General Info

File name

SKM_C30819111181835.xls

Full analysis
https://app.any.run/tasks/32683a2b-4a5c-4c28-986a-7b5e7f46b5e6
Verdict
Malicious activity
Analysis date
12/3/2019, 01:21:29
OS:
Windows 10 Professional (build: 16299, 64 bit)
Tags:

macros

ole-embedded

macros-on-open

ta505

Indicators:

MIME:
application/vnd.ms-excel
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: CiBQd, Subject: N, Author: NYxaYK, Last Saved By: Administrator, Revision Number: 602, Name of Creating Application: Microsoft Excel, Total Editing Time: 1d+04:31:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Mon Dec 2 20:35:23 2019, Number of Pages: 2, Number of Words: 3929, Number of Characters: 7608, Security: 0
MD5

e64732dbba7c812de3cfd435b5f1f20b

SHA1

98f84376fe5e050c7783d1819fab2e6369503066

SHA256

04c6ce889c9d7e0b4c7d61ecb51f2fdecf3a37ce9892f7a4b6d5d458c8ab4daf

SSDEEP

12288:6EB+Jx9Cjs/39lKf94sGg0SOMwItwmtSp+gW3:tcCjsnKG4wbmtcBE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
900 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.431.16299.0 KB4103768
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • CCleaner (5.35)
  • FileZilla Client 3.31.0 (3.31.0)
  • Google Chrome (73.0.3683.86)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft Office Professional 2019 - de-de (16.0.12026.20264)
  • Microsoft Office Professional 2019 - en-us (16.0.12026.20264)
  • Microsoft Office Professional 2019 - es-es (16.0.12026.20264)
  • Microsoft Office Professional 2019 - it-it (16.0.12026.20264)
  • Microsoft Office Professional 2019 - ja-jp (16.0.12026.20264)
  • Microsoft Office Professional 2019 - ko-kr (16.0.12026.20264)
  • Microsoft Office Professional 2019 - pt-br (16.0.12026.20264)
  • Microsoft Office Professional 2019 - tr-tr (16.0.12026.20264)
  • Microsoft Office Professionnel 2019 - fr-fr (16.0.12026.20264)
  • Microsoft Office профессиональный 2019 - ru-ru (16.0.12026.20264)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
  • Notepad++ (64-bit x64) (7.5.1)
  • Office 16 Click-to-Run Extensibility Component (16.0.12026.20264)
  • Office 16 Click-to-Run Licensing Component (16.0.12026.20264)
  • Office 16 Click-to-Run Localization Component (16.0.12026.20264)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Windows 10 for x64-based Systems (KB4023057) (2.19.0.0)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)
  • Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

  • Client LanguagePack Package
  • Foundation Package
  • InternetExplorer Optional Package
  • KB4054022
  • KB4055237
  • KB4055994
  • KB4058043
  • KB4078408
  • KB4093110
  • KB4094276
  • KB4103729
  • KB4131372
  • KB4134661
  • LanguageFeatures Basic en us Package
  • LanguageFeatures Handwriting en us Package
  • LanguageFeatures OCR en us Package
  • LanguageFeatures Speech en us Package
  • LanguageFeatures TextToSpeech en us Package
  • MediaPlayer Package
  • Microsoft OneCore ApplicationModel Sync Desktop FOD Package
  • NetFx3 OnDemand Package
  • ProfessionalEdition
  • QuickAssist Package
  • RollupFix

Behavior activities

MALICIOUS SUSPICIOUS INFO
Scans artifacts that could help determine the target
  • EXCEL.EXE (PID: 4208)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 4208)
Loads dropped or rewritten executable
  • EXCEL.EXE (PID: 4208)
Executable content was dropped or overwritten
  • EXCEL.EXE (PID: 4208)
Reads Environment values
  • EXCEL.EXE (PID: 4208)
Reads settings of System Certificates
  • EXCEL.EXE (PID: 4208)
Creates files in the user directory
  • EXCEL.EXE (PID: 4208)
Reads the software policy settings
  • EXCEL.EXE (PID: 4208)
Reads the machine GUID from the registry
  • EXCEL.EXE (PID: 4208)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 4208)

