Program did not start
General Info
- File name
-
SKM_C30819111181835.xls
- Verdict
- Malicious activity
- Analysis date
- 12/3/2019, 01:21:29
- OS:
- Windows 10 Professional (build: 16299, 64 bit)
- Tags:
-
macros
ole-embedded
macros-on-open
ta505
- Indicators:
- MIME:
- application/vnd.ms-excel
- File info:
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: CiBQd, Subject: N, Author: NYxaYK, Last Saved By: Administrator, Revision Number: 602, Name of Creating Application: Microsoft Excel, Total Editing Time: 1d+04:31:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Mon Dec 2 20:35:23 2019, Number of Pages: 2, Number of Words: 3929, Number of Characters: 7608, Security: 0
- MD5
-
e64732dbba7c812de3cfd435b5f1f20b
- SHA1
-
98f84376fe5e050c7783d1819fab2e6369503066
- SHA256
-
04c6ce889c9d7e0b4c7d61ecb51f2fdecf3a37ce9892f7a4b6d5d458c8ab4daf
- SSDEEP
-
12288:6EB+Jx9Cjs/39lKf94sGg0SOMwItwmtSp+gW3:tcCjsnKG4wbmtcBE
Software environment set and analysis options
Launch configuration
- Task duration
- 900 seconds
- Additional time used
- 240 seconds
- Fakenet option
- off
- Heavy Evaision option
- on
- MITM proxy
- on
- Route via Tor
- off
- Network geolocation
- off
- Privacy
- Public submission
- Autoconfirmation of UAC
- on
Software preset
- Internet Explorer 11.431.16299.0
KB4103768
- Adobe Acrobat Reader DC MUI (15.007.20033)
- CCleaner (5.35)
- FileZilla Client 3.31.0 (3.31.0)
- Google Chrome (73.0.3683.86)
- Google Update Helper (1.3.33.23)
- Java 8 Update 92 (64-bit) (8.0.920.14)
- Java Auto Updater (2.8.92.14)
- Microsoft Office Professional 2019 - de-de (16.0.12026.20264)
- Microsoft Office Professional 2019 - en-us (16.0.12026.20264)
- Microsoft Office Professional 2019 - es-es (16.0.12026.20264)
- Microsoft Office Professional 2019 - it-it (16.0.12026.20264)
- Microsoft Office Professional 2019 - ja-jp (16.0.12026.20264)
- Microsoft Office Professional 2019 - ko-kr (16.0.12026.20264)
- Microsoft Office Professional 2019 - pt-br (16.0.12026.20264)
- Microsoft Office Professional 2019 - tr-tr (16.0.12026.20264)
- Microsoft Office Professionnel 2019 - fr-fr (16.0.12026.20264)
- Microsoft Office профессиональный 2019 - ru-ru (16.0.12026.20264)
- Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
- Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
- Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
- Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
- Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
- Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
- Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
- Notepad++ (64-bit x64) (7.5.1)
- Office 16 Click-to-Run Extensibility Component (16.0.12026.20264)
- Office 16 Click-to-Run Licensing Component (16.0.12026.20264)
- Office 16 Click-to-Run Localization Component (16.0.12026.20264)
- Opera 12.15 (12.15.1748)
- Skype™ 7.39 (7.39.102)
- Update for Windows 10 for x64-based Systems (KB4023057) (2.19.0.0)
- VLC media player (2.2.6)
- WinRAR 5.60 (64-bit) (5.60.0)
- Windows 10 Upgrade Assistant (1.4.9200.22175)
Hotfixes
- Client LanguagePack Package
- Foundation Package
- InternetExplorer Optional Package
- KB4054022
- KB4055237
- KB4055994
- KB4058043
- KB4078408
- KB4093110
- KB4094276
- KB4103729
- KB4131372
- KB4134661
- LanguageFeatures Basic en us Package
- LanguageFeatures Handwriting en us Package
- LanguageFeatures OCR en us Package
- LanguageFeatures Speech en us Package
- LanguageFeatures TextToSpeech en us Package
- MediaPlayer Package
- Microsoft OneCore ApplicationModel Sync Desktop FOD Package
- NetFx3 OnDemand Package
- ProfessionalEdition
- QuickAssist Package
- RollupFix
Behavior activities
| MALICIOUS | SUSPICIOUS | INFO |
|---|---|---|
Loads dropped or rewritten executable
|
Reads Environment values
|
Creates files in the user directory
|
Static information
TRiD
.xls
|
Microsoft Excel sheet (48%)
.xls
|
Microsoft Excel sheet (alternate) (39.2%)
EXIF
FlashPix
CompObjUserTypeLen:
25
CompObjUserType:
Microsoft Forms 2.0 Form
Title:
CiBQd
Subject:
N
Author:
NYxaYK
LastModifiedBy:
Administrator
RevisionNumber:
602
Software:
Microsoft Excel
TotalEditTime:
1.2 days
CreateDate:
2019:08:30 09:14:50
ModifyDate:
2019:12:02 20:35:23
Pages:
2
Words:
3929
Characters:
7608
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
Bytes:
12777
Lines:
230
Paragraphs:
36
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
Page2
HeadingPairs
null
null
Video and screenshots
Processes
Total processes
99
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
–
+
Specs description
Integrity level
elevation
Task сontains an error
or was rebooted
Process has crashed
Task contains several
apps running
Executable file was
dropped
Debug information is
available
Process was injected
Network attacks were
detected
Application downloaded
the executable file
Actions similar to
stealing personal data
Behavior similar to
exploiting the vulnerability
Inspected object has
sucpicious PE structure
File is detected by
antivirus software
CPU overrun
RAM overrun
Process starts the
services
Process was added to
the startup
Behavior similar to
spam
Low-level access to
the HDD
Probably Tor was used
System was rebooted
Connects to the
network
Known threat
Process information
Click at the process to see the details.
