Windows Analysis Report officeclicktorun.exe

Overview

General Information

Sample Name:officeclicktorun.exe
Analysis ID:512469
MD5:77d569aa073d06f3268d1fadd49b2e64
SHA1:9052a38ec33f671ae32fdfba8081061044df6c9c
SHA256:010b8629ea9dfce3cde59fc862caa0db7126799aff9af9cc8d7681338c75ee51
Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
PE file contains sections with non-standard names
Program does not show much activity (idle)

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • officeclicktorun.exe (PID: 6700 cmdline: 'C:\Users\user\Desktop\officeclicktorun.exe' MD5: 77D569AA073D06F3268D1FADD49B2E64)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures. All signature results are listed below.

Source: officeclicktorun.exe | Static PE information: certificate valid
Source: officeclicktorun.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: d:\dbs\el\aug\target\x64\ship\click2run\x-none\OfficeClickToRun.pdb source: officeclicktorun.exe
Source: Binary string: d:\dbs\el\aug\target\x64\ship\click2run\x-none\OfficeClickToRun.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: officeclicktorun.exe
Source: officeclicktorun.exe | String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorViewerIdealConcurrencyValueOverrideHostNameOOBELowCostUplo
Source: officeclicktorun.exe | String found in binary or memory: https://clients.config.office.net/c2rDeviceIdPresentMSADeviceTokenPresentrequest-
Source: officeclicktorun.exe | String found in binary or memory: https://ecs.office.com/config/v2/OfficeetagClientidApplicationMsoVersionexpiresdateIdSubscriptionLic
Source: officeclicktorun.exe | String found in binary or memory: https://nexus.officeapps.live.com/nexus/ruleshttps://nexusrules.officeapps.live.comIgnoring
Source: officeclicktorun.exe, 00000000.00000000.276164998.00007FF6B648F000.00000002.00020000.sdmp | Binary or memory string: RegisterRawInputDevices
Source: officeclicktorun.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\officeclicktorun.exe | Section loaded: ncrypt.dll
Source: officeclicktorun.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\officeclicktorun.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: officeclicktorun.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: officeclicktorun.exe | String found in binary or memory: EA4A4090-DE26-49D7-93C1-91BFF9E53FC3F3260CF1-A92C-4C75-B02E-D64C0A86A968Microsoft_LTSC202186752282-5841-4120-AC80-DB03AE6B5FDB5440FD1F-7ECB-4221-8110-145EFAA6372F64256AFE-F5D9-4F86-8936-8840A6A4F5BEB8F9B850-328D-4355-9145-C59439A0C4CFInsiders_LTSC2E148DE9-61C8-4051-B103-4AF54BAFFBB4Insiders_LTSC2021834504CC-DC55-4C6D-9E71-E024D0253F6DC4A7726F-06EA-48E2-A13A-9D78849EB7065462EEE5-1E97-495B-9370-853CD873BB07B61285DD-D9F7-41F2-9757-8F61CBA4E9C89A3B7FF2-58ED-40FD-ADD5-1E5158059D1CF4F024C8-D611-4748-A7E0-02B6E754C0FEMicrosoft_LTSC1D2D2EA6-1680-4C56-AC58-A441C8C24FF95030841D-C919-4594-8D2D-84AE4F96E58E\\OFFDOG\ODFSERVER\V2\RELEASES_DOGFOOD_MAINCANARY12F4F6AD-FDEA-4D2A-A90F-17496CC19A48492350F6-3A01-4F97-B9C0-C7C6DDF67D6055336B82-A18D-4DD6-B5F6-9E5095C314A67FFBC6BF-BC32-4F92-8982-F9DD17FD311489815E81-C82E-49A3-99DC-2B99229CF632Production_LTSCF2E724C1-748F-4B47-8FB8-8E0D210E9208Production_LTSC2021SAEPreviewSAEDogfoodCanaryDogfoodMainDogfoodForkDogfoodSAEMicrosoftMainMicrosoftForkInsiderSlowMicrosoftSAEPreviewMicrosoftSAEAutomationJobIdAutomationTaskIdAutomationTaskPurposeAutomationTaskCreatorEmailAutomationTaskExecutionIdAutomationExecutionNumberAutomationJobPropertiesAutomationScenarioIdAutomationConfigNameAutomationJobClassificationAutomationPartyIdAutomationJobNameCan't query for a default value for a NO_DEFAULT rid.ResultSoftware\PoliciesSoftware\Microsoft\OfficeSoftware\Policies\Microsoft\OfficeSoftware\Policies\Microsoft\CloudKeyPathlRetFailed to open registry key.Could not open persistent key as R/W, but succeeded as opening read-only. 
This indicates a key is incorrectly marked as a non-read-only key.Software\Policies\Microsoft\Cloud\OfficeSoftware\AppDataLow\Microsoft\OfficeSoftware\Policies\Microsoft\cloud\OfficeSoftware\Microsoft\Office Test\AlwaysPersistentOrapiUTSoftware\Policies\MicrosoftSoftware\MicrosoftWin32ErrorCodeRegistryValueNameFailed to write registry value.OrapiWriteFail: RegSetValueExWOrapiHiveStorageOptionOptionsPathKeyFailed to find an open key anywhere in the chain?ErrorFailed to create key with read-only accessFailed to open key with read-only accessHKCU cloud Policy ExistsKeyNameOrapiWriteFail: TryOpenKey in WriteValueIndexHKCU Policy Exists
Source: officeclicktorun.exe | String found in binary or memory: mso-oleo-ensureinit-failed-possible-bad-install-state
Source: officeclicktorun.exe | String found in binary or memory: BufferedLogWriter Flushing BufferBufferedLogWriter reached buffer size hard limit, ignoring traces.logReporting configuration of non-default log writers.Logging liblet uninitializing.Logging liblet initialized.Default throttling not initialized.Failed to send sync request to Http.Sent sync request to Http.bytesWrittenIsHighCostNetwork_TimedoutUpload-Sequence-Numberapplication/vnd.ms-ots-uls-v1%#x%02d/%02d/%04d %02d:%02d:%02d.