500e893bdfe7170e6f6c1c72a204abf8d607c445e622abaadb32318fbd
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\FrequentOfficeUpdateSchedule.xml
xml
MD5: 34c23504fb391504b56f6c9638683c85
SHA256: d9f27a03289fa1186e4c5b525597ec07aa308342967a7227f54904730ed4c40a
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\i320.hash
text
MD5: da39ac8a0d9dd112627a36c4a4129634
SHA256: 5e882174870f7b708adb6a5ab679fe023a5da5f778e3330368da6964566c4718
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeUpdateSchedule.xml
xml
MD5: 3a883f8166d0a0f41127505491ef19f3
SHA256: ed69a0b39842b0eac3a99ceb1a82985ed226ca823efd95bb5d72c50ec6d9391b
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\ClientCapabilities.json
text
MD5: 96ce107c5fb9ce67de12d7df7a9275e8
SHA256: 0f3a635894e56d558346837a983473090c866b909872c482c2e9fac65b298ddb
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\OfficeC2R15B9640C-6EFE-4249-88A7-6A72D0F9C250\i320.cab
––
MD5:  ––
SHA256:  ––
3120
powershell.exe
C:\Users\admin\AppData\Local\Temp\Office.ValidateError.scratch
––
MD5:  ––
SHA256:  ––
3120
powershell.exe
C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch
––
MD5:  ––
SHA256:  ––
3120
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 33b4c42baf9e3ca295e3bdcd51c02eaf
SHA256: b4273c31a01b0b90869574075d54d52e8098519587f61ae756b69729d0af86a5
3120
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13929e.TMP
binary
MD5: 33b4c42baf9e3ca295e3bdcd51c02eaf
SHA256: b4273c31a01b0b90869574075d54d52e8098519587f61ae756b69729d0af86a5
3120
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZA59B3K87YE3BHTR0YZF.temp
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4\VersionDescriptor.xml
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4\v32.hash
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4OfficeC2R5A59CF32-75AE-4CEE-AAAB-751B657A814C\VersionDescriptor.xml
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4OfficeC2R5A59CF32-75AE-4CEE-AAAB-751B657A814C\v32.hash
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76
binary
MD5: 5500c28aeee35aadfb564e7bfbf0fd81
SHA256: 996d66144cf384031c7fb04dc4946f52581637342fa26f6b1464cccabe94ddc6
2324
setup.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76
der
MD5: 29435da390214a59b32f2f69cfb97da4
SHA256: 917d013451659b09cbd354f6ca28f6d9cd15d5273f2615d3323129d942eac084
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\Tar906D.tmp
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\Cab906C.tmp
––
MD5:  ––
SHA256:  ––
2324
setup.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21
der
MD5: fb1f976753602d3d3d090e31a227340a
SHA256: b726e78fcba97740bcdaabea3c19311e867ff4b273785e4c53bfeee2fba41ef4
2324
setup.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21
binary
MD5: 382169b58f16d3399436dcbc503e84b3
SHA256: 54ae0855cc1016779e1c7d8fafdd706028a38b72b6be82a56460c1fad39acf40
2324
setup.exe
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\setup.exe_Rules.xml
xml
MD5: b5f3823e84dff20c75a428695d94ae75
SHA256: 45f5c7ec603a86c12a1bb0b0338c1d4fd0872e3719c594a440b5948976858e2a
2324
setup.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
binary
MD5: 3e81352b60a83931e181f9cdd74019a3
SHA256: 71eb0605d3fed257a7b00b858d516409c71722b870d7e405dc75053e310a69d3
2324
setup.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD
der
MD5: 4b78863752e3467ad4468214f086c3fc
SHA256: 865966da93c5d105e473a39037d7ffe0e5d5e5f63c4dd83b2735a82826f86174
2324
setup.exe
C:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4\v32_16.0.11601.20204.cab
––
MD5:  ––
SHA256:  ––
2076
OInstall.exe
C:\Users\admin\AppData\Local\Temp\files\Configure.xml
text
MD5: 057b592b8166e85054f04a76633be4b9
SHA256: 5dd6a2cbaf3fe54e623ae8ca79cf3b4bd15871c2ea68a3ce669a854238fd1223
2076
OInstall.exe
C:\Users\admin\AppData\Local\Temp\files\Configure.xml
text
MD5: ac6be84084e31dbb0e08d188b6c86ec8
SHA256: 1879f7de537c2aa70292c61ebef9c6477d36e25b2e6a639e318b159e0a22b0fc
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\ClientEventLogMessages.man
xml
MD5: 9a9a5f91ca03c8fea03bb8ac25475a12
SHA256: f3dc361d94356c8f4c4632ff98f5e990ebe80a18f0624896dcb9159aff0834e1
1636
OfficeClickToRun.exe
C:\Windows\TEMP\CabF5AE.tmp
––
MD5:  ––
SHA256:  ––
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CD1F910DD5DC23C234E99A91DE345C0
der
MD5: 5fb2e55f6919a67362bcc62c8db862ea
SHA256: 29d74f1a3ffc42633432a5b134939661a182cbe16e5bd3c014ebb22db41023c3
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\C2RHeartbeatConfig.xml
xml
MD5: cdd1fb1c46f6c3b304625a288dbf7c99
