b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2

Analysis

max time kernel
110s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encoder.exe
Size

10KB
MD5

f1927e7f90416bf39fc7991bbc57e1b3
SHA1

2367249568ca4a34f8824a9313b03d16d1d7c0bc
SHA256

539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
SHA512

a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
SSDEEP

192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7

Score

10^/10

credential_access discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files (x86)\How To Restore Files.txt

Ransom Note

Important !!! Your personal id - aZT4cQBr2pX6ftpG Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Emails

[email protected]

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	encoder.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
7572	wevtutil.exe
18764	wevtutil.exe
13824	Process not Found
16348	wevtutil.exe
4600	wevtutil.exe
5888	wevtutil.exe
8896	Process not Found
8552	wevtutil.exe
8084	Process not Found
8484	wevtutil.exe
10992	Process not Found
456	wevtutil.exe
5824	wevtutil.exe
15816	wevtutil.exe
9204	Process not Found
11748	Process not Found
7604	wevtutil.exe
5780	wevtutil.exe
9156	Process not Found
20140	Process not Found
18168	wevtutil.exe
14768	wevtutil.exe
12700	wevtutil.exe
8804	wevtutil.exe
9932	Process not Found
12280	Process not Found
14324	wevtutil.exe
14680	Process not Found
14724	wevtutil.exe
17808	Process not Found
5356	wevtutil.exe
12816	wevtutil.exe
19360	wevtutil.exe
5176	wevtutil.exe
13012	wevtutil.exe
6308	wevtutil.exe
448	wevtutil.exe
11552	wevtutil.exe
14308	wevtutil.exe
2812	wevtutil.exe
17288	wevtutil.exe
14480	wevtutil.exe
11416	wevtutil.exe
4392	Process not Found
13432	Process not Found
7544	Process not Found
10376	wevtutil.exe
16848	wevtutil.exe
7400	Process not Found
8120	Process not Found
12108	wevtutil.exe
9008	wevtutil.exe
3964	wevtutil.exe
17208	Process not Found
7040	Process not Found
10576	wevtutil.exe
10272	Process not Found
5924	Process not Found
11052	Process not Found
12736	Process not Found
6104	Process not Found
10912	wevtutil.exe
14232	wevtutil.exe
15820	wevtutil.exe