%03dDiskLogFile failed to write to disk.MsoNotifyPerfMarkermso20win32clientPluggableUI UI LanguageUI LanguagePluggableUI Language List EntryOrderOfLanguagezh-TWsaUser ProfileLanguagesControl Panel\InternationalPreferredUILanguageTagPendingInstallMatchWindowsDisplayLanguageMso::Oleo::EnsureInit failedLangTagWindowsLangTagOfficeCountInstalledOfficeDisplayLangsVerifyUserRequestedLangInstalledNoLangsInstalledLangTagCorrelationGUID\VarFileInfo\TranslationString ResourceProofingTools!x-sys-default-localemso-oleo-ensureinit-failed-possible-bad-install-stateHrInitializeCommonDataResB-too-few-culturesCulturesOleoVerHrInitializeCommonDataResB-oom-wzResCharactersHrInitializeCommonDataResB-bad-global-statenCultures-bad-statepcoTable-bad-stateHrInitializeCommonDataResB-oom-wzRes2-tagsHrInitializeCommonDataResB-realloc-wzRes2-tagsCultureTagHrInitializeCommonDataResB-DecodeGetTripletString-header-hex-lcids-failedHrInitializeCommonDataResB-oom-wzRes2-lcidsHrInitializeCommonDataResB-realloc-wzRes2-lcidsLCIDHrInitializeCommonDataResB-oom-pcotTempv_hresdecResB-bad-stateOleoHrInitializeDataProviderCore-file-version-unexpectedOleoHrInitializeDataProviderCore-caller-uOleoInitVersion-unexpectedOleoHrInitializeDataProviderCore-caller-hModule-NULLOleoHrInitializeDataProviderCore-MsoLoadResourceLibrary-failedOleoHrInitializeDataProviderCore-caller-podpi-NULLHrInitializeCommonDataResB-HrEnsureCultureHandles-failedHrInitializeCommonDataResB-oom-wzLocalesHrInitializeCommonDataResB-DecodeGetTripletString-header-ta
gs-failedOleoHrInitializeDataProviderCore-succeededOleoHrInitializeDataProviderCore-HrInitializeCommonDataResB-failedOleoHrInitializeDataProviderCore-DecodeReadResBInit-failedOleoHrInitializeDataProviderCore-MsoLoadResource-failedHrInitializeOleoCultureDataTable-oomHrInitializeOleoCultureDataTable-pcoTable-NULLHrGetHcultureFromCultureTagCoremsi-based-gimme-DoOleoInit-MsoHrInitializeOleo-succeededmsi-based-gimme-DoOleoInit-MsoHrInitializeOleo-DataFileErrormsi-based-gimme-DoOleoInit-MsoHrInitializeOleo-failedmsi-based-gimme-DoOleoInit-GetFallBackOleoOdfPath-failedmsi-based-gimme-DoOleoInit-FGimmeFileEx-failedmsi-based-gimme-DoOleoInit-FGimmeFileEx-skippedAliasTagsGeoIDInternalSequenceNumberTimeAriaTenantTokenContractSendEvent
Source: officeclicktorun.exe | String found in binary or memory: olk-launchevent-host.win32.bundle
Source: classification engine | Classification label: clean2.winEXE@1/0@0/0
Source: officeclicktorun.exe, 00000000.00000000.276164998.00007FF6B648F000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: officeclicktorun.exe, 00000000.00000000.276164998.00007FF6B648F000.00000002.00020000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: officeclicktorun.exe, 00000000.00000000.276164998.00007FF6B648F000.00000002.00020000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: officeclicktorun.exe, 00000000.00000000.276164998.00007FF6B648F000.00000002.00020000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: officeclicktorun.exe | Static file information: File size 9250688 > 1048576
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: officeclicktorun.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: officeclicktorun.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: officeclicktorun.exe | Static PE information: certificate valid
Source: officeclicktorun.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x53e000
Source: officeclicktorun.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2b8000
Source: officeclicktorun.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: officeclicktorun.exe | Static PE information: More than 200 imports for MSVCP140.dll
Source: officeclicktorun.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: officeclicktorun.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: officeclicktorun.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: officeclicktorun.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: officeclicktorun.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: officeclicktorun.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: officeclicktorun.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: officeclicktorun.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\dbs\el\aug\target\x64\ship\click2run\x-none\OfficeClickToRun.pdb source: officeclicktorun.exe
Source: Binary string: d:\dbs\el\aug\target\x64\ship\click2run\x-none\OfficeClickToRun.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: officeclicktorun.exe
Source: officeclicktorun.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: officeclicktorun.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: officeclicktorun.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: officeclicktorun.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: officeclicktorun.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: officeclicktorun.exe | Static PE information: real checksum: 0x8d3841 should be: 0x8e1866
Source: officeclicktorun.exe | Static PE information: section name: .didat
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Tactic | Technique (signature count as shown in the matrix)
Initial Access | Valid Accounts
Execution | Command and Scripting Interpreter (2)
Persistence | DLL Side-Loading (1)
Privilege Escalation | DLL Side-Loading (1)
Defense Evasion | DLL Side-Loading (1)
Credential Access | Input Capture (11)
Discovery | System Information Discovery (1)
Lateral Movement | Remote Services
Collection | Input Capture (11)
Exfiltration | Exfiltration Over Other Network Medium
Command and Control | Data Obfuscation
Network Effects | Eavesdrop on Insecure Network Communication
Remote Service Effects | Remotely Track Device Without Authorization
Impact | Modify System Partition
Behavior Graph: ID 512469, sample officeclicktorun.exe, start date 31/10/2021, architecture WINDOWS, score 2. The graph contains a single process node, officeclicktorun.exe, started from the start node.