Static information

TRiD
.xls | Microsoft Excel sheet (48%)
.xls | Microsoft Excel sheet (alternate) (39.2%)
EXIF
FlashPix
CompObjUserTypeLen:
25
CompObjUserType:
Microsoft Forms 2.0 Form
Title:
CiBQd
Subject:
N
Author:
NYxaYK
LastModifiedBy:
Administrator
RevisionNumber:
602
Software:
Microsoft Excel
TotalEditTime:
1.2 days
CreateDate:
2019:08:30 09:14:50
ModifyDate:
2019:12:02 20:35:23
Pages:
2
Words:
3929
Characters:
7608
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
Bytes:
12777
Lines:
230
Paragraphs:
36
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
Page2
HeadingPairs
null
null

Processes

Total processes
99
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start excel.exe splwow64.exe no specs

Process information

PID
4208
CMD
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\AppData\Local\Temp\SKM_C30819111181835.xls"
Path
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
16.0.12026.20264
Modules
Image
c:\program files\microsoft office\root\office16\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\combase.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\imm32.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso20win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso30win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso40uiwin32client.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.431_none_46b2c6d3edf81841\gdiplus.dll
c:\windows\system32\dwmapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso50win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso98win32client.dll
c:\windows\system32\wtsapi32.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsta.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\resourcepolicyclient.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\d3d10warp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\netprofm.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\normaliz.dll
c:\program files\microsoft office\root\office16\msoaria.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\windows.security.authentication.web.core.dll
c:\windows\system32\wintypes.dll
c:\windows\system32\twinapi.appcore.dll
c:\windows\system32\rmclient.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\riched20.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\msiso.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wininet.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\sppc.dll
c:\windows\system32\webio.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\program files\microsoft office\root\office16\oart.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\textinputframework.dll
c:\windows\system32\coreuicomponents.dll
c:\windows\system32\coremessaging.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\webservices.dll
c:\windows\system32\dpapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\adal.dll
c:\windows\system32\cryptnet.dll
c:\program files\microsoft office\root\office16\msohev.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\dsreg.dll
c:\windows\system32\msvcp110_win.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\cldapi.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\aepic.dll
c:\windows\system32\propsys.dll
c:\windows\system32\mlang.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\mpr.dll
c:\windows\system32\windows.staterepositoryps.dll
c:\windows\system32\coml2.dll
c:\program files\microsoft office\root\office16\gkexcel.dll
c:\program files\microsoft office\root\office16\gfx.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\slc.dll
c:\windows\system32\srpapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll
c:\windows\system32\uiautomationcore.dll
c:\program files\microsoft office\root\vfs\system\msvcr100.dll
c:\windows\system32\sxs.dll
c:\windows\system32\dataexchange.dll
c:\windows\system32\dcomp.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll
c:\windows\system32\wintrust.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbe7intl.dll
c:\program files\microsoft office\root\vfs\system\fm20.dll
c:\windows\system32\directmanipulation.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\usp10.dll
c:\windows\system32\windows.globalization.dll
c:\windows\system32\bcp47langs.dll
c:\windows\system32\globinputhost.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msptls.dll
c:\windows\system32\windowscodecs.dll
c:\program files\microsoft office\root\office16\chart.dll
c:\windows\system32\windows.networking.connectivity.dll
c:\windows\system32\windows.security.authentication.onlineid.dll
c:\windows\system32\onecoreuapcommonproxystub.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeuires.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbeuiintl.dll
c:\windows\system32\oleacc.dll
c:\program files\microsoft office\root\vfs\system\fm20enu.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\system32\appresolver.dll
c:\windows\system32\elscore.dll
c:\windows\system32\onecorecommonproxystub.dll
c:\windows\system32\packager.dll
c:\windows\system32\winspool.drv
c:\windows\system32\zipfldr.dll
c:\windows\system32\edputil.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.431_none_887985224abb0026\comctl32.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\chartv.dll
c:\windows\system32\atlthunk.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winshfhc.dll
c:\windows\system32\wdscore.dll
c:\users\admin\appdata\roaming\microsoft\windows\templates\rtdt.dll

PID
1240
CMD
C:\WINDOWS\splwow64.exe 8192
Path
C:\WINDOWS\splwow64.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Print driver host for applications
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\splwow64.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winspool.drv
c:\windows\system32\bcrypt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\printisolationproxy.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\driverstore\filerepository\prnms003.inf_amd64_4592475aca2acf83\amd64\printconfig.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\userenv.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\shcore.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msiso.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoxmlmf.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\jscript.dll
c:\windows\system32\amsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sxs.dll