Renames multiple (12089) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	encoder.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\How To Restore Files.txt\""	encoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\searchfiles = "C:\\windows\\searchfiles.exe"	encoder.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	encoder.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
12808	wevtutil.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\EdgeWebView.dat.DATA id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N.svg id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\msointl30.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\flavormap.properties id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_lv.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main-selector.css id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\How To Restore Files.txt	encoder.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\How To Restore Files.txt	encoder.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxMetadata\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover.png id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\How To Restore Files.txt	encoder.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\How To Restore Files.txt	encoder.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\it.pak.DATA id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] id-aZT4cQBr2pX6ftpG.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\How To Restore Files.txt	encoder.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\searchfiles.exe	encoder.exe
File opened for modification	C:\windows\searchfiles.exe	encoder.exe
File opened for modification	C:\windows\cllog.bat	encoder.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5632	Process not Found
18916	wevtutil.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.3 = 63726f736f66742e4f66666963652e4964656e746974792e456e61626c6557616d54656c656d65747279426c6f62222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e456e7375726550726f66696c65466f725072696d6172794964656e746974696573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e49676e6f726544697361626c654144414c61746f7057414d4f76657272696465466f725075726557414d222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e53706f41757468436f6e74657874456e61626c6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e5573654964656e7469747943726564656e7469616c734661696c757265496e666f222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e55736553706f436f6f6b696546726f6d53616d6554656e616e74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e44617465546f5573654d6963726f736f6674333635466f72436f6e73756d657273222c20225622203a20227374643a3a77737472696e677c323032302d30342d32315430303a30303a30302e302b30303a303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e44617465546f5573654d6963726f736f6674333635466f72534d42222c20225622203a20227374643a3a77737472696e677c323032302d30342d32315430303a30303a30302e302b30303a303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e456e61626c6547726163655769746857414350726f6d6f427573426172222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e456e61626c654d6f6465726e41464f222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e486561727462656174446179734265666f726545787044617465222c20225622203a2022696e7433325f747c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e4e6f456e7469746c656d656e747353656c6653657276696365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e4e6f456e7469746c656d656e74735472794275794578706572696d656e7454726561746d656e74222c20225622203a2022696e7433325f747c3222207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e53686f77564e6578745369676e4f75744469616c6f67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e5573655265666163746f726564436f6e666967446570726f766973696f6e222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4c6963656e73696e672e5573655265666163746f726564476574557365724c6963656e7365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4d616e6167656162696c6974792e436c6f7564506f6c6963792e4e6f6e5075626c6963436c6f7564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4d616e6167656162696c6974792e54656e616e744173736f63696174696f6e4b65792e4e6f6e5075626c6963436c6f7564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4d616e6167656162696c6974792e5573654f637073563255726c496e57696e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4e616e63794f66666963655465616d2e7a686574616e34313232303231222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e416c6c6f7741626f7274517569636b436865636b45777353657276696365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e416c6c6f7741626f7274517569636b436865636b4f6d657853657276696365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e4368616e6765476174652e44697361626c6557696e646f7745787465726e616c436c6f73655364784469616c6f67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e4368616e6765476174652e496e766f6b6546657463684d616e696665737443616c6c6261636b4f6e446f776e6c6f61644d616e6966657374222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e4368616e6765476174652e557365436c6f6e6564496e7374616e6365466f724572726f72222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e4368616e6765476174652e56616c6964617465446f776e6c6f61645265736f7572636573222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e4469616c6f6754776f5761794d6573736167696e67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e456e61626c654d696e43616368655265667265736820222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e4964656e746974794361636865466f72636552656672657368222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e4f7366496e7374616c6c6572526567697374657242675461736b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e506572557365724964656e746974794d696e4361636865222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e506572557365724964656e74697479526962626f6e4361636865222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f45502e5765624b69743246756c6c4469616c6f67415049222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f4d45582e456e61626c65456e7465727072697365436f6d416464696e536574436f6e6e656374496e7465726e616c5570646174654576656e7473222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f4d45582e456e61626c65456e7465727072697365436f6d416464696e556e68616e646c6564457863657074696f6e4576656e7473222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f6172742e456e61626c65416972537061636547726f757044726167466978222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f6172742e456e61626c65496e736572744d6564696154656c656d65747279222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f6e654e6f74652e4170706c652e43576f726b73706163655573657255736555726c46726f6d526177556e69636f6465537472696e67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f6e654e6f74652e4368616e6765476174652e53686f77494150456e747279222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f6e654e6f74652e44656570426174636853746f7265456e61626c6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f6e654e6f74652e52656e6465725570646174656457696e333252656458222