Antivirus results for the sample (Source | Detection | Scanner | Label):
officeclicktorun.exe | 0% | Virustotal |
officeclicktorun.exe | 0% | Metadefender |
officeclicktorun.exe | 0% | ReversingLabs |
No Antivirus matches
URL scan results (Source | Detection | Scanner | Label):
http://127.0.0.1:13556/InsiderSlabBehaviorViewerIdealConcurrencyValueOverrideHostNameOOBELowCostUplo | 0% | Avira URL Cloud | safe
No contacted domains info
URLs found in the sample (Name | Source | Malicious | Antivirus Detection | Reputation):
https://clients.config.office.net/c2rDeviceIdPresentMSADeviceTokenPresentrequest- | officeclicktorun.exe | false | - | high
http://127.0.0.1:13556/InsiderSlabBehaviorViewerIdealConcurrencyValueOverrideHostNameOOBELowCostUplo | officeclicktorun.exe | false | Avira URL Cloud: safe | unknown
No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:512469
    Start date:31.10.2021
    Start time:17:16:33
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 16s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:officeclicktorun.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:22
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:CLEAN
    Classification:clean2.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 20.54.110.249, 40.112.88.60, 173.222.108.210, 173.222.108.226, 52.251.79.25, 80.67.82.211, 80.67.82.235, 20.50.102.62
    • Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
    • Not all processes were analyzed; the report is missing behavior information
    No simulations
    No context
    No created / dropped files found

    Static File Info

    General

    File type:PE32+ executable (GUI) x86-64, for MS Windows
    Entropy (8bit):6.251143543317622
    TrID:
    • Win64 Executable GUI (202006/5) 92.65%
    • Win64 Executable (generic) (12005/4) 5.51%
    • Generic Win/DOS Executable (2004/3) 0.92%
    • DOS Executable Generic (2002/1) 0.92%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:officeclicktorun.exe
    File size:9250688
    MD5:77d569aa073d06f3268d1fadd49b2e64
    SHA1:9052a38ec33f671ae32fdfba8081061044df6c9c
    SHA256:010b8629ea9dfce3cde59fc862caa0db7126799aff9af9cc8d7681338c75ee51
    SHA512:baf04ba197352a01df6dbfb2556c0f053d833b10ffca191135bc6c86c079793cea615597360640a9995cc6aee0b8693d0a8fb6f10be77783eccf9c5ed73d89d5
    SSDEEP:49152:+RIQJykfRZpq+LXhP+h0hkb22sW2hF8PEPA0Fk7wohsRsyQgiw4mzEOaCwRFoSh6:taLhGbctRvp/5GKbDINY
    File Content Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........\.F.2.F.2.F.2.O...R.2. ...D.2.*.3.@.2.*.6.L.2.*.1.B.2.*.7.h.2...3.D.2.af_.N.2.afO.G.2...6.U.2...3.Y.2.F.3...2...1.G.2...7...2