Registry activity

Total events
2113
Read events
1706
Write events
358
Delete events
49

Modification events

PID
Process
Operation
Key
Name
Value
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D6C6C
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
4208
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
1
01D014000000001000284FFA2E01000000000000000400000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\4208
0
0B0E103A6D74DCB9E66F4A83DB99A51B9CE2E0230046D999AEF0FAADEAEA016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E226D2B484F4D616659574A5464337373702B3165327141506A326C775347586F6C4A7635624B6E337449506B3D2200
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
es-es
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
de-de
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
fr-fr
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
it-it
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ja-jp
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ko-kr
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
pt-br
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ru-ru
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
tr-tr
2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-US
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
de-de
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
es-es
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
fr-fr
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
it-it
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ja-jp
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ko-kr
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
pt-br
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
ru-ru
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
tr-tr
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
$1:
24313A0070100000010000000000000054B231AE6FA9D50100000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
41:
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common
SessionId
1C217356E59DBC40961A14A173C4B9C4
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E
LanguageList
en-US
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.12026&crev=3\0
FilePath
officeclient.microsoft.com\68841F51-88A6-4DEB-BE82-49620921B1D8
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.12026&crev=3\0
StartDate
3072BDAF6FA9D501
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.12026&crev=3\0
EndDate
303227DA38AAD501
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache
LastClean
209EC4AF6FA9D501
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
2
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}
Categories
06020000170200000B020000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
4
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{B866D7AE-7C99-4C20-AA98-278FC044FB98}
Categories
57020000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
4
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}
Categories
BF010000CD030000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
5804129,17846737,18409363,17696988,8758344,17339781,17634580,7668685,18658649,18375312,18948102,7214608,18428691,9319450,17126295,18658648,17322183,18384724,5850062,18658650,18674530,18637650,16920930,20789191,17311449,17698821,18409416,7668686,22131214,18948101,7398615,19978122,20026645,17182941,7668692,18711811,22131171,7440607,19153728,17182981,17182942,4859234,18384801,25514583,17322188,17331930,19543138,5601374,17146274,7668683,5898847,8263521,5850584,17622912,8254547,22070208,23729926,18633496,17182980,8988293,18474530,8697678,17922253,4317338,7649375,17372928,21030619,16859363,6636695,17322181,9176926,17956946,5850122,24466059,8448079,6366290,5850463,6690465,17064074,7649377,5850305,5850582,17425358,19223073,8709129,8750272,18917267,5898845,17182979,6166345,17846738,17885409,17182943,23729931,7459348,17322184,6636694,5850583,22131201,17846749,7218753,8430030,5810308,17182982,18970382,22595280,5850061,5898851,17331926,17331923,7668682,7668681,17846753,17698820,7668693,17331927,17846750,17331929,17127502,6137435,6170083,23459486,17127501,17698822,8988294,17846730,17106064,17698823,17846747,17846734,7398614,18948169,22853700,17110992,17846735,17846748,17846736,19261452,19261450,19261453,19261451,6341763,7116053,6366291,18716634,17610659,18716635,17372899,17914001,17102418,18917269,6029780,8750242,17913997,17913998,17913999,17914000,4289286,7463684,17914002,17914003,22872910,5898849,24466061,17962391,5898880,8433728,5898881,5898884,22929427,8701660,18917328,18917326,18949600,18917268,17578125,18917271,22131169,18917330,18949601,25514584,18970383,22595279,22131208,17322179,18208672,22131207,17127511,22131213,8750241,22853699,5850525,22929425,5587867,23414153,4564173,17127509,16815750,18208656,7690258,8263520,22083550,7690253,22872911,7463105,18647262,19978123,25514585,17962392,5601367,25514582,7966755,6647824,17573643,7868952,17445651,17106059,17445650,17106060,17106065,17106063,19744898,17962113,18625879,36467677,19531353,5601379,7202269,23978014,7168707,6059089,
5601366,17110988,8709120,18441314,8747207,17311443,18208657,19174148,22349186,9037324,18633497,17311450,8996805,4859233,17969938,18208715,18208705,18208658,17311446,8709078,8709086,8709089,18621250,8709081,20248016,16860185,8750274,7214607,16843347,17339214,20489431,17618826,18384725,7690256,19744899,19732354,5888003,36467808,19732353,7690254,19543137,18375313,18384802,18647260,18647259,18647261,20026646,7657413,7649378,7657414,17842627,8447777,16815754,18970381,19198081,17045407,17045408,8430031,8254544,6301592,17425365,24131419,17322180,17322182,17322187,22929429,8758345,36292435
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
827 15,1001 15,1000 15,999 15,226 15,1282 50,1338 50,1338 10,1249 10,1039 15,998 15,1282 10,831 15,1249 15,1338 15,1282 15,829 15,1128 15,291 15,1622 50,850 15,828 15,830 15,1255 15,974 15,670 15,671 15,1002 15,669 15,70 50,2086 15,2087 15,2088 15
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSAllCategories
10
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
CountryCode
std::wstring|GB
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
DC00000000000000803A090041060100010001000000000000000000000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101002C0100008403000080510100050000000500000005000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
DC00000000000000803A0900E3070C00020003000000160003008A03000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101002C0100008403000080510100050000000500000005000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\excel