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f6e654e6f74652e53686f756c645573654e6574436f7374496e73746561644f664d736f426c6f636b696e67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e4c6173744d696c6554656c656d6574727954726163657274222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e5063782e417474656d70744f75746c6f6f6b41757468466f7250726f66696c65222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e5063782e427567466978466f7255736572486561646572496e4964656e7469747941757468222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e5063782e4c696e6b6564496e4b32466978222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e5063782e5063784a756e65323031394275674669786573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e526970636f72642e33363134383230222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e526970636f72642e33393039323635222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4f75746c6f6f6b2e526970636f72642e33393435323833222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5043582e526970636f72642e56534f2e33363432383036222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506572666f726d616e63652e426c6f636b696e6757616974732e4f737250726f63657373222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506572666f726d616e63652e4368616e6765476174652e586c426f6f74436f6d706c657465416674657246696c654f70656e416e6453706c61736853637265656e222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506572736f6e616c697a6174696f6e2e456e61626c65476574496e736967687473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506572736f6e616c697a6174696f6e2e456e61626c6553656e645369676e616c222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506572736f6e616c697a6174696f6e2e557365476574496e736967687473466c6f77466f724665746368696e67476f7665726e616e636544617461222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506f776572506f696e742e4368616e6765476174652e436865636b56696577496e536c6964654a616e69746f724f62736572766572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506f776572506f696e742e4368616e6765476174652e466f726365536f6674776172654d696e69617475726552656e646572696e67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506f776572506f696e742e4368616e6765476174652e4d657267652e5573655468726f77696e674c69666567756172645374657073222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506f776572506f696e742e4368616e6765476174652e536c69646553686f772e52656c65617365536c69646553686f774d616e616765724265666f726547667853687574646f776e222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506f776572506f696e742e48616e646c65434c524372617368222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506f776572506f696e742e53756767657374696f6e732e456e61626c65436f6e74656e745265636f6d6d656e646174696f6e4974656d73222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e506f776572506f696e744f6e6c696e652e4175676c6f6f702e436f70696c6f742e5354466978656450726573466f724e6f546f706963466f72416c6c54656d706c61746573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e50726f6a6563742e50726f6a65637443325253657276657232303133436f6e6e656374696f6e426c6f636b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e50726f6a6563742e50726f6a65637443656e74656e6e69616c53657276657232303133426c6f636b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e50726f6a6563742e50726f6a65637443656e74656e6e69616c53657276657232303133436f6e6e656374696f6e426c6f636b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e434c502e5570646174655374617475734261724f6e50726f66696c65537769746368222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e43656e7472616c697a6564457874656e73696f6e536166657479436865636b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e49524d2e5758505644697361626c654c6f616454656d706c617465734f6e426f6f74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e4973457874656e73696f6e496e4c697374557064617465222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e4d6f6e69746f72656446696c65457874656e73696f6e4c697374222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e50726f74656374696f6e536572766963652e4e657755784d6f64656c222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e53686f756c6452756e436c6f75645365637572697479506f6c696379436865636b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e53656375726974792e5573654e6f526566436f756e74416d736953747265616d222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e436c6f7564222c20225622203a20227374643a3a77737472696e677c5075626c696322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e46617374465445222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e4d53495442697a63686174416c6c6f776c697374222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e4d6f636861222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e4f584f416c6c222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e50657270657475616c4c6963656e7365222c20225622203a20227374643a3a77737472696e677c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e5365676d656e74222c20225622203a20227374643a3a77737472696e677c4e4f4e4652444322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e56657273696f6e506172746974696f6e222c20225622203a20227374643a3a77737472696e677c57696e3332416e64726f6964486f7422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5365676d656e746174696f6e2e576f7264436f70696c6f74446f67666f6f64222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5368617265642e416c6c6f775a65726f4c656e67746853656172636853747269	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|9"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|0"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t\|1732105459"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\VersionId = "uint16_t\|0"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring\|\"kPaHyiEEq7x58GEfhgIKAtZSXnJAAGYEMXQDCi7AGJU=\""	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|5"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t\|0"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.2 = 6963652e46696c65494f2e456e61626c65466f726365486f73744d6f6465466f7253796e634261636b6564486f73744f6e4f70656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4661696c43616c6c73546f5472616e73616374656453747265616d446174614265666f72654373694c6f616446696c65222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4872446f776e6c6f616454656d704173796e634c4d54222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e496e637265617365644279746573427566666572657257696e646f7753697a65222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e496e6372656d656e74616c4f70656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4973496e74656c6c6967656e745361766550726f6d7074537572766579456e61626c6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e49734f70656e4572726f724469616c6f6741626c65546f42654f76657272696464656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4c6f636174696f6e5069636b65725468726565446f74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4e65766572466f726365486f73744d6f6465496e436f6c6c61625265636f6e63696c6174696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4f63735072656665746368496e7465726e616c436f6f7264696e6174696f6e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