- PID
- 4208
- CMD
- "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\AppData\Local\Temp\SKM_C30819111181835.xls"
- Path
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
- Indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- MEDIUM
- Version:
- Company
- Microsoft Corporation
- Description
- Microsoft Excel
- Version
- 16.0.12026.20264
Modules
| Image |
|---|
| c:\program files\microsoft office\root\office16\excel.exe |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\bcryptprimitives.dll |
| c:\windows\system32\msvcp140.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\gdi32full.dll |
| c:\windows\system32\msvcp_win.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\apphelp.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\kernel.appcore.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\ucrtbase.dll |
| c:\windows\system32\win32u.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\vcruntime140.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\shcore.dll |
| c:\windows\system32\windows.storage.dll |
| c:\windows\system32\kernelbase.dll |
| c:\program files\common files\microsoft shared\clicktorun\c2r64.dll |
| c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\combase.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\powrprof.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\shell32.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso50win32client.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso20win32client.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso30win32client.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso.dll |
| c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso98win32client.dll |
| c:\windows\system32\msi.dll |
| c:\windows\system32\resourcepolicyclient.dll |
| c:\windows\system32\uxtheme.dll |
| c:\windows\system32\winsta.dll |
| c:\windows\system32\dxgi.dll |
| c:\windows\system32\wtsapi32.dll |
| c:\windows\system32\secur32.dll |
| c:\windows\system32\d2d1.dll |
| c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.431_none_46b2c6d3edf81841\gdiplus.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\bcrypt.dll |
| c:\windows\system32\d3d10warp.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso40uiwin32client.dll |
| c:\windows\system32\version.dll |
| c:\windows\system32\dwmapi.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\d3d11.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\rmclient.dll |
| c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll |
| c:\windows\system32\wbem\wbemprox.dll |
| c:\windows\system32\dwrite.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\wintypes.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\winhttp.dll |
| c:\windows\system32\wbemcomn.dll |
| c:\windows\system32\ondemandconnroutehelper.dll |
| c:\windows\system32\twinapi.appcore.dll |
| c:\windows\system32\cryptbase.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\riched20.dll |
| c:\windows\system32\npmproxy.dll |
| c:\windows\system32\mscoree.dll |
| c:\windows\system32\netprofm.dll |
| c:\windows\system32\nsi.dll |
| c:\windows\system32\dhcpcsvc6.dll |
| c:\windows\system32\winnsi.dll |
| c:\windows\system32\ws2_32.dll |
| c:\windows\system32\dhcpcsvc.dll |
| c:\windows\system32\windows.security.authentication.web.core.dll |
| c:\windows\system32\normaliz.dll |
| c:\windows\system32\mswsock.dll |
| c:\program files\microsoft office\root\office16\msoaria.dll |
| c:\windows\system32\iphlpapi.dll |
| c:\windows\system32\wininet.dll |
| c:\windows\system32\imagehlp.dll |
| c:\windows\system32\wbem\fastprox.dll |
| c:\windows\system32\sppc.dll |
| c:\windows\system32\urlmon.dll |
| c:\windows\system32\schannel.dll |
| c:\program files\microsoft office\root\office16\oart.dll |
| c:\windows\system32\wbem\wbemsvc.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\xmllite.dll |
| c:\windows\system32\webio.dll |
| c:\windows\system32\msiso.dll |
| c:\windows\system32\dnsapi.dll |
| c:\windows\system32\fwpuclnt.dll |
| c:\windows\system32\cabinet.dll |
| c:\windows\system32\rasadhlp.dll |
| c:\windows\system32\coremessaging.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\ntasn1.dll |
| c:\windows\system32\twinapi.dll |
| c:\windows\system32\coreuicomponents.dll |
| c:\windows\system32\mskeyprotect.dll |
| c:\windows\system32\textinputframework.dll |
| c:\windows\system32\ncrypt.dll |
| c:\windows\system32\ncryptsslp.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\gpapi.dll |
| c:\windows\system32\webservices.dll |
| c:\windows\system32\dpapi.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\adal.dll |
| c:\windows\system32\netapi32.dll |
| c:\windows\system32\netutils.dll |
| c:\windows\system32\msvcp110_win.dll |
| c:\windows\system32\wkscli.dll |
| c:\windows\system32\cryptnet.dll |
| c:\windows\system32\dsreg.dll |
| c:\windows\system32\aepic.dll |
| c:\windows\system32\propsys.dll |
| c:\windows\system32\mpr.dll |
| c:\program files\microsoft office\root\office16\msohev.dll |
| c:\windows\system32\fltlib.dll |
| c:\windows\system32\mlang.dll |
| c:\windows\system32\cldapi.dll |
| c:\windows\system32\explorerframe.dll |
| c:\windows\system32\msxml6.dll |
| c:\windows\system32\uiautomationcore.dll |
| c:\windows\system32\windows.staterepositoryps.dll |
| c:\windows\system32\wintrust.dll |
| c:\windows\system32\coml2.dll |
| c:\windows\system32\msimg32.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll |
| c:\windows\system32\srpapi.dll |
| c:\program files\microsoft office\root\vfs\system\msvcr100.dll |
| c:\windows\system32\slc.dll |
| c:\program files\microsoft office\root\office16\gfx.dll |
| c:\program files\microsoft office\root\office16\gkexcel.dll |
| c:\program files\microsoft office\root\vfs\system\fm20.dll |