    File Icon

    Icon Hash:e0c8cec6c6cec0e0

    General

    Entrypoint:0x140198fb0
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Time Stamp:0x615FCCB8 [Fri Oct 8 04:44:40 2021 UTC]
    TLS Callbacks:0x40199b60, 0x1, 0x40199be0, 0x1
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:1
    File Version Major:6
    File Version Minor:1
    Subsystem Version Major:6
    Subsystem Version Minor:1
    Import Hash:a7b9ab4bbd09c0dc099868bf35998764
    Signature Valid:true
    Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Signature Validation Error:The operation completed successfully
    Error Number:0
    Not Before, Not After
    • 12/15/2020 1:24:20 PM 12/2/2021 1:24:20 PM
    Subject Chain
    • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Version:3
    Thumbprint MD5:31F605F0D1D4BA54250DA5C719A8200C
    Thumbprint SHA-1:E8C15B4C98AD91E051EE5AF5F524A8729050B2A2
    Thumbprint SHA-256:22A3C23E08C7DBB4E7F4591E58C04285C0514C2894E3C418AD157D817D7EDF3C
    Serial:33000003DE8D56825AF1A4A9670000000003DE
    Instruction
    dec eax
    sub esp, 28h
    call 00007F8C8D03CE50h
    dec eax
    add esp, 28h
    jmp 00007F8C8D03BE0Fh
    int3
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    dec eax
    cmp ecx, dword ptr [0065E039h]
    jne 00007F8C8D03BFB5h
    dec eax
    rol ecx, 10h
    test cx, FFFFh
    jne 00007F8C8D03BFA5h
    ret
    dec eax
    ror ecx, 10h
    jmp 00007F8C8D03C824h
    int3
    nop
    nop
    dec eax
    sub esp, 28h
    call 00007F8C8D03D378h
    test eax, eax
    je 00007F8C8D03BFC3h
    dec eax
    mov eax, dword ptr [00000030h]
    dec eax
    mov ecx, dword ptr [eax+08h]
    jmp 00007F8C8D03BFA7h
    dec eax
    cmp ecx, eax
    je 00007F8C8D03BFB6h
    xor eax, eax
    dec eax
    cmpxchg dword ptr [00689718h], ecx
    jne 00007F8C8D03BF90h
    xor al, al
    dec eax
    add esp, 28h
    ret
    mov al, 01h
    jmp 00007F8C8D03BF99h
    int3
    nop
    nop
    inc eax
    push ebx
    dec eax
    sub esp, 20h
    movzx eax, byte ptr [00689703h]
    test ecx, ecx
    mov ebx, 00000001h
    cmove eax, ebx
    mov byte ptr [006896F3h], al
    call 00007F8C8D03D17Fh
    call 00007F8C8D035EEEh
    test al, al
    jne 00007F8C8D03BFA6h
    xor al, al
    jmp 00007F8C8D03BFB6h
    call 00007F8C8D035EE1h
    test al, al
    jne 00007F8C8D03BFABh
    xor ecx, ecx
    call 00007F8C8D035ED6h
    jmp 00007F8C8D03BF8Ch
    mov al, bl
    dec eax
    add esp, 20h
    Programming Language:
    • [ C ] VS2005 build 50727
    • [ASM] VS2005 build 50727
    • [IMP] VS2008 SP1 build 30729
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7280a8 | 0x244 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x894000 | 0x191d0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x840000 | 0x52764 | .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8ce200 | 0x4580 | .reloc
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8ae000 | 0x29388 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x73086c | 0x38 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x63f0b0 | 0x28 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x55a960 | 0x138 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x53f000 | 0x1b88 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x724d7c | 0x380 | .rdata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x53df86 | 0x53e000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rdata | 0x53f000 | 0x2b7e95 | 0x2b8000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x7f7000 | 0x48f88 | 0x42600 | False | 0.112166754944 | data | 3.73575306133 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .pdata | 0x840000 | 0x52764 | 0x52800 | False | 0.487494081439 | data | 6.33829297694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .didat | 0x893000 | 0x958 | 0xa00 | False | 0.245703125 | data | 3.39207067139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x894000 | 0x191d0 | 0x19200 | False | 0.109044620647 | data | 3.07954751364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x8ae000 | 0x29388 | 0x29400 | False | 0.0548709753788 | data | 5.44638875393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    RT_SCENARIO | 0x8944d8 | 0xa1b | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x894ef4 | 0x1ce | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x8950c4 | 0x560 | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x895624 | 0x510 | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x895b34 | 0x1be | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x895cf4 | 0xef | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x895de4 | 0x188 | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x895f6c | 0x2a0 | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x89620c | 0x893 | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x896aa0 | 0x6f9 | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x89719c | 0x23b | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x8973d8 | 0xd9 | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x8974b4 | 0xcb | ASCII text, with CRLF line terminators | English | United States