4f637369576f726b696e67436f7079577269746546696c654d61785265747279436f756e74222c20225622203a2022696e7433325f747c3522207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4f637369576f726b696e67436f7079577269746546696c655265747279496e74657276616c496e4d696c6c697365636f6e6473222c20225622203a2022696e7433325f747c31303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e50726f746f636f6c48616e646c65722e44697361626c65457863656c53656375726974794469616c6f67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e50726f746f636f6c48616e646c65722e44697361626c65506f776572506f696e7453656375726974794469616c6f67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e50726f746f636f6c48616e646c65722e44697361626c65576f726453656375726974794469616c6f67222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5265667265736855706f6e526573746f726174696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e536572766572496e666f4d736f446176436865636b456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e536861726555726c456e64706f696e744361636865456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e53686f756c645265717565737451756572794578706563746564416363657373222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e536b6970556e636f6d70617261626c65446f776e6c6f61645265766973696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e536b6970576563496e6974447572696e674f70656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e53747269637453746f726167654c6966656379636c65222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e537472697056657273696f6e494446726f6d55726c4265666f726553656e64696e67546f437369222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5472696767657253796e63496e7369646548616e646c6542617365446f776e6c6f61644572726f72222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e556e7365745265736f757263654964496646696c655761734e6f745361766564546f536572766572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5573654361636865644e6574776f726b436f6e6e656374696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e5573655265666163746f72656453796e634368616e6e656c496e486f73745265766973696f6e7355706461746572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e557365586d6c48747470436f6d706f6e656e74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e56616c69646174654d617050617468734c697465222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e44656661756c744368616e6e656c436f6f6c646f776e2e42616e6e6572222c20225622203a2022696e7433325f747c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c6543616d706169676e436c69656e74222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c654d6f6465726e466c6f7757697468546965726564476f7665726e616e6365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c654d756c74694c61756e636853757276657943616d706169676e73222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c6554656c656d657472794576656e745472616e736475636572222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e496e7369646572546f6173744c61756e63686572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e4d617843616d706169676e73506572417070222c20225622203a2022696e7433325f747c323522207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e4d6178446961676e6f73746963436f6c6c656374696f6e73506572417070222c20225622203a2022696e7433325f747c323022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e4e6f746669636174696f6e4c61756e63686572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e50726976616379436865636b466f724e6f6e436f6e74726f6c6c657253657276696365466f72537572766579222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e526f616d696e67426173656443616d706169676e537461746573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e526f616d696e674261736564476f7665726e65644368616e6e656c537461746573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e526f616d696e67426173656453757276657941637469766174696f6e5374617473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e466c6f6f64676174652e53757276657973456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e41766f6964556e6e656365737361727944657669636552656372656174654f6e446973706c61794368616e6765222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e436865636b507265666572436d644c697374466f7243616c6c436d64546f7373556e646f222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e456e73757265496e6b5374796c65496e69745769746853757266616365222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e4669784465766963655265456e756d65726174696f6e222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e52756e4d6f646966794465736372697074696f6e436f6d6d616e6441734d6f6465726e496e457863656c222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e5365745465787446696c6c546f426c61636b466f7253656c6563746564486967686c69676874222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e5365745465787446696c6c546f426c61636b466f7253656c6563746564486967686c6967687432222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4368616e6765476174652e5573655368617265644458474941646170746572456e756d65726174696f6e4c6f676963466f7253746172747570222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e436f6d6d616e64732e456e61626c6553657450696374757265417370656374526174696f436d64222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e436f6d6d616e64732e456e61626c655365745461626c655374796c65436d64222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e456e61626c654368616e676550696374757265436f6d6d616e64466f72426c697046696c6c73222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e456e61626c655356474c696e65416e6446696c6c436f6d6d616e6473466f72536861706573222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e47657443616c6c537461636b466f7246576964656e222c20225622203a2022696e7433325f747c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e49636f46696c746572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e496e6b2e44656c657465416c6c496e6b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d617833444d6174657269616c5465787475726553697a65222c20225622203a2022696e7433325f747c3430393622207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d6f64656c33444f6e6c696e652e426c6f636b6564436f756e7472696573222c20225622203a20227374643a3a77737472696e677c61663b647a3b62683b636e3b63753b65673b69643b69723b69713b6a6f3b6b773b6c623b6c793b6d723b6d613b6b703b6f6d3b71613b73613b73643b73793b746e3b74723b61653b796522207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d6f64656c33444f6e6c696e652e426c6f636b65644c616e677561676573222c20225622203a20227374643a3a77737472696e677c74722d74723b7a682d636e3b61722d73613b69642d696422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e4d756c74695363656e654465707265636174696f6e732e476574554957696e646f7746726f6d55736572496e74657266616365222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e526574727943726561746544324431466163746f72794f6e44656c61794c6f61644661696c7572654d617852657472696573222c20225622203a2022696e7433325f747c323022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e536b69704661696c656446436f70794f50544573496e46436f7079222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e536e61704c696e655769647468496e50656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