BuildNumber
16.0.12026
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
Expires
int64_t|0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastSyncTime
E3070C0002000300000016000300B903
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
RoamingLastWriteTime
E3070C0002000300000016000300B903
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|2
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|3
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|4
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|5
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Fonts
CloudFontsVersion
4
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|6
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|7
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|8
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|9
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|10
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|11
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|12
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|13
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|14
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
0.15
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
ChunkCount
uint64_t|15
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData
VersionId
uint16_t|0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
ETag
std::wstring|"qWbXYMn5E7RBQwCIw3e9ApubaPzh6COXJ4MCwdBvCWM="
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel
Expires
int64_t|1575336123
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\4208
0
0B0E103A6D74DCB9E66F4A83DB99A51B9CE2E0230046D999AEF0FAADEAEA016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E2271576258594D6E354537524251774349773365394170756261507A6836434F584A344D437764427643574D3D2200
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Licensing\CachedLicenseData
excel.exe
02E0C11717D3479948A6D31022DB7415E01000000000000000300034003100310031002D003000380033002D00300034003300370032003900000001000000010000000600000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
!:
20213A0070100000000000400100000083A8B0B06FA9D5018400000002000000740000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0073006B006D005F006300330030003800310039003100310031003100380031003800330035002E0078006C007300000000000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
2D5181
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
2D5181
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel
ImmersiveWorkbookDirtySentinel
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel
ImmersiveWorkbookDirtySentinel
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSForms
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSComctlLib
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\VBA\Forms3\Controls
EnableActiveXControlArchitetureIndependent
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\VBA\Forms3\Controls
EnableActiveXControlMSWebBrowserArchiteturePersistenceIssue
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5181
2D5181
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D5828
2D5828
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0
Microsoft Forms 2.0 Object Library
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0\FLAGS
6
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{37050C37-AD6B-4AEB-A8AB-068F6F8CD799}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\VBE
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\WOW6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
FOLDERID_Desktop
C:\Users\admin\Desktop\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
FOLDERID_Documents
C:\Users\admin\Documents\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
FOLDERID_Desktop
C:\Users\admin\Desktop\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
FOLDERID_Documents
C:\Users\admin\Documents\
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
LastBootTime
0000000000000000
4208
EXCEL.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E
@%SystemRoot%\System32\urlmon.dll,-4200
Open File - Security Warning
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
LastBootTime
129FE55D00000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\2D6C6C
2D6C6C
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E3070C0002000300000016000E00380100000000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasLocalSaveDocument_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasLocalSaveDocument_Win32
TimeToNextcall
2019-12-04T00:22:15Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
Provider
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
ShouldShowBadging
1
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:BizBar
TimeToNextcall
2019-12-04T00:22:16Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_InAppPurchase_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_InAppPurchase_Win32
TimeToNextcall
2019-12-04T00:22:45Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasOutSpaceSaveAs_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasOutSpaceSaveAs_Win32
TimeToNextcall
2019-12-04T00:22:45Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageData\1:en-US:Office_CanvasBoot_Win32
TransactionId
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
AppIdOnAction
4294967295
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
CallDelta
86400
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
MaxWait
2000
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
MessageId
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
Provider
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
SetUserAction
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
ShouldShowBadging
0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\TargetedMessagingService\MessageMetadata\0_MsgId:Office_CanvasBoot_Win32
TimeToNextcall
2019-12-04T00:22:45Z
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents
LastPurgeTime
26255543
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\RulesLastAudienceReported
excel.exe
Production
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSTagIds0
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor
ULSCategoriesSeverities
827 15,1001 15,1000 15,1282 50,226 15,999 15,1338 50,1338 10,1249 10,998 15,1039 15,831 15,1282 10,1249 15,1338 15,1282 15,829 15,1128 15,291 15,850 15,1622 50,828 15,1255 15,830 15,974 15,670 15,671 15,1002 15,669 15,70 50,2086 15,2087 15,2088 15
4208
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General
LastAutoSavePurgeTime
26255547