    RT_SCENARIO | 0x897580 | 0x2e1 | ASCII text, with CRLF line terminators | English | United States
    RT_ICON | 0x897864 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
    RT_ICON | 0x8a808c | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
    RT_ICON | 0x8aa634 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
    RT_ICON | 0x8ab6dc | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
    RT_STRING | 0x8abb44 | 0x3c | data | English | United States
    RT_GROUP_ICON | 0x8abb80 | 0x3e | data | English | United States
    RT_VERSION | 0x8abbc0 | 0x454 | data | English | United States
    RT_MANIFEST | 0x8ac014 | 0x11b9 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
    DLL | Import
    ADVAPI32.dll | RegCreateKeyExW, RegCloseKey, RegOpenKeyExW, RegSetValueExW, RegQueryValueExW, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerExW, SetServiceStatus, CreateWellKnownSid, CheckTokenMembership, RegEnumKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegDeleteTreeW, RegDeleteKeyW, RegGetValueW, RegDeleteValueW, GetTokenInformation, IsValidSid, GetSidSubAuthorityCount, GetSidSubAuthority, ReportEventW, RegisterEventSourceW, DeregisterEventSource, EventWriteTransfer, EventRegister, EventUnregister, CryptReleaseContext, CryptAcquireContextW, CryptDestroyHash, CryptGetHashParam, CryptCreateHash, GetFileSecurityW, SetFileSecurityW, RegNotifyChangeKeyValue, RevertToSelf, RegQueryValueW, OpenThreadToken, OpenProcessToken, GetLengthSid, CopySid, InitializeAcl, AddAccessAllowedAce, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidA, ConvertSidToStringSidW, EqualSid, EventWrite, RegEnumValueA, RegDeleteValueA, CreateProcessAsUserW, RegCopyTreeW, ConvertStringSidToSidW, LookupAccountSidW, ImpersonateLoggedOnUser, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenSCManagerW, CloseServiceHandle, OpenServiceW, QueryServiceStatusEx, QueryServiceConfigW, StartServiceW, ControlService, EnumDependentServicesW, DeleteService, CreateServiceW, ChangeServiceConfig2W, ChangeServiceConfigW, SetServiceObjectSecurity, RegGetValueA, DuplicateTokenEx, SetTokenInformation, SetThreadToken, ControlTraceW, StartTraceW, OpenTraceW, CloseTrace, ProcessTrace, EnableTraceEx, RegSaveKeyExW, RegRestoreKeyW, RegGetKeySecurity, RegSetKeySecurity, RegRenameKey, RegOpenCurrentUser, DuplicateToken
    GDI32.dll | GetFontData, RemoveFontResourceW, CreateFontIndirectW, AddFontResourceW, EnumFontFamiliesExW, DeleteObject, GetDeviceCaps, SelectObject
    IPHLPAPI.DLL | GetAdaptersInfo, CreateSortedAddressPairs, FreeMibTable
    KERNEL32.dll | LoadLibraryA, FormatMessageA, GetSystemTimeAsFileTime, GetTickCount64, GetCurrentThreadId, GetUserDefaultLocaleName, IsValidCodePage, WideCharToMultiByte, GetSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, GetCPInfoExW, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, TlsAlloc, TlsFree, FlsGetValue, TlsGetValue, FlsSetValue, TlsSetValue, InitializeSRWLock, GetProcessTimes, TerminateProcess, GetModuleFileNameA, GetShortPathNameA, K32GetModuleFileNameExW, CreateProcessW, FindResourceW, SizeofResource, LoadResource, VerSetConditionMask, VerifyVersionInfoW, OpenProcess, GlobalMemoryStatusEx, GetVersionExW, GetDiskFreeSpaceExW, GetWindowsDirectoryW, CreateFileW, DeviceIoControl, SetErrorMode, GetComputerNameW, MulDiv, FormatMessageW, GetLogicalProcessorInformation, GetNativeSystemInfo, GetSystemDirectoryW, HeapFree, HeapAlloc, GetProcessHeap, WaitForSingleObject, CreateThread, WaitForMultipleObjectsEx, CreateEventExW, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, CloseThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CreateThreadpoolTimer, CloseThreadpoolWait, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, CreateThreadpoolWait, CreateThreadpoolWork, SubmitThreadpoolWork, ReleaseSemaphore, WaitForSingleObjectEx, QueryDepthSList, TryEnterCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeSListHead, InterlockedPushEntrySList, InterlockedPopEntrySList, RtlCaptureStackBackTrace, TzSpecificLocalTimeToSystemTime, OpenEventW, OpenMutexW, GetTempPathW, GetLongPathNameW, ResetEvent, IsDebuggerPresent, GetFileAttributesExW, FindFirstFileExW, MoveFileExW, FindNextFileW, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, WriteFile, ReadFile, SetFilePointerEx, SetEndOfFile, GetFileSizeEx, FlushFileBuffers, LockFileEx, UnlockFileEx, CopyFileExW, GetVolumePathNamesForVolumeNameW, SetFileInformationByHandle, CreateFileMappingW, 