e53746172744174506172656e7454696d65222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e537570706f727454657874496e535647546f5368617065436f6e76657273696f6e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e557365417263546578747572654265666f7265443244222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e5573654c6973744e6f6465222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e5573654c6f676963616c445049466f72566563746f72496d6167655265736f75726365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726170686963732e557365536d617274496e6b416e616c797a6572466f72496e6b456469746f72222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e466f726365456e67696e6553657475704f6e4247546872656164222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e4f7074696d697a65526f616d696e6753657474696e67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e547275737442617244656c6179466f726d6174222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e47726f7774682e41697254726166666963436f6e74726f6c2e556e666f726d6174746564427573426172222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e48656c702e496e636c756465436f6d6d616e6454797065222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e4144414c5468726f74746c696e67456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e41766f696453656e64696e675368617265506f696e7448656164657273546f5075626c6963456e64706f696e7473222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4964656e746974792e4368616e6765476174652e4f6e6c7950657273697374536368656d65466f7253657276657255726c73222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d69	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.12 = 224576656e74735c22203a207b205c22436c70547279557067726164654c6162656c4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54617267657465644d6573736167696e67222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c224275736261725468656d6553656c656374696f6e5374617475735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54656c656d65747279222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22436c69656e7453616d706c696e674f76657272696464656e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2253797374656d4865616c74684d657461646174614e6574776f726b436f73745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224576656e7451756172616e74696e65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f6164586d6c52756c65735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2250726f6365737349646c6551756575654a6f625c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22466c7573684576656e744275666665725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2254656c656d6574727953656e74696e656c56616c75655c22203a207b205c224576656e74466c61675c22203a2030207d207d2c205c224c6f636b65645c22203a2066616c7365207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54656c6c4d65222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2254656c6c4d655741435c22203a207b205c224576656e74735c22203a207b205c225175657279526573706f6e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54657874222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c225265736f75726365436c69656e745c22203a207b205c224576656e74735c22203a207b205c22446573657269616c697a655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656164466f6e74456c656d656e74735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2250757267654d756c7469706c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22526561645265736f757263654d657461446174615c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2257726974655265736f757263654d657461446174615c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22474449417373697374616e745c22203a207b205c224576656e74735c22203a207b205c225265676973746572436c6f7564466f6e7443616c6c6261636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2248616e646c6543616c6c6261636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22466f6e744d616e6167657244657374727563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464436c6f7564466f6e745265736f757263655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22466f6e74537562737469747574696f6e5c22203a207b205c224576656e74735c22203a207b205c22436f6c6c656374466f6e74537562737469747574696f6e55736167655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e5472616e736c61746f72222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22416c7465726e6174655472616e736c6174696f6e735265747269657665645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6e7465787475616c53756767657374696f6e734c6f616465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745465787453656c65637465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c61746564466565646261636b547269676765725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c6174696f6e43616e63656c6c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745472616e736c6174696f6e53756767657374696f6e436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224578636c756465644c616e677561676541646465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224578636c756465644c616e677561676552656d6f7665645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d6963726f666565646261636b566f746553656c65637465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6f786d6c5472616e736c617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253657474696e6773436c6f7365645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253657474696e67734f70656e65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536f75726365446f63756d656e744c616e674368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536f75726365546172676574537761707065645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536f75726365546578744c616e674368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546172676574446f63756d656e744c616e674368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546172676574546578744c616e674368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546578745472616e736c617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472616e736c6174696f6e496e7365727465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472616e736c6174696f6e4c616e6775616765734c6f616465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472616e736c6174696f6e5461624368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416c7465726e6174655472616e736c6174696f6e4578616d706c655265747269657665645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416c7465726e6174655472616e736c6174696f6e436f706965645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464496e4c6f616465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e5558222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22436f6c6f725069636b65725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6d696e67536f6f6e54435348574e445c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e6f46696c65457874656e73696f6e49636f6e4d617070696e675c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c225344585c22203a207b205c225375624e616d657370616365735c22203a207b205c224d65436f6e74726f6c5c22203a207b205c224576656e74735c22203a207b205c22547261636b65645363656e6172696f5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