| c:\windows\system32\bcp47langs.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msptls.dll |
| c:\windows\system32\sxs.dll |
| c:\windows\system32\d3d10_1.dll |
| c:\windows\system32\dcomp.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbe7intl.dll |
| c:\windows\system32\directmanipulation.dll |
| c:\windows\system32\windowscodecs.dll |
| c:\windows\system32\dataexchange.dll |
| c:\windows\system32\d3d10_1core.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\windows.globalization.dll |
| c:\windows\system32\globinputhost.dll |
| c:\windows\system32\windows.security.authentication.onlineid.dll |
| c:\program files\microsoft office\root\office16\chart.dll |
| c:\windows\system32\windows.networking.connectivity.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeuires.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbeuiintl.dll |
| c:\windows\system32\wshom.ocx |
| c:\windows\system32\scrrun.dll |
| c:\windows\system32\onecoreuapcommonproxystub.dll |
| c:\windows\system32\oleacc.dll |
| c:\program files\microsoft office\root\vfs\system\fm20enu.dll |
| c:\windows\system32\asycfilt.dll |
| c:\windows\system32\elscore.dll |
| c:\windows\system32\onecorecommonproxystub.dll |
| c:\windows\system32\packager.dll |
| c:\windows\system32\appresolver.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\shdocvw.dll |
| c:\windows\system32\dui70.dll |
| c:\windows\system32\winshfhc.dll |
| c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.431_none_887985224abb0026\comctl32.dll |
| c:\windows\system32\chartv.dll |
| c:\program files\winrar\rarext.dll |
| c:\windows\system32\zipfldr.dll |
| c:\windows\system32\edputil.dll |
| c:\windows\system32\atlthunk.dll |
| c:\windows\system32\wdscore.dll |
| c:\windows\system32\duser.dll |
| c:\users\admin\appdata\roaming\microsoft\windows\templates\rtdt.dll |
- PID
- 1240
- CMD
- C:\WINDOWS\splwow64.exe 8192
- Path
- C:\WINDOWS\splwow64.exe
- Indicators
- No indicators
- Parent process
- EXCEL.EXE
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- Print driver host for applications
- Version
- 10.0.16299.15 (WinBuild.160101.0800)
Modules
| Image |
|---|
| c:\windows\system32\gdi32full.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\powrprof.dll |
| c:\windows\system32\dwmapi.dll |
| c:\windows\system32\msvcp_win.dll |
| c:\windows\system32\sxs.dll |
| c:\windows\system32\driverstore\filerepository\prnms003.inf_amd64_4592475aca2acf83\amd64\printconfig.dll |
| c:\windows\system32\version.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\msiso.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\msxml6.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\bcryptprimitives.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\ucrtbase.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\imagehlp.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\win32u.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\splwow64.exe |
| c:\windows\system32\combase.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\prntvpt.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoxmlmf.dll |
| c:\windows\system32\shcore.dll |
| c:\windows\system32\vcruntime140.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\kernel.appcore.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\iphlpapi.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\windows.storage.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\jscript.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\uxtheme.dll |
| c:\windows\system32\printisolationproxy.dll |
| c:\windows\system32\amsi.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\bcrypt.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\urlmon.dll |
Registry activity
Total events
2113
Read events
1706
Write events
358
Delete events
49
Modification events
PID
Process
Operation
Key
Name
Value
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D6C6C
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
1
01D014000000001000284FFA2E01000000000000000400000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\4208
0
0B0E103A6D74DCB9E66F4A83DB99A51B9CE2E0230046D999AEF0FAADEAEA016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E226D2B484F4D616659574A5464337373702B3165327141506A326C775347586F6C4A7635624B6E337449506B3D2200
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
es-es
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
de-de
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
fr-fr
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
it-it
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ja-jp
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ko-kr
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
pt-br
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ru-ru
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
tr-tr
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
de-de
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
es-es
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
fr-fr
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
it-it
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ja-jp
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ko-kr
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
pt-br
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ru-ru
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
tr-tr
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
$1:
24313A0070100000010000000000000054B231AE6FA9D50100000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
41:
34313A00701000000000044001000000121434AE6FA9D501D20600003A6D74DCB9E66F4A83DB99A51B9CE2E0121434AE6FA9D5010000000000001000284FFA2E000000000600000020007B000200000000000000000000000000556E6B6E6F776E00000000000000000000000000000000000000000000000000000000000000000000000000000000000DF0ADDE0DF0ADDE0DF0ADDE0DF0ADDE440045004600410055004C00540000000000FFA445020000D289A1D8FD7F000040000000450200000000000045020000A0D0FCA645020000C8F00F0CB900000040A9F8A64502000058F10F0CB900000058F70F0CB900000080F40F0CB900000060CCE1A64502000058F10F0CB900000018F40F0CB900000060CCE1A64502000080F40F0CB9000000340000C00000000058F70F0CB900000058F70F0CB900000090F10F0CB90000009040FCA6450200007040FCA6450200005C0EACB9FD7F00000000000000000000C31EACB9FD7F0000D0CCF8A6450200008A289CB9FD7F0000FEFFFFFFFFFFFFFF9040FCA64502000000CCE1A64502000060CCE1A64502000060CCE1A645020000CE25ACB9FD7F0000B08D01A7450200007040FCA64502000068CDE1A645020000D8CCE1A645020000FEFFFFFFFFFFFFFFE865B4B9FD7F0000FEFFFFFFFFFFFFFF40CDE1A6450200000000000000000000DB01ABB9FD7F000050F10F0CB900000090F10F0CB900000058F70F0CB9000000998EC09A0B23E847D0CCF8A6450200008A289CB9FD7F0000000000000200000060CCE1A64502000090CEF8A645020000D0CCF8A64502000048030000000000001562A9B9FD7F0000B0F10F0CB900000066F59BB9FD7F0000D0CCF8A6450200006380AAB9FD7F0000000000000000000078F10F0CB9000000FEFFFFFFFFFFFFFF96759BB9FD7F00000000000000000000440045004600410055004C00540000004403000000000000C012F2A44502000000000000FD7F00000000F2A44502000090A9F8A64502000080F40F0CB900000090000000FD7F000018F40F0CB900000044030000000000000000000000000000C00CF2A4450200000000FFA4450200009CBBA1D8FD7F0000F006000000000000000000000000000000000000000000001C0000000000000000000000000000007668A1D8FD7F0000000000000000000000000000000000000000FFA44502000001000000FD7F00000000000000000000800DF6A64502000010000000000000007E000000360200000000000045020000700DF6A645020000700DF6A645020000FF030000000000008000000000000000F0030000000000008F000000000000008F000000000000008F000000000000000000000000000000030000000000000060F70F0CB900000040F40F0CB90000000496ADB9FD7F0000493CFFFF6D00000008F40F0C48FEFFFF030000000000000084B5FFA4450200005001FFA445020000FE0000000000000010D7F8A645020000F61FACB9FD7F0000BCB5FFA4450200008F00000000000000FEFFFFFFFFFFFFFFBF9AADB9FD7F0000B0F30F0CB900000066F59BB9FD7F00000000000045020000F800FED7FD7F000000F80F0CB9000000F00600000000000000000000000000009D01A1D8FD7F00008F000000000000001600000000000000440045004600410055004C0054000000907106D8FD7F000002000002FD7F000018F50F0CB90000000000000000000000462841B5FD7F0000B60200B4FD7F0000010000000000000026C408EA0000000081F40F0CB900000002000002FD7F000040A9F8A645020000000000004502000081F40F0CB90000000100000000000000340000C0B9000000B60200B4FD7F0000D084B5B9FD7F0000A884B5B9FD7F00005020FCA645020000D0CCE1A645020000407A2BB2FD7F0000A0D0FCA64502000000000000000000000000000000000000407A2BB2FD7F000000000000000000006F00000000000000F0060000000000000000FFA445020000AB8EA1D8FD7F00000000FFA44502000002000000FD7F0000E006000000000000F0060000000000008806FFA44502000078F40F0CB900000010D7F8A64502000003000000FD7F000010D7F8A64502000010D7F8A64502000018000000000000007668A1D8FD7F000040A9F8A645020000D67B33B6FD7F00000000000000000000658BA7B9FD7F0000A0D0FCA645020000D67B33B6FD7F00003088AFB2FD7F00000100000000000000407A2BB2FD7F000000000000000000000800000000000000CB85D0B4FD7F0000F00DF6A645020000E00600000000000020F90F0CB90000000000000000000000800DF6A645020000A37CD0B4FD7F0000900DF6A64502000020F90F0CB900000094A1A5B160B00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034003800
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common
SessionId
1C217356E59DBC40961A14A173C4B9C4
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E
LanguageList
en-US
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.12026&crev=3\0
FilePath
officeclient.microsoft.com\68841F51-88A6-4DEB-BE82-49620921B1D8
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.12026&crev=3\0
StartDate
3072BDAF6FA9D501
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.12026&crev=3\0
EndDate
303227DA38AAD501
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache
LastClean
209EC4AF6FA9D501
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
2
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
Categories
06020000170200000B020000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
4
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
Categories
57020000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
4
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
Categories
BF010000CD030000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
5804129,17846737,18409363,17696988,8758344,17339781,17634580,7668685,18658649,18375312,18948102,7214608,18428691,9319450,17126295,18658648,17322183,18384724,5850062,18658650,18674530,18637650,16920930,20789191,17311449,17698821,18409416,7668686,22131214,18948101,7398615,19978122,20026645,17182941,7668692,18711811,22131171,7440607,19153728,17182981,17182942,4859234,18384801,25514583,17322188,17331930,19543138,5601374,17146274,7668683,5898847,8263521,5850584,17622912,8254547,22070208,23729926,18633496,17182980,8988293,18474530,8697678,17922253,4317338,7649375,17372928,21030619,16859363,6636695,17322181,9176926,17956946,5850122,24466059,8448079,6366290,5850463,6690465,17064074,7649377,5850305,5850582,17425358,19223073,8709129,8750272,18917267,5898845,17182979,6166345,17846738,17885409,17182943,23729931,7459348,17322184,6636694,5850583,22131201,17846749,7218753,8430030,5810308,17182982,18970382,22595280,5850061,5898851,17331926,17331923,7668682,7668681,17846753,17698820,7668693,17331927,17846750,17331929,17127502,6137435,6170083,23459486,17127501,17698822,8988294,17846730,17106064,17698823,17846747,17846734,7398614,18948169,22853700,17110992,17846735,17846748,17846736,19261452,19261450,19261453,19261451,6341763,7116053,6366291,18716634,17610659,18716635,17372899,17914001,17102418,18917269,6029780,8750242,17913997,17913998,17913999,17914000,4289286,7463684,17914002,17914003,22872910,5898849,24466061,17962391,5898880,8433728,5898881,5898884,22929427,8701660,18917328,18917326,18949600,18917268,17578125,18917271,22131169,18917330,18949601,25514584,18970383,22595279,22