WaitForMultipleObjects, RtlLookupFunctionEntry, RtlVirtualUnwind, GetFileType, SetFilePointer, LockFile, GetOverlappedResult, GetFileAttributesW, GetFileTime, ReplaceFileW, CopyFileW, GetTempFileNameW, GetShortPathNameW, QueryPerformanceCounter, QueryPerformanceFrequency, GlobalFree, GlobalAlloc, CreateFileMappingA, LockResource, SetFileTime, CancelIoEx, GetProcessAffinityMask, CreateWaitableTimerW, SetWaitableTimerEx, CancelWaitableTimer, WerRegisterMemoryBlock, WerUnregisterMemoryBlock, QueryFullProcessImageNameW, CreateIoCompletionPort, PostQueuedCompletionStatus, GetThreadIOPendingFlag, GetCurrentThread, GetQueuedCompletionStatus, lstrlenW, GetStartupInfoW, CreateMemoryResourceNotification, GetSystemPowerStatus, IsSystemResumeAutomatic, QueryUnbiasedInterruptTime, OutputDebugStringW, RtlCaptureContext, CreateMutexW, OpenEventA, CreateEventA, OpenMutexA, CreateMutexA, OpenSemaphoreA, CreateSemaphoreA, OpenFileMappingA, LocalAlloc, LCMapStringEx, LCIDToLocaleName, K32GetProcessMemoryInfo, GetPhysicallyInstalledSystemMemory, GetProductInfo, GetLocalTime, GetLocaleInfoEx, ResolveLocaleName, GetUserPreferredUILanguages, GetACP, GetSystemDefaultLCID, EnumSystemLocalesEx, GetSystemDefaultLocaleName, GetUserGeoID, GetGeoInfoW, GetUserDefaultUILanguage, GetTimeZoneInformation, GetThreadLocale, DeleteFileA, GetTempPathA, FindFirstFileW, lstrcmpW, FlushViewOfFile, GetFullPathNameW, GetPriorityClass, GetExitCodeProcess, K32EnumProcesses, ProcessIdToSessionId, GetVolumeInformationW, GetExitCodeThread, AreFileApisANSI, HeapCreate, GetDiskFreeSpaceW, InitializeCriticalSection, GetFullPathNameA, HeapValidate, HeapSize, GetDiskFreeSpaceA, GetFileAttributesA, GetModuleHandleW, GetSystemInfo, HeapCompact, HeapDestroy, CloseHandle, DeleteTimerQueueTimer, CreateTimerQueueTimer, CreateFileA, GetStringTypeExW, MapViewOfFile, UnlockFile, GetFileSize, GetCurrentProcess, GetModuleHandleExW, GetLastError, CompareStringEx, GetProcAddress, FreeLibrary, UnmapViewOfFile, FindClose, 
LocaleNameToLCID, ReleaseMutex, GetCurrentProcessId, GlobalAddAtomW, GlobalFindAtomW, CreateEventW, SetEvent, DeleteFileW, FlsAlloc, FlsFree, LoadLibraryExA, VirtualQuery, VirtualProtect, InitOnceBeginInitialize, InitOnceComplete, CreateSymbolicLinkW, GetFileInformationByHandleEx, CreateHardLinkW, GetFileInformationByHandle, GetTickCount, Sleep, OutputDebugStringA, QueryActCtxW, CreateActCtxW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, GetDriveTypeW, GetFinalPathNameByHandleW, lstrcmpiW, SetCurrentDirectoryW, GetDateFormatW, GetTimeFormatW, FindActCtxSectionStringW, LoadLibraryW, ActivateActCtx, DeactivateActCtx, SetLastError, RaiseException, LocalFree, GetModuleFileNameW, MultiByteToWideChar, DeleteCriticalSection, InitializeCriticalSectionEx, LoadLibraryExW, ExpandEnvironmentStringsW, IsWow64Process, HeapReAlloc
    OLEAUT32.dll: UnRegisterTypeLib, LoadTypeLib, SysStringLen, GetErrorInfo, SetErrorInfo, RegisterTypeLib, SysFreeString, VariantInit, VariantClear, SysAllocString
    RPCRT4.dll: RpcServerUnregisterIf, RpcRevertToSelf, RpcImpersonateClient, UuidCreate, RpcMgmtWaitServerListen, NdrServerCall2, RpcBindingInqAuthClientW, RpcMgmtStopServerListening, RpcStringBindingComposeW, RpcBindingFromStringBindingW, RpcStringFreeW, RpcServerListen, RpcBindingSetAuthInfoW, RpcBindingFree, RpcMgmtIsServerListening, RpcServerRegisterIf2, RpcServerRegisterAuthInfoW, RpcServerUseProtseqEpW, UuidToStringW
    WS2_32.dll: GetAddrInfoW, WSAStartup, FreeAddrInfoW
    RstrtMgr.DLL: RmShutdown, RmAddFilter, RmRestart, RmStartSession, RmRegisterResources, RmGetList, RmEndSession
    Cabinet.dll
    WINTRUST.dll: WTHelperGetProvSignerFromChain, WTHelperProvDataFromStateData, WinVerifyTrust
    WTSAPI32.dll: WTSFreeMemory, WTSSendMessageW, WTSQueryUserToken, WTSQuerySessionInformationW, WTSEnumerateSessionsW
    SETUPAPI.dll: SetupIterateCabinetW
    VCRUNTIME140_1.dll: __CxxFrameHandler4
    VCRUNTIME140.dll: __std_terminate, strstr, memcpy, _CxxThrowException, __C_specific_handler_noexcept, memchr, memcmp, _purecall, memset, __std_type_info_compare, __RTtypeid, __RTDynamicCast, __std_exception_copy, __C_specific_handler, __std_type_info_name, wcschr, memmove, strchr, wcsrchr, wcsstr, __current_exception_context, __current_exception, __std_exception_destroy
    MSVCP140.dll: ?pubimbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z, ?pubseekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@_JHH@Z, _Mbrtowc, ?_Xbad_alloc@std@@YAXXZ, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ, ?_Syserror_map@std@@YAPEBDH@Z, ?_Winerror_map@std@@YAHH@Z, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?setp@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W0@Z, ?setg@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W00@Z, ?eback@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?egptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?epptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?pptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z, ?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z, ?gptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z, ?pbase@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z, ?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ, ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ, ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?setp@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W00@Z, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, 
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ??Bid@locale@std@@QEAA_KXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?width@ios_base@std@@QEAA_J_J@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?flags@ios_base@std@@QEBAHXZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?good@ios_base@std@@QEBA_NXZ, ?uncaught_exception@std@@YA_NXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?width@ios_base@std@@QEBA_JXZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?exceptions@ios_base@std@@QEAAXH@Z, ?flags@ios_base@std@@QEAAHH@Z, 