Files activity

Executable files
1
Suspicious files
5
Text files
4
Unknown types
6

Dropped files

PID
Process
Filename
Type
4208
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\rtdt.dll
executable
MD5: 5363ce18b4052ecea9bf805f9f6dbdd3
SHA256: 1ac115a67bff6cd95a7150651807e8ffe5b67c3ada7897138ee2d01a4c7dd3b9
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\VB65E5.tmp
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\vds.xlsx.zip
document
MD5: e086b75e082ca291ea2b5054f6db6cb6
SHA256: 388624acc1c29bffe623bd200bddb0f73c0375c8cb0c96ba208344567fb8f4d9
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF174B2BFD28BB847C.TMP
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~$vds.xlsx
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF8BB14BC035E16D81.TMP
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\vds.xlsx
document
MD5: e086b75e082ca291ea2b5054f6db6cb6
SHA256: 388624acc1c29bffe623bd200bddb0f73c0375c8cb0c96ba208344567fb8f4d9
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\786D2000
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\msohtmlclip1_PendingDelete
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFA9806757755F8C1B.TMP
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\{0D245EA2-BC87-403A-B9BF-C27B6F6F1F07}\basecamp:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\{0D245EA2-BC87-403A-B9BF-C27B6F6F1F07}\basecamp
binary
MD5: 280443000c5e43d396564fc40531e1c8
SHA256: 75003cf7e3d731fd62d3f643f6db95636f16d62e2f85c283a33b088e7890505b
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\VB65E4.tmp
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\68841F51-88A6-4DEB-BE82-49620921B1D8
xml
MD5: 2c43afc5d2e86cce9c444ac23b382b09
SHA256: a52ebebba5ec32b22b7938dac78cf6f731e97382c8d82a6c85eebedc70599f59
4208
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
binary
MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
4208
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GX40DJG9L5N7WTGHV33S.temp
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF901CDE733F9959AE.TMP
––
MD5:  ––
SHA256:  ––
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
tlb
MD5: 46060c4cc8c01fe4ba73b1c35b5535b7
SHA256: 65617b6b687dfc62c9f36d8504f8f3bb419ad10e1ffbee33c7a1e2ebd10fdabe
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\.ses
text
MD5: 6c4f4ee37113ff82723bcd1b080f7e70
SHA256: 2d4835b6a2dcf333fe3b26ce3d1db7d342500b647ef8759485ba7f0fab895daf
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6B1C85E9.emf
emf
MD5: e16a806016925395cf510111f1179b15
SHA256: 31cf4f12d4d843f5e6e41bee96d21ed86a3e3dd5833d531e81efe75b088c33f3
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A81506E3.emf
emf
MD5: a361b3ba419228dd028adb2645693cf7
SHA256: ba332eeae5b3584ae1c4359744deaf51b2944704753d6294b57c44c3752657ff
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D44BFBEA.emf
emf
MD5: 4c8c0801326f0c962e87b206d8ef52f1
SHA256: de413f2bf420c5ab089a382f414e355c874924e07297d2167fcd963f446197e0
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\95FACB88.emf
emf
MD5: ecfc0cc69f9cb85f62dfc41be72ff0ec
SHA256: a4c6a04ae687275f4db5de808ba38af076de12f20cbaaa00eadaa86855814af3
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_9.ttf
pi2
MD5: a0a989f2e6a7b7edbe7cc64ec77e3829
SHA256: f0338a27d7ce3a39ee72a3333bfbc656517010a4fa8e526ccb89e47c71451f37
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
text
MD5: da0bd83a887299f6a4a2b5acf6c88af1
SHA256: 4339ef6fc484d48533e9da01ab8016b060f3c378c63ed58ee5ffd869121fc362
4208
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\oleObject1.bin
binary
MD5: c69e9dd0302d34af7961e115121f05fd
SHA256: 0249680033faadfd7f027e904911c9e0186f8f589ca96f6799fd1bc1c93cbfc4