131208,17322179,18208672,22131207,17127511,22131213,8750241,22853699,5850525,22929425,5587867,23414153,4564173,17127509,16815750,18208656,7690258,8263520,22083550,7690253,22872911,7463105,18647262,19978123,25514585,17962392,5601367,25514582,7966755,6647824,17573643,7868952,17445651,17106059,17445650,17106060,17106065,17106063,19744898,17962113,18625879,36467677,19531353,5601379,7202269,23978014,7168707,6059089,5601366,17110988,8709120,18441314,8747207,17311443,18208657,19174148,22349186,9037324,18633497,17311450,8996805,4859233,17969938,18208715,18208705,18208658,17311446,8709078,8709086,8709089,18621250,8709081,20248016,16860185,8750274,7214607,16843347,17339214,20489431,17618826,18384725,7690256,19744899,19732354,5888003,36467808,19732353,7690254,19543137,18375313,18384802,18647260,18647259,18647261,20026646,7657413,7649378,7657414,17842627,8447777,16815754,18970381,19198081,17045407,17045408,8430031,8254544,6301592,17425365,24131419,17322180,17322182,17322187,22929429,8758345,36292435
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
827 15,1001 15,1000 15,999 15,226 15,1282 50,1338 50,1338 10,1249 10,1039 15,998 15,1282 10,831 15,1249 15,1338 15,1282 15,829 15,1128 15,291 15,1622 50,850 15,828 15,830 15,1255 15,974 15,670 15,671 15,1002 15,669 15,70 50,2086 15,2087 15,2088 15
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSAllCategories
10
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
CountryCode
std::wstring|GB
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
DC00000000000000803A090041060100010001000000000000000000000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101002C0100008403000080510100050000000500000005000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
DC00000000000000803A0900E3070C00020003000000160003008A03000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101002C0100008403000080510100050000000500000005000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\excel
BuildNumber
16.0.12026
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
Expires
int64_t|0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastSyncTime
E3070C0002000300000016000300B903
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastWriteTime
E3070C0002000300000016000300B903
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|3
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|4
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|5
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Fonts
CloudFontsVersion
4
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|6
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|7
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|8
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|9
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|10
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|11
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|12
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|13
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|14
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
0.15
506C6174666F726D2E50726576656E74546162466C69636B6572222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E50726976616379436F6E73656E744469616C6F672E44697361626C6543616E63656C427574746F6E222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E507269766163794E6F74696365436F6E73756D6572446C67222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E5072697661637953657474696E67734469616C6F67456E61626C6564222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E53656E6454656C656D657472794F7074696F6E2E53686F77466972737452756E50726F6D7074222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E53656E6454656C656D657472794F7074696F6E2E536B6970496E6E657252696E67436865636B222C20225622203A2022626F6F6C7C3022207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E53686F77416363436865636B657250616E654261636B67726F756E645363616E6E696E674F7074696F6E222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E53686F77416363436865636B65725374617475734261725465616368696E6743616C6C6F7574222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E53686F7750726976616379436F6E74726F6C73496E4261636B7374616765222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E54616262656450616E65734B6579626F617264696E67222C20225622203A2022626F6F6C7C3022207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E5468656D696E672E4578706C696369746C7952657061696E7441707057696E646F77734F6E5468656D654368616E6765222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E5468656D696E672E4D696453657373696F6E5468656D65526F616D696E672E57696E3332222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E5468656D696E672E5573654E65774F6D5468656D654368616E67656448616E646C6572222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E5558506C6174666F726D2E557365466F6E7449636F6E73466F7243617074696F6E436F6E74726F6C73222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E57686174734E65772E454353446174614C6F61646564222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E416464436865636B466F72496E6B4F7245726173657252656164696E657373222C20225622203A2022626F6F6C7C3022207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E426C6F636B4B6579626F6172645768656E496E6B696E674F7245726173696E67222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D3130304B42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D3130304D42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D31304D42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D314742416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D314D42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D3530304B42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D3530304D42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D35304D42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D354D42416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E4275666665724F6F6D5265616C6C79426967416374696F6E222C20225622203A2022696E7433325F747C3322207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E456E61626C655061747465726E73496E41746E74786E64222C20225622203A2022626F6F6C7C3122207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E46416363446973706F7365222C20225622203A2022626F6F6C7C3022207D2C207B20224622203A20224D6963726F736F66742E4F66666963652E576F72642E576F72642E436C6F736557696E646F774F6E576D456E6453657373696F6E222C20225622203A2022626F6F6C7C3022207D205D207D