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z, ?precision@ios_base@std@@QEAA_J_J@Z, ?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?widen@?$ctype@D@std@@QEBADD@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?narrow@?$ctype@D@std@@QEBADDD@Z, ?is@?$ctype@D@std@@QEBA_NFD@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, _Mtx_lock, ?_Throw_C_error@std@@YAXH@Z, _Mtx_unlock, _Mtx_destroy_in_situ, _Mtx_init_in_situ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, _Thrd_id, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z, ?classic@locale@std@@SAAEBV12@XZ, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ??1facet@locale@std@@MEAA@XZ, ??0facet@locale@std@@IEAA@_K@Z, 
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Incref@facet@locale@std@@UEAAXXZ, ??0id@locale@std@@QEAA@_K@Z, ?tie@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_ostream@_WU?$char_traits@_W@std@@@2@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ, ?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WXZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@I@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@F@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_J@Z, _Xtime_get_ticks, ?_Throw_Cpp_error@std@@YAXH@Z, _Cnd_init_in_situ, _Cnd_destroy_in_situ, _Cnd_broadcast, _Mtx_current_owns, _Cnd_timedwait, _Query_perf_counter, _Query_perf_frequency, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?is@?$ctype@_W@std@@QEBA_NF_W@Z, ??1_Locinfo@std@@QEAA@XZ, ?c_str@?$_Yarn@D@std@@QEBAPEBDXZ, ??0_Locinfo@std@@QEAA@PEBD@Z, ?id@?$ctype@_W@std@@2V0locale@2@A, ?id@?$collate@_W@std@@2V0locale@2@A, _Wcsxfrm, _Wcscoll, ?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?tolower@?$ctype@_W@std@@QEBA_W_W@Z, ?pubsync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?toupper@?$ctype@_W@std@@QEBA_W_W@Z, ?_Xbad_function_call@std@@YAXXZ, ?__ExceptionPtrRethrow@@YAXPEBX@Z, ?__ExceptionPtrDestroy@@YAXPEAX@Z, ?__ExceptionPtrCopy@@YAXPEAXPEBX@Z, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?setf@ios_base@std@@QEAAHH@Z, ?setf@ios_base@std@@QEAAHHH@Z, 
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z, _Thrd_sleep, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Gettrue@_Locinfo@std@@QEBAPEBDXZ, ?_Getfalse@_Locinfo@std@@QEBAPEBDXZ, ?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z, ??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z, _Thrd_join, _Thrd_detach, _Cnd_do_broadcast_at_thread_exit, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ??Bios_base@std@@QEBA_NXZ, ?fail@ios_base@std@@QEBA_NXZ, ??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@G@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@N@Z, ?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ?tellp@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ, ?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA_W_W@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z, 
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?_Random_device@std@@YAIXZ, _Cnd_wait, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAN@Z, ?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ, _Thrd_yield, ?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ, _Mtx_trylock, _Cnd_signal, ?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ, ?_ReportUnobservedException@details@Concurrency@@YAXXZ, ?_Schedule_chore@details@Concurrency@@YAHPEAU_Threadpool_chore@12@@Z, ?_LogWorkItemCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogWorkItemStarted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogTaskExecutionCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogTaskCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogCancelTask@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogScheduleTask@_TaskEventLogger@details@Concurrency@@QEAAX_N@Z, ?_Release_chore@details@Concurrency@@YAXPEAU_Threadpool_chore@12@@Z, ?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ, ?_Capture@_ContextCallback@details@Concurrency@@AEAAXXZ, ?_IsCurrentOriginSTA@_ContextCallback@details@Concurrency@@CA_NXZ, ?_Assign@_ContextCallback@details@Concurrency@@AEAAXPEAX@Z, ?_Reset@_ContextCallback@details@Concurrency@@AEAAXXZ, ?_CallInContext@_ContextCallback@details@Concurrency@@QEBAXV?$function@$$A6AXXZ@std@@_N@Z, ??0task_continuation_context@Concurrency@@AEAA@XZ, ?__ExceptionPtrCreate@@YAXPEAX@Z, ?__ExceptionPtrCurrentException@@YAXPEAX@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_K@Z, 
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z, ?__ExceptionPtrToBool@@YA_NPEBX@Z, ?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z, ?pbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z, ?bad@ios_base@std@@QEBA_NXZ, ?narrow@?$ctype@_W@std@@QEBAD_WD@Z, ?id@?$numpunct@_W@std@@2V0locale@2@A, _Cnd_unregister_at_thread_exit, _Cnd_register_at_thread_exit, ?_Rethrow_future_exception@std@@YAXVexception_ptr@1@@Z, ?_Throw_future_error@std@@YAXAEBVerror_code@1@@Z, ?uncaught_exceptions@std@@YAHXZ, ?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Gninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ, ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ, ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z, ?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, 