c225465616368696e6743616c6c6f75745c22203a207b205c224576656e74735c22203a207b205c225465616368696e6743616c6c6f7574416c726561647953686f776e4d617854696d65735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225465616368696e6743616c6c6f7574416c726561647953686f776e5468697353657373696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225465616368696e6743616c6c6f7574546f6f4d616e7953686f776e5468697353657373696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2244796e616d69634470695c22203a207b205c224576656e74735c22203a207b205c22446973706c6179546f706f6c6f6779456e756d65726174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446973706c6179546f706f6c6f67794368616e6765645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22446f63756d656e745265636f766572795c22203a207b205c224576656e74735c22203a207b205c22496e76616c696461746550616e65735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22546f6f6c746970735c22203a207b205c224576656e74735c22203a207b205c2253686f77546f6f6c7469705c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22416e63686f7252656769737472795c22203a207b205c224576656e74735c22203a207b205c224765744f72437265617465416e63686f7252656769737472795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22526962626f6e546162735c22203a207b205c224576656e74735c22203a207b205c22526962626f6e5461624163746976617465645f466c6f6f64676174655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e576f7264222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224c696e6b6564496e5c22203a207b205c224576656e74735c22203a207b205c224372656174654c696e6b6564496e526573756d65417373697374616e745461736b50616e655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d2c205c2246696c65536176655c22203a207b205c224576656e74735c22203a207b205c225361766541735361766546696c655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22416374436d64476f7375625361766541735c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f435349464f4353536176655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436d645361766546696c65436f7265325c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2246696c654f70656e5c22203a207b205c224576656e74735c22203a207b205c22446f634e6f7469667943616c6c6261636b5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22446f4e6f746966794d657267654469616c6f675c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22464e4d45696453657446726f6d5873747a46747970466e6d4469725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e697469616c697a6542696e6172794261636b696e6753746f72654361636865735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22436f417574686f72696e675c22203a207b205c224576656e74735c22203a207b205c2253686f77526573747269637465644d6163726f45646974696e674275734261725c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2246586c7255736572507265666572656e63655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f63735472616e736974696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436f617574684d657267655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c225365745464725265616479466f725472616e736974696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22536164426172546167735c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f6373446f776e6c6f6164526566557064617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2244796e616d696353617665496e697469616c496e666f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22507573684f70526571756573745374617475735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22507573684f70436f6d706c657465645374617475735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22466f726d735c22203a207b205c224576656e74735c22203a207b205c224c6561726e696e67546f6f6c73576b4f6e446f63756d656e744f70656e5c22203a207b205c224576656e74466c61675c22203a203439343038207d207d207d2c205c22446961676e6f737469635c22203a207b205c224576656e74735c22203a207b205c22566563416c6c6f634661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22496e636f73697374656e74526561644f6e6c79446f6350726f70657274795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224f4353425c22203a207b205c224576656e74735c22203a207b205c2256636c6f6b4f6e446f63446973706c61795c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2256636c6f6b4f6e53617665436f6d706c6574655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2256636c6f6b4f6e55706c6f6164436f6d706c6574655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d2c205c22536176655c22203a207b205c224576656e74735c22203a207b205c22436f61757468436f6e74656e744c6174656e6379496e536176655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436d64446f53617665446f63436f7265436f6d6d616e64416374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436d64446f53617665446f63436f7265416374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22464d617953746172745472616e73616374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224669726553746174654f664175746f536176654f6e436c6f73655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22456964456e737572654f70656e466f72536176655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2242475361766546616c6c6261636b546f46475c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224544505c22203a207b205c224576656e74735c22203a207b205c22446f63756d656e744964656e746974794368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2250726f6f66696e675c22203a207b205c224576656e74735c22203a207b205c2250726f6f66696e674e6f50726f6f66526567696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225453706c4c6f61644c6962726172795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c6f75645370656c6c6572436865636b5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e6f50726f6f6652756e4469666665727346726f6d5061726150726f705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c617373696669636174696f6e4372697469717565526573706f6e7365506572664d61704578636565645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224772616d6d6172436865636b657243616c6c5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22576f72645c22203a207b205c225375624e616d657370616365735c22203a207b205c22426f6f745c22203a207b205c225375624e616d657370616365735c22203a207b205c2254696d696e675c22203a207b205c224576656e74735c22203a207b205c22446174615c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d2c205c22426f6f745c22203a207b205c224576656e74735c22203a207b205c22416464696e4d6f6e69746f7256616c6964617465426f6f745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e44697361626c65644469616c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e4d6f6e69746f7256616c6964617465426f6f74325c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22576f72644d61696c5c22203a207b205c224576656e74735c22203a207b205c2248724c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872536176655c22203a207b205c2245	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.13 = 