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|15
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
VersionId
uint16_t|0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
ETag
std::wstring|"qWbXYMn5E7RBQwCIw3e9ApubaPzh6COXJ4MCwdBvCWM="
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
Expires
int64_t|1575336123
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\4208
0
0B0E103A6D74DCB9E66F4A83DB99A51B9CE2E0230046D999AEF0FAADEAEA016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E2271576258594D6E354537524251774349773365394170756261507A6836434F584A344D437764427643574D3D2200
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Licensing\CachedLicenseData
excel.exe
02E0C11717D3479948A6D31022DB7415E01000000000000000300034003100310031002D003000380033002D00300034003300370032003900000001000000010000000600000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
!:
20213A0070100000000000400100000083A8B0B06FA9D5018400000002000000740000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0073006B006D005F006300330030003800310039003100310031003100380031003800330035002E0078006C007300000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
2D5181
04000000701000003900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004B004D005F004300330030003800310039003100310031003100380031003800330035002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000C084B0B06FA9D50181512D0081512D0000000000E0020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
2D5181
04000000701000003900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004B004D005F004300330030003800310039003100310031003100380031003800330035002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000C084B0B06FA9D50181512D0081512D0000000000E0020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel
ImmersiveWorkbookDirtySentinel
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel
ImmersiveWorkbookDirtySentinel
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSForms
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSComctlLib
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\VBA\Forms3\Controls
EnableActiveXControlArchitetureIndependent
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\VBA\Forms3\Controls
EnableActiveXControlMSWebBrowserArchiteturePersistenceIssue
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
2D5181
04000000701000003900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004B004D005F004300330030003800310039003100310031003100380031003800330035002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000000000000C084B0B06FA9D50181512D0081512D0000000000E0020000001800000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5828
2D5828
04000000701000003900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0053004B004D005F004300330030003800310039003100310031003100380031003800330035002E0078006C007300000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000001000000962728A66FA9D50128582D0028582D0000000000E00200006E0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0
Microsoft Forms 2.0 Object Library
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0\FLAGS
6
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\VBE
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
FOLDERID_Desktop
C:\Users\admin\Desktop\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
FOLDERID_Documents
C:\Users\admin\Documents\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
FOLDERID_Desktop
C:\Users\admin\Desktop\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
FOLDERID_Documents
C:\Users\admin\Documents\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
LastBootTime
0000000000000000
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E
@%SystemRoot%\System32\urlmon.dll,-4200
Open File - Security Warning
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
LastBootTime
129FE55D00000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D6C6C
2D6C6C
04000000701000002A00000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C007600640073002E0078006C0073007800000000002200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C000100000001000000DD4EC7B46FA9D5016C6C2D006C6C2D0000000000E0020000640000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E3070C0002000300000016000E00380100000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasLocalSaveDocument_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
TimeToNextcall
2019-12-04T00:22:15Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
Provider
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
ShouldShowBadging
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
TimeToNextcall
2019-12-04T00:22:16Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_InAppPurchase_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
TimeToNextcall
2019-12-04T00:22:45Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasOutSpaceSaveAs_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
TimeToNextcall
2019-12-04T00:22:45Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasBoot_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
TimeToNextcall
2019-12-04T00:22:45Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents
LastPurgeTime
26255543
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\RulesLastAudienceReported
excel.exe