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gndec@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ, ?getline@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@PEA_W_J@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z, ?gcount@?$basic_istream@DU?$char_traits@D@std@@@std@@QEBA_JXZ, ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z, ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ, ?sgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEAD_J@Z, ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
    api-ms-win-crt-heap-l1-1-0.dll: _set_new_mode, calloc, _msize, malloc, free, realloc
    api-ms-win-crt-stdio-l1-1-0.dll: __stdio_common_vsnwprintf_s, __stdio_common_vswprintf_s, __stdio_common_vsnprintf_s, __p__commode, _set_fmode, _get_stream_buffer_pointers, fputc, fread, fwrite, fputwc, ungetwc, ungetc, fgetc, fgetwc, fgetpos, __stdio_common_vsprintf_s, __stdio_common_vswprintf, _wfopen_s, fclose, __stdio_common_vsprintf, __stdio_common_vsscanf, fgets, fputs, fflush, setvbuf, fsetpos, _fseeki64, __stdio_common_vswscanf
    api-ms-win-crt-runtime-l1-1-0.dll: _initialize_onexit_table, _register_onexit_function, _crt_atexit, _endthreadex, _seh_filter_exe, _clearfp, _beginthreadex, _set_app_type, _register_thread_local_exe_atexit_callback, abort, _c_exit, terminate, _invalid_parameter_noinfo_noreturn, _cexit, _configure_wide_argv, _exit, exit, _initterm_e, _initterm, _get_wide_winmain_command_line, _errno, _invalid_parameter_noinfo, _initialize_wide_environment
    api-ms-win-crt-string-l1-1-0.dll: iswspace, towlower, strncmp, strcspn, isdigit, iswalpha, _wcsnicmp, wcstok_s, wcscpy_s, wmemcpy_s, _towupper_l, wcsncmp, isxdigit, tolower, wcscmp, isspace, towupper, _stricmp, wcsncat_s, wcsnlen, _wcsicmp, isalnum, wcscat_s, strnlen, strncpy_s, strcmp, wcsncpy_s
    api-ms-win-crt-convert-l1-1-0.dll: _wtol, _itow_s, _ui64toa_s, wcstoll, _i64tow_s, _ui64tow_s, strtol, wcstol, strtod, _ultow_s, strtoull, _wcstoui64, _wtoi64, wcstoull, _wtof, strtoll, _wcstoi64, wcstoul, _wtoi, wcstod
    api-ms-win-crt-time-l1-1-0.dll: _gmtime64_s, _time64, _difftime64, _mktime64, _localtime64_s, wcsftime, clock
    api-ms-win-crt-math-l1-1-0.dll: logf, log10, floor, expf, ceilf, ceil, _dclass, _dsign, round, __setusermatherr, log2, pow
    api-ms-win-crt-locale-l1-1-0.dll: ___lc_codepage_func, __initialize_lconv_for_unsigned_char, _configthreadlocale, _create_locale
    api-ms-win-crt-utility-l1-1-0.dll: srand, rand_s, rand
    api-ms-win-crt-filesystem-l1-1-0.dll: _unlock_file, _lock_file, _wsplitpath_s
    NETAPI32.dll: NetGetJoinInformation, NetApiBufferFree
    ntdll.dll: NtSetInformationKey
    ApiClient.dll: ?QueueTaskItem@@YAJV?$shared_ptr@VORpcClient@@@std@@U_GUID@@@Z, ?KillQueuedProcesses@@YAJV?$shared_ptr@VORpcClient@@@std@@@Z, ?RestartKilledProcesses@@YAJV?$shared_ptr@VORpcClient@@@std@@@Z, ?InvokeProcessKillerEx@@YAJV?$shared_ptr@VORpcClient@@@std@@HHHPEB_W1PEAK@Z, ?InvokeProcessKiller@@YAJV?$shared_ptr@VORpcClient@@@std@@HHHPEB_WPEAK@Z, ?GetClickToRunData@@YAJV?$shared_ptr@VORpcClient@@@std@@HPEB_WPEA_WK@Z, ?PromptUser@@YAJV?$shared_ptr@VORpcClient@@@std@@KPEAKPEB_W@Z, ?RaiseTaskErrorEvent3@@YAJV?$shared_ptr@VORpcClient@@@std@@KKKKPEB_W@Z, ?RaiseTaskToastEvent@@YAJV?$shared_ptr@VORpcClient@@@std@@H@Z, ?RaiseTaskDialogEvent@@YAJV?$shared_ptr@VORpcClient@@@std@@PEB_W1@Z, ?RaiseTaskProgressEvent@@YAJV?$shared_ptr@VORpcClient@@@std@@U_GUID@@K@Z, ?GetServiceVersion@@YAJV?$shared_ptr@VORpcClient@@@std@@PEA_WK@Z, ?GetProcessPoolProcessId@@YAJV?$shared_ptr@VORpcClient@@@std@@PEAK@Z
    Version information (Description: Data)
    InternalName: OfficeClickToRun.exe
    FileVersion: 16.0.14430.20292
    CompanyName: Microsoft Corporation
    LegalTrademarks1: Microsoft is a registered trademark of Microsoft Corporation.
    LegalTrademarks2: Windows is a registered trademark of Microsoft Corporation.
    ProductName: Microsoft Office
    ProductVersion: 16.0.14430.20292
    FileDescription: Microsoft Office Click-to-Run (SxS)
    OriginalFilename: OfficeClickToRun.exe
    Translation: 0x0000 0x04e4
    Language of compilation system: English
    Country where language is spoken: United States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    [CPU usage chart over the analysis run: x-axis 0 to 100 s, y-axis 0 to 100]

    Memory Usage

    [Memory usage chart over the analysis run: x-axis 0 to 100 s, y-axis 0 to 10 MB]

    System Behavior

    Start time: 17:17:23
    Start date: 31/10/2021
    Path: C:\Users\user\Desktop\officeclicktorun.exe
    Wow64 process (32bit): false
    Commandline: 'C:\Users\user\Desktop\officeclicktorun.exe'
    Imagebase: 0x7ff6b5f50000
    File size: 9250688 bytes
    MD5 hash: 77D569AA073D06F3268D1FADD49B2E64
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low

    Disassembly

    Code Analysis