Network activity

HTTP(S) requests
19
TCP/UDP connections
31
DNS requests
18
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
4208 EXCEL.EXE GET 200 52.109.76.6:443 https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.12026&crev=3 IE
xml
whitelisted
4208 EXCEL.EXE GET 200 2.18.232.120:443 https://fs.microsoft.com/fs/4.9/flatFontAssets.pkg unknown
compressed
whitelisted
4208 EXCEL.EXE POST 200 52.109.88.10:443 https://roaming.officeapps.live.com/rs/RoamingSoapService.svc NL
text
text
whitelisted
4208 EXCEL.EXE GET 200 13.107.3.128:443 https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7d&LabMachine=false US
text
whitelisted
–– –– POST 200 40.90.22.184:443 https://login.live.com/RST2.srf US
xml
xml
whitelisted
–– –– POST 400 40.90.22.184:443 https://login.live.com/ppsecure/deviceaddcredential.srf US
text
text
whitelisted
–– –– POST 400 40.90.22.184:443 https://login.live.com/ppsecure/deviceaddcredential.srf US
text
text
whitelisted
–– –– POST 400 40.90.22.184:443 https://login.live.com/ppsecure/deviceaddcredential.srf US
text
text
whitelisted
–– –– POST 400 40.90.22.184:443 https://login.live.com/ppsecure/deviceaddcredential.srf US
text
text
whitelisted
4208 EXCEL.EXE POST –– 52.114.132.74:443 https://self.events.data.microsoft.com/OneCollector/1.0/ US
binary
––
––
whitelisted
4208 EXCEL.EXE POST –– 172.104.91.16:443 https://live-en.com/1111 JP
text
––
––
malicious
4208 EXCEL.EXE GET 200 52.109.52.36:443 https://messaging.office.com/lifecycle/legacygetcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.12026&lc=en-US&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofaa1msspvo2xw31%2Cofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D JP
xml
whitelisted
4208 EXCEL.EXE GET –– 52.109.52.36:443 https://messaging.office.com/lifecycle/legacygetcustommessage16?app=1&ui=en-US&src=Office_CanvasLocalSaveDocument_Win32&messagetype=Canvas&hwid=04111-083-043729&ver=16.0.12026&lc=en-US&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofaa1msspvo2xw31%2Cofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D JP
––
––
whitelisted
–– –– GET 200 2.16.186.74:80 http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl unknown
der
whitelisted
–– –– GET 200 2.16.186.74:80 http://crl.microsoft.com/pki/crl/products/Microsoft%20Code%20Signing%20PCA(2).crl unknown
der
whitelisted
–– –– GET 200 2.16.186.74:80 http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl unknown
der
whitelisted
–– –– GET 200 2.16.186.74:80 http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl unknown
der
whitelisted
–– –– GET 200 2.16.186.74:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl unknown
der
whitelisted
–– –– GET 200 2.21.38.54:80 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl FR
der
whitelisted

Connections

PID Process IP ASN CN Reputation
4208 EXCEL.EXE 52.109.76.6:443 Microsoft Corporation IE whitelisted
4208 EXCEL.EXE 52.109.88.10:443 Microsoft Corporation NL whitelisted
4208 EXCEL.EXE 2.18.232.120:443 Akamai International B.V. –– whitelisted
4208 EXCEL.EXE 13.107.3.128:443 Microsoft Corporation US whitelisted
–– –– 40.90.22.184:443 Microsoft Corporation US unknown
4208 EXCEL.EXE 52.114.132.74:443 Microsoft Corporation US unknown
4208 EXCEL.EXE 172.104.91.16:443 Linode, LLC JP malicious
4208 EXCEL.EXE 52.109.52.36:443 Microsoft Corporation JP unknown
4208 EXCEL.EXE 52.109.76.31:443 Microsoft Corporation IE whitelisted
–– –– 2.16.186.74:80 Akamai International B.V. –– whitelisted
–– –– 2.21.38.54:80 GTT Communications Inc. FR malicious
–– –– 40.90.22.190:443 Microsoft Corporation US unknown

DNS requests

Domain IP Reputation
self.events.data.microsoft.com 52.114.132.74
whitelisted
officeclient.microsoft.com 52.109.76.6
whitelisted
fs.microsoft.com 2.18.232.120
whitelisted
roaming.officeapps.live.com 52.109.88.10
whitelisted
config.edge.skype.com 13.107.3.128
whitelisted
login.live.com 40.90.22.184
40.90.22.192
40.90.22.188
whitelisted
live-en.com 172.104.91.16
malicious
messaging.office.com 52.109.52.36
whitelisted
nexusrules.officeapps.live.com 52.109.76.31
whitelisted
dns.msftncsi.com 131.107.255.255
whitelisted
www.microsoft.com 2.21.38.54
whitelisted
crl.microsoft.com 2.16.186.120
2.16.186.74
whitelisted
ocsp.verisign.com 23.37.43.27
whitelisted

Threats

No threats detected.

Debug output strings

No debug info.