Production
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
17846737,5804129,17696988,18409363,17339781,8758344,17634580,18375312,18658649,7668685,18948102,18428691,7214608,9319450,17126295,18658648,17322183,5850062,18384724,18658650,18637650,18674530,20789191,16920930,17311449,17698821,18409416,7668686,22131214,18948101,7398615,20026645,19978122,17182941,7668692,7440607,22131171,18711811,19153728,17182981,17182942,4859234,25514583,18384801,17322188,17331930,5601374,19543138,17146274,7668683,5898847,17622912,5850584,8263521,8254547,22070208,18633496,23729926,17182980,8988293,18474530,8697678,17922253,7649375,4317338,17372928,21030619,16859363,6636695,17322181,9176926,24466059,5850122,17956946,6366290,8448079,5850463,6690465,7649377,17064074,5850305,5850582,17425358,8750272,8709129,19223073,5898845,18917267,17182979,6166345,17885409,17846738,17182943,23729931,17322184,7459348,6636694,5850583,22131201,8430030,7218753,17846749,5810308,17182982,18970382,22595280,5850061,5898851,17331926,7668682,17331923,7668681,17698820,17846753,7668693,17331927,17846750,17331929,17127502,6137435,23459486,6170083,17127501,17698822,8988294,17106064,17846730,17698823,17846747,17846734,7398614,17110992,22853700,18948169,17846735,17846748,17846736,19261452,19261450,19261453,19261451,6341763,7116053,6366291,17610659,18716634,18716635,17372899,17102418,17914001,18917269,6029780,8750242,17913997,17913998,17913999,4289286,17914000,7463684,17914002,17914003,5898849,22872910,17962391,24466061,8433728,5898880,5898881,5898884,22929427,8701660,18917328,18917326,18949600,17578125,18917268,18917271,22131169,18917330,18970383,25514584,18949601,22595279,17322179,22131208,18208672,22131207,17127511,22131213,8750241,22853699,5850525,5587867,22929425,4564173,23414153,17127509,18208656,16815750,7690258,8263520,22083550,7463105,22872911,7690253,19978123,18647262,25514585,5601367,17962392,7966755,25514582,6647824,17573643,7868952,17445651,17106059,17445650,17106060,17106065,17106063,17962113,19744898,18625879,19531353,36467677,5601379,7202269,23978014,7168707,6059089,17110988,5601366,8709120,18441314,17311443,8747207,19174148,18208657,22349186,17311450,18633497,9037324,8996805,4859233,17969938,18208715,18208705,18208658,17311446,8709078,8709086,8709089,18621250,8709081,20248016,16860185,7214607,8750274,16843347,20489431,17339214,17618826,18384725,7690256,19744899,19732354,5888003,19732353,36467808,7690254,19543137,18375313,18384802,18647260,18647259,18647261,20026646,7657413,7649378,7657414,17842627,8447777,16815754,18970381,19198081,17045407,17045408,8430031,8254544,6301592,17425365,24131419,17322180,17322182,17322187,22929429,8758345,36292435
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
827 15,1001 15,1000 15,1282 50,226 15,999 15,1338 50,1338 10,1249 10,998 15,1039 15,831 15,1282 10,1249 15,1338 15,1282 15,829 15,1128 15,291 15,850 15,1622 50,828 15,1255 15,830 15,974 15,670 15,671 15,1002 15,669 15,70 50,2086 15,2087 15,2088 15
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General
LastAutoSavePurgeTime
26255547
Files activity
Executable files
1
Suspicious files
5
Text files
4
Unknown types
6
Dropped files
PID
Process
Filename
Type
4208
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\rtdt.dll
executable
MD5:
5363ce18b4052ecea9bf805f9f6dbdd3
SHA256:
1ac115a67bff6cd95a7150651807e8ffe5b67c3ada7897138ee2d01a4c7dd3b9
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\VB65E5.tmp
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\vds.xlsx.zip
document
MD5:
e086b75e082ca291ea2b5054f6db6cb6
SHA256:
388624acc1c29bffe623bd200bddb0f73c0375c8cb0c96ba208344567fb8f4d9
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF174B2BFD28BB847C.TMP
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~$vds.xlsx
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF8BB14BC035E16D81.TMP
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\vds.xlsx
document
MD5:
e086b75e082ca291ea2b5054f6db6cb6
SHA256:
388624acc1c29bffe623bd200bddb0f73c0375c8cb0c96ba208344567fb8f4d9
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\786D2000
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\msohtmlclip1_PendingDelete
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFA9806757755F8C1B.TMP
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\{0D245EA2-BC87-403A-B9BF-C27B6F6F1F07}\basecamp:Zone.Identifier
text
MD5:
fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256:
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\{0D245EA2-BC87-403A-B9BF-C27B6F6F1F07}\basecamp
binary
MD5:
280443000c5e43d396564fc40531e1c8
SHA256:
75003cf7e3d731fd62d3f643f6db95636f16d62e2f85c283a33b088e7890505b
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\VB65E4.tmp
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\68841F51-88A6-4DEB-BE82-49620921B1D8
xml
MD5:
2c43afc5d2e86cce9c444ac23b382b09
SHA256:
a52ebebba5ec32b22b7938dac78cf6f731e97382c8d82a6c85eebedc70599f59
4208
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
binary
MD5:
4fcb2a3ee025e4a10d21e1b154873fe2
SHA256:
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
4208
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GX40DJG9L5N7WTGHV33S.temp
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF901CDE733F9959AE.TMP
––
MD5:
––
SHA256:
––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
tlb
MD5:
46060c4cc8c01fe4ba73b1c35b5535b7
SHA256:
65617b6b687dfc62c9f36d8504f8f3bb419ad10e1ffbee33c7a1e2ebd10fdabe
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\.ses
text
MD5:
6c4f4ee37113ff82723bcd1b080f7e70
SHA256:
2d4835b6a2dcf333fe3b26ce3d1db7d342500b647ef8759485ba7f0fab895daf
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6B1C85E9.emf
emf
MD5:
e16a806016925395cf510111f1179b15
SHA256:
31cf4f12d4d843f5e6e41bee96d21ed86a3e3dd5833d531e81efe75b088c33f3