SHA256: dcd0aab257eb6514847f82070f947fd3c5a760f9a510084db980f6fdee53c9b0
3568
files.dat
C:\Users\admin\AppData\Local\Temp\files\Uninstall.xml
text
MD5: 364f86f97324ea82fe0d142cd01cf6dd
SHA256: 09d5b42140bab13165ba97fbd0e77792304c3c93555be02c3dce21a7a69c66dd
1636
OfficeClickToRun.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CD1F910DD5DC23C234E99A91DE345C0
binary
MD5: 19411cde0762ea8e10320ddb8f89018f
SHA256: 6a2c792c5868855d6199381b4d92136828df3094349e6ca63bde00c47a7124c6
2324
setup.exe
C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RDA03A355-0669-49D4-926E-D6C7071903B2\SubsystemController.man
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
18
TCP/UDP connections
12
DNS requests
9
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2324 setup.exe HEAD 301 104.111.214.95:80 http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab NL
––
––
whitelisted
2324 setup.exe HEAD 200 2.16.186.83:80 http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab unknown
––
––
whitelisted
2324 setup.exe HEAD 301 104.111.214.95:80 http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab NL
––
––
whitelisted
2324 setup.exe HEAD 200 2.16.186.83:80 http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab unknown
––
––
whitelisted
2324 setup.exe GET 301 104.111.214.95:80 http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab NL
––
––
whitelisted
2324 setup.exe GET 200 2.16.186.83:80 http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab unknown
compressed
whitelisted
2324 setup.exe GET 200 173.223.10.123:80 http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl NL
der
whitelisted
2324 setup.exe GET 200 173.223.10.123:80 http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl NL
der
whitelisted
2324 setup.exe GET 200 173.223.10.123:80 http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl NL
der
whitelisted
2324 setup.exe HEAD 301 104.111.214.95:80 http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11601.20204/i320.cab NL
––
––
whitelisted
2324 setup.exe HEAD 200 2.16.186.83:80 http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11601.20204/i320.cab unknown
compressed
whitelisted
2324 setup.exe GET 301 104.111.214.95:80 http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11601.20204/i320.cab NL
––
––
whitelisted
2324 setup.exe GET 200 2.16.186.83:80 http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11601.20204/i320.cab unknown
compressed
whitelisted
1636 OfficeClickToRun.exe GET 200 2.16.186.120:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl unknown
der
whitelisted
1636 OfficeClickToRun.exe GET 200 2.23.106.83:80 http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl unknown
der
whitelisted
1636 OfficeClickToRun.exe GET 200 2.16.186.120:80 http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl unknown
der
whitelisted
1636 OfficeClickToRun.exe GET 200 2.16.186.120:80 http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl unknown
der
whitelisted
1636 OfficeClickToRun.exe GET 200 2.16.186.120:80 http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl unknown
der
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2324 setup.exe 52.109.120.18:443 Microsoft Corporation HK whitelisted
2324 setup.exe 13.107.3.128:443 Microsoft Corporation US whitelisted
2324 setup.exe 52.109.76.40:443 Microsoft Corporation IE unknown
2324 setup.exe 104.111.214.95:80 Akamai International B.V. NL unknown
2324 setup.exe 2.16.186.83:80 Akamai International B.V. –– whitelisted
2324 setup.exe 173.223.10.123:80 Akamai International B.V. NL unknown
3528 OfficeClickToRun.exe 52.109.120.18:443 Microsoft Corporation HK whitelisted
–– –– 13.107.3.128:443 Microsoft Corporation US whitelisted
1636 OfficeClickToRun.exe 13.107.3.128:443 Microsoft Corporation US whitelisted
1636 OfficeClickToRun.exe 52.109.120.18:443 Microsoft Corporation HK whitelisted
1636 OfficeClickToRun.exe 2.16.186.120:80 Akamai International B.V. –– whitelisted
1636 OfficeClickToRun.exe 2.23.106.83:80 Akamai International B.V. –– suspicious

DNS requests

Domain IP Reputation
nexusrules.officeapps.live.com 52.109.120.18
whitelisted
config.edge.skype.com 13.107.3.128
whitelisted
mrodevicemgr.officeapps.live.com 52.109.76.40
whitelisted
officecdn.microsoft.com 104.111.214.95
whitelisted
officecdn.microsoft.com.edgesuite.net 2.16.186.83
2.16.186.90
whitelisted
crl.microsoft.com 173.223.10.123
173.223.10.146
whitelisted
www.microsoft.com 2.23.106.83
whitelisted

Threats

No threats detected.

Debug output strings

No debug info.