76656e74466c61675c22203a2032207d207d207d2c205c22446f6354696c696e675c22203a207b205c224576656e74735c22203a207b205c2254696c696e6749646c6542756e646c654576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2254696c696e6749646c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2254696c696e6749646c654865617274626561745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2254696c696e6749646c654669726542756e646c65644576656e74735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225465787454696c65446f63756d656e7456696577476574456e756d657261746f724576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225465787454696c65446f63756d656e7456696577446973636f6e6e6563745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225465787454696c65446f63756d656e745669657753696e6b52656769737465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225465787454696c65446f63756d656e745669657753696e6b556e72656769737465725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2254687265655761794d657267655c22203a207b205c224576656e74735c22203a207b205c22435254435265766572745265706c61794b706f7353636f70654475726174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2255494d5c22203a207b205c224576656e74735c22203a207b205c224655494d426567696e556e646f4265666f726546426567696e556e646f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224655494d426567696e556e646f416674657246426567696e556e646f5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224163636573736962696c6974795c22203a207b205c224576656e74735c22203a207b205c22416363436865636b657256696f6c6174696f6e547970655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2247726170686963735c22203a207b205c224576656e74735c22203a207b205c2245326f496e666f466f72446f63756d656e74436f6e7461696e696e674475706c696361746541727469645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22547261636b4368616e6765735c22203a207b205c224576656e74735c22203a207b205c22557463547261636b4368616e67657341646465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2255736572507265666572656e63655c22203a207b205c224576656e74735c22203a207b205c225365744972665c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22436f70696c6f745c22203a207b205c224576656e74735c22203a207b205c2250726f61637469766553756d6d617279456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e4368616e6765476174652e4361636865456e726963686d656e74416363657373546f6b656e222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e526573656172636865722e4e6f64654a5357656250616765457874726163746f72222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e48656c704974656d53706c6974427574746f6e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e48656c7050726f7669646572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e497350656f706c654974656d53706c6974427574746f6e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e4d616a6f724974656d53706c6974427574746f6e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e4d6178436f6d6d616e64526573756c7473546f52657475726e222c20225622203a2022696e7433325f747c3422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e506172616d657465725465726d50726564696374696f6e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e51756572794c6f6767696e67456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e536861726564446f63756d656e74456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e53686f756c6453686f7748656c70416374696f6e73222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e53686f774f6e6c794974656d4c6162656c49664465736372697074696f6e49734e756c6c222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e57617465726d61726b506172616d65746572697a6174696f6e456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5543492e54656c6c4d652e5a65726f417373697374616e6365526573756c7473456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5558506c6174666f726d2e4973506572736f6e6150726f66696c65504358456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5558506c6174666f726d2e52656d6f76654d53414148616e646c6572466f7254657874426f78222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5558506c6174666f726d2e5465616368696e6743616c6c6f757454696d654f6e53637265656e54656c656d65747279222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5558506c6174666f726d2e5468656d696e672e5573654d656469756d4c756d696e616e63655468726573686f6c64222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5558506c6174666f726d2e5569614e6f74696669636174696f6e73466f72427573426172456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e5558506c6174666f726d2e5569614e6f74696669636174696f6e73466f725465616368696e6743616c6c6f7574456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e566973696f2e484f50657266496d70726f76656d656e7473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e57686174734e65772e454353446174614c6f61646564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d3130304b42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d3130304d42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d31304d42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d314742416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d314d42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d3530304b42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d3530304d42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d35304d42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d354d42416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e4275666665724f6f6d5265616c6c79426967416374696f6e222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e456e61626c655061747465726e73496e41746e74786e64222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e576f72642e52616973655569614175746f436f72726563744576656e7457697468456e74697265576f7264222c20225622203a2022626f6f6c7c3122207d205d2c2022464347726f75704d617022203a207b2022464347726f75704d61705f3122203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657231222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373838333230323b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657232222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373838323936373b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657233222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373838333231313b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657234222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383434343234393330373934313932373b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b656447726170686963734164617074657235222c20225622203a20227374643a3a77737472696e677c33323930323b303b303b303b383732353732343238343635343239363b323b303b303b303b303b3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e426c6f636b6564477261706869637341646170746572436f756e74222c20225622203a2022696e7433325f747c3522207d205d2c2022464347726f75704d61705f3222203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e476c6f62616c5265736f75726365496e666f4361636865456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e53686f756c644d69677261746546726f6d4f72617069222c20225622203a2022626f6f6c7c3122207d205d2c2022464347726f75704d61705f3322203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e42697a426172222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e766173426f6f742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e766173446f63756d656e7452656164792d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e766173466c6f6f64676174652d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734c6963656e73696e674469616c6f6752656e65772d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734c6f63616c4f70656e446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734c6f63616c53617665446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f444253617665446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f6e6544726976654f70656e446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f6e65447269766553617665446f63756d656e742d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f757453706163654f70656e2d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d43616e7661734f757453706163655361766541732d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d466c6f6f6447617465222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f66666963652d496e41707050757263686173652d57696e3332222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54617267657465644d6573736167696e672e456e61626c65537572666163652e4f75745370616365222c20225622203a2022626f6f6c7c3022207d205d207d207d	