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\95FACB88.emf
emf
MD5:
ecfc0cc69f9cb85f62dfc41be72ff0ec
SHA256:
a4c6a04ae687275f4db5de808ba38af076de12f20cbaaa00eadaa86855814af3
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A81506E3.emf
emf
MD5:
a361b3ba419228dd028adb2645693cf7
SHA256:
ba332eeae5b3584ae1c4359744deaf51b2944704753d6294b57c44c3752657ff
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D44BFBEA.emf
emf
MD5:
4c8c0801326f0c962e87b206d8ef52f1
SHA256:
de413f2bf420c5ab089a382f414e355c874924e07297d2167fcd963f446197e0
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_9.ttf
pi2
MD5:
a0a989f2e6a7b7edbe7cc64ec77e3829
SHA256:
f0338a27d7ce3a39ee72a3333bfbc656517010a4fa8e526ccb89e47c71451f37
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
text
MD5:
da0bd83a887299f6a4a2b5acf6c88af1
SHA256:
4339ef6fc484d48533e9da01ab8016b060f3c378c63ed58ee5ffd869121fc362
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\oleObject1.bin
binary
MD5:
c69e9dd0302d34af7961e115121f05fd
SHA256:
0249680033faadfd7f027e904911c9e0186f8f589ca96f6799fd1bc1c93cbfc4
Network activity
HTTP(S) requests
19
TCP/UDP connections
31
DNS requests
18
Threats
0
HTTP requests
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4208 | EXCEL.EXE | GET | 200 | 52.109.76.6:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.12026&crev=3 | IE |
xml
|
|
whitelisted |
| 4208 | EXCEL.EXE | GET | 200 | 2.18.232.120:443 | https://fs.microsoft.com/fs/4.9/flatFontAssets.pkg | unknown |
compressed
|
|
whitelisted |
| 4208 | EXCEL.EXE | POST | 200 | 52.109.88.10:443 | https://roaming.officeapps.live.com/rs/RoamingSoapService.svc | NL |
text
text
|
|
whitelisted |
| 4208 | EXCEL.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7d&LabMachine=false | US |
text
|
|
whitelisted |
| –– | –– | POST | 200 | 40.90.22.184:443 | https://login.live.com/RST2.srf | US |
xml
xml
|
|
whitelisted |
| –– | –– | POST | 400 | 40.90.22.184:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US |
text
text
|
|
whitelisted |
| –– | –– | POST | 400 | 40.90.22.184:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US |
text
text
|
|
whitelisted |
| –– | –– | POST | 400 | 40.90.22.184:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US |
text
text
|
|
whitelisted |
| –– | –– | POST | 400 | 40.90.22.184:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US |
text
text
|
|
whitelisted |
| 4208 | EXCEL.EXE | POST | –– | 52.114.132.74:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | US |
binary
––
|
––
|
whitelisted |
| 4208 | EXCEL.EXE | POST | –– | 172.104.91.16:443 | https://live-en.com/1111 | JP |
text
––
|
––
|
malicious |
| 4208 | EXCEL.EXE | GET | 200 | 52.109.52.36:443 | https://messaging.office.com/lifecycle/legacygetcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.12026&lc=en-US&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofaa1msspvo2xw31%2Cofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D | JP |
xml
|
|
whitelisted |
| 4208 | EXCEL.EXE | GET | –– | 52.109.52.36:443 | https://messaging.office.com/lifecycle/legacygetcustommessage16?app=1&ui=en-US&src=Office_CanvasLocalSaveDocument_Win32&messagetype=Canvas&hwid=04111-083-043729&ver=16.0.12026&lc=en-US&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofaa1msspvo2xw31%2Cofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D | JP |
––
|
––
|
whitelisted |
| –– | –– | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown |
der
|
|
whitelisted |
| –– | –– | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/Microsoft%20Code%20Signing%20PCA(2).crl | unknown |
der
|
|
whitelisted |
| –– | –– | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown |
der
|
|
whitelisted |
| –– | –– | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown |
der
|
|
whitelisted |
| –– | –– | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown |
der
|
|
whitelisted |
| –– | –– | GET | 200 | 2.21.38.54:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | FR |
der
|
|
whitelisted |
Connections
| PID | Process | IP | ASN | CN | Reputation |
|---|---|---|---|---|---|
| 4208 | EXCEL.EXE | 52.109.76.6:443 | Microsoft Corporation | IE | whitelisted |
| 4208 | EXCEL.EXE | 52.109.88.10:443 | Microsoft Corporation | NL | whitelisted |
| 4208 | EXCEL.EXE | 2.18.232.120:443 | Akamai International B.V. | –– | whitelisted |
| 4208 | EXCEL.EXE | 13.107.3.128:443 | Microsoft Corporation | US | whitelisted |
| –– | –– | 40.90.22.184:443 | Microsoft Corporation | US | unknown |
| 4208 | EXCEL.EXE | 52.114.132.74:443 | Microsoft Corporation | US | unknown |
| 4208 | EXCEL.EXE | 172.104.91.16:443 | Linode, LLC | JP | malicious |
| 4208 | EXCEL.EXE | 52.109.52.36:443 | Microsoft Corporation | JP | unknown |
| 4208 | EXCEL.EXE | 52.109.76.31:443 | Microsoft Corporation | IE | whitelisted |
| –– | –– | 2.16.186.74:80 | Akamai International B.V. | –– | whitelisted |
| –– | –– | 2.21.38.54:80 | GTT Communications Inc. | FR | malicious |
| –– | –– | 40.90.22.190:443 | Microsoft Corporation | US | unknown |
DNS requests
| Domain | IP | Reputation |
|---|---|---|
| self.events.data.microsoft.com | 52.114.132.74
|
whitelisted |
| officeclient.microsoft.com | 52.109.76.6
|
whitelisted |
| fs.microsoft.com | 2.18.232.120
|
whitelisted |
| roaming.officeapps.live.com | 52.109.88.10
|
whitelisted |
| config.edge.skype.com | 13.107.3.128
|
whitelisted |
| login.live.com | 40.90.22.184
40.90.22.192 40.90.22.188 |
whitelisted |
| live-en.com | 172.104.91.16
|
malicious |
| messaging.office.com | 52.109.52.36
|
whitelisted |
| nexusrules.officeapps.live.com | 52.109.76.31
|
whitelisted |
| dns.msftncsi.com | 131.107.255.255
|
whitelisted |
| www.microsoft.com | 2.21.38.54
|
whitelisted |
| crl.microsoft.com | 2.16.186.120
2.16.186.74 |
whitelisted |
| ocsp.verisign.com | 23.37.43.27
|
whitelisted |
Debug output strings
No debug info.