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigIds = "std::wstring\|P-R-1098158-1-5,P-R-76757-1-2,P-R-54903-1-3,P-R-26146-7-17,P-D-29635-1-1,P-D-27087-1-9,P-R-79688-1-3,P-R-53532-1-5,P-R-51436-1-6,P-R-51427-18-12,P-R-40464-18-9,P-X-98518-6-9,P-R-38390-18-21,blockedgraphicsadapter5:475899,P-R-35099-2-4,P-R-61408-18-3,P-R-55746-2-5,P-R-53512-1-4,P-R-46974-18-18,P-R-38953-1-11,P-R-36551-18-18,P-R-71414-1-6,P-R-40253-6-19,P-R-40254-6-18,P-R-35401-6-7,P-R-32107-22-22,P-R-39146-14-15,P-R-39147-14-20,P-R-28546-6-11,P-R-28165-6-28,P-R-24980-8-48,P-R-24390-5-12,P-R-18279-2-65,P-D-34200-4-5,P-R-51145-2-7,P-R-29928-2-20,P-R-67932-1-4,P-R-67201-1-4,P-R-64545-1-4,P-R-64035-1-4,P-R-53515-18-9,P-R-53280-1-6,P-R-52247-1-5,P-R-51958-1-5,P-R-51842-1-5,P-R-51277-2-6,P-R-47451-18-20,P-R-45919-18-19,P-R-45085-18-12,P-R-41442-18-18,P-R-38085-12-9,P-R-18744-6-22,P-D-34239-1-6,P-R-1034169-10-7,P-E-28677-C1-3,P-R-55122-8-8,P-R-50255-10-9,P-R-44907-1-9,P-R-45314-10-16,P-R-44965-C1-6,P-X-1240823-2-3,P-E-38231-C1-4,P-R-1245662-16-4,P-R-94560-14-12,P-R-94189-14-13,P-R-93882-14-26,P-R-54728-16-23,P-R-54698-16-16,P-R-54658-18-19,P-R-38306-18-3,P-R-35717-5-30,P-R-34019-4-3,win32devicecanarycf:541484,win32devicecanarycf:541484,P-X-53845-1-9,P-X-53772-1-3,P-X-51790-1-3,P-R-1025232-24-9,P-R-71358-1-4,P-R-70941-1-4,P-R-69065-1-3,P-R-67160-1-7,P-R-59781-1-4,P-R-55631-1-4,P-R-54215-1-4,P-R-53751-1-4,P-R-53752-1-4,P-R-53526-1-4,P-R-52110-1-4,P-R-49765-15-32,P-R-48818-17-25,P-R-50679-1-4,P-R-50486-18-12,P-R-44830-18-13,P-R-49416-4-14,P-R-48457-2-6,P-R-47974-16-18,P-R-46544-18-11,P-R-45609-14-6,P-R-45197-2-6,P-R-44046-18-11,P-R-44015-18-20,P-R-43723-2-6,P-R-41742-18-32,P-R-40980-18-16,P-R-40359-2-10,P-R-39029-5-18,P-R-38835-18-48,P-R-37676-18-46,P-R-36310-4-5,P-R-35945-10-5,P-R-35165-2-7,P-R-35143-4-4,P-R-33553-4-6,P-R-33536-12-13,P-R-29809-1-7,P-R-26968-3-9,P-R-18425-8-62,P-R-18426-5-30,P-R-18424-4-34,fiser190:377704,happy03172020-1:61977,happy02062020-0:28428,P-R-53545-4-5,P-R-50711-18-11,P-R-49736-6-22,P-R-48467-18-18,P-R-32106-7-33,P-R-30085-1-9,P-R-29138-38-83,P-R-29315-36-69,P-R-25009-1-8,P-R-24363-1-13,P-R-21631-10-64,P-R-19898-1-22,P-R-19814-1-62,P-R-19012-1-57,P-X-1015554-2-5,P-X-50220-1-3,P-X-49730-1-3,P-R-69347-1-5,P-R-64574-1-4,P-R-54116-1-4,P-R-53585-18-18,P-R-52594-18-5,P-R-52386-1-4,P-R-50980-2-4,P-R-50938-1-4,P-R-50152-18-20,P-R-49175-18-22,P-R-47260-18-23,P-R-44156-18-26,P-R-43284-18-19,P-R-43285-12-22,P-R-42482-1-4,P-R-40990-12-15,P-R-39333-18-28,P-R-35439-12-21,P-R-33215-18-19,P-R-31352-12-25,P-D-34269-2-5,grski455cf:578554,gruse488:570358,grico406:19777,P-R-49830-18-15,P-R-40586-18-27,P-R-32996-18-24,P-D-40316-9-5,P-R-50429-18-8,P-R-65295-18-30,P-R-61861-1-4,P-R-61737-1-4,P-R-51777-18-8,P-R-50920-1-6,P-R-50366-18-19,P-R-35985-14-23,P-R-35891-18-5,P-R-32004-2-5,P-X-1276509-1-5,P-R-1280425-13-17,P-R-68336-2-4,P-R-67286-2-6,P-R-51513-2-4,i0d76970:598689,P-R-79963-1-2,P-R-52043-1-3,P-R-51764-1-4,P-R-49388-2-6,P-R-48335-4-16,P-R-47308-3-9,P-R-42392-2-4,P-R-39073-1-5,P-R-1123376-10-12,P-R-1009855-12-14,P-R-98856-18-48,P-R-43489-30-15,P-R-38410-12-23,P-X-1291246-2-3,P-X-1019581-1-3,P-X-1006174-1-5,P-R-66436-1-4,P-R-62873-1-4,P-R-51097-1-5,P-R-50706-18-7,P-R-50055-18-7,P-R-49315-18-5,P-R-42660-18-35,P-R-36649-8-9,ch371179:600396,oemic639:397753,oeall843:375887,P-R-42379-2-3,P-R-42378-2-3,P-R-66539-1-4,P-R-66538-1-4,P-R-65278-1-4,P-R-65279-1-4,P-R-59180-1-4,P-R-48070-1-5,P-R-47386-1-4,P-R-55342-2-2,P-R-53377-2-6,P-R-52481-2-5,P-R-49759-2-8,P-R-46100-20-9,P-R-38510-2-10,P-R-37550-20-13,P-R-32186-28-29,P-R-58135-2-4,P-R-56618-1-3,P-R-56027-1-4,P-R-46145-18-18,P-R-33892-1-8,P-R-33696-1-5,P-R-55749-1-4,P-R-53662-1-4,P-R-52246-1-4,P-R-52245-1-4,P-R-52238-1-5,P-R-43644-6-13,P-R-39912-1-2,P-R-39283-4-10,P-R-50380-18-18,P-R-50379-18-17,P-R-68146-1-5,P-R-63409-1-5,P-R-50542-18-14,P-R-50500-18-16,P-R-48365-18-24,P-R-48161-18-32,P-R-46597-1-4,P-R-33737-1-4,P-E-29662-C1-3,P-R-29303-2-20,P-R-56654-2-4,P-R-51703-1-5,P-R-50133-2-9,P-R-47242-18-11,P-R-46410-1-5,P-R-45550-18-46,P-R-45490-16-9,P-R-44885-18-20,P-R-42512-1-3,P-R-40169-8-13,P-R-32143-5-18,P-R-37313-18-22,P-R-36664-4-4,P-R-35476-2-5,P-R-35407-4-3,P-R-35237-14-11,P-R-35150-2-4,P-R-35129-2-4,P-R-35056-4-5,P-R-34889-8-4,P-R-34044-2-4,P-R-33718-6-5,P-R-33459-1-5,P-R-30292-4-8,P-R-28644-1-4,P-R-24037-1-7,P-R-23445-3-7,P-R-23434-3-7,P-R-18513-1-30,P-D-34699-4-4,P-D-34697-2-4,P-D-34675-1-4,P-D-34673-1-4,P-D-34654-1-4,P-D-34587-3-5,P-D-34266-1-4,P-D-34262-1-5,P-D-34260-1-5,P-D-34258-2-5,P-D-32465-1-5,P-D-32459-2-4,P-D-32458-5-4,P-X-1083427-2-5,P-R-69529-1-5,P-R-65011-1-3,P-R-53622-18-4,P-R-50541-2-7,P-R-49893-22-9,P-R-36932-2-13,jh8ab447:380633,P-R-69232-18-13,P-R-23681-2-7,P-D-32502-2-3,P-D-32501-2-3,P-D-32415-2-3,P-R-64513-18-11,P-R-51916-84-31,P-R-23746-32-46,P-R-38248-20-26,P-R-1286642-1-3,P-R-1280186-1-3,P-R-1267084-2-6,P-R-1258784-3-5,P-R-1245296-4-6,P-R-1236953-4-6,P-R-1157570-2-4,P-R-1132821-2-4,P-R-1119013-1-3,P-R-1098796-1-3,P-R-1094445-1-3,P-R-1080412-1-3,P-R-1069769-2-4,P-R-1068115-1-3,P-R-1045118-2-4,P-R-25269-14-21,P-R-1044408-1-3,P-R-1044141-7-9,P-R-1037887-1-3,P-R-1037879-1-3,P-R-1036293-1-3,P-R-1036292-1-3,P-R-1036289-2-4,P-R-1036288-1-3,P-R-1036068-2-4,P-R-1035933-2-4,P-R-1035149-2-4,P-R-1033817-1-3,P-R-1028168-1-3,P-R-1009717-3-5,P-R-1000061-2-4,P-R-117548-2-4,P-R-111682-1-3,P-R-105731-36-38,P-R-104435-13-15,P-R-100294-1-3,P-R-99633-1-3,P-R-98929-2-4,P-R-98250-1-3,P-R-94299-1-3,P-R-93077-1-3,P-R-86118-1-3,P-R-80517-7-9,P-R-78112-4-6,P-R-77140-2-4,P-R-76918-2-4,P-R-76721-1-3,P-R-75440-2-4,P-R-73676-1-3,P-R-72449-7-10,P-R-72030-4-6,P-R-68069-2-4,P-R-66975-1-3,P-R-65567-1-3,P-R-62212-2-4,P-R-60602-3-5,P-R-52633-1-3,P-R-52171-2-4,P-R-52011-2-4,P-R-51921-8-10,P-R-51258-8-10,P-R-50752-2-4,P-R-50681-2-4,P-R-50599-4-6,P-R-50596-4-8,P-R-50553-1-3,P-R-49597-3-5,P-R-49458-2-4,P-R-48530-7-9,P-R-47948-1-4,P-R-46580-3-5,P-R-46484-10-12,P-R-46122-1-3,P-R-45858-2-4,P-R-43966-2-4,P-R-43502-19-21,P-R-41430-1-3,P-R-40751-8-10,P-R-40273-4-6,P-R-39238-5-7,P-R-38682-3-5,P-R-37588-2-4,P-R-34355-8-10,P-R-26266-4-9,P-R-26834-3-8,P-R-24662-16-22,P-R-27479-6-11,P-R-26056-7-15,P-R-27006-7-12,P-R-30338-3-7,P-R-30178-79-81,P-R-30053-8-10,P-R-27458-1-5,P-R-25822-16-19,P-R-25083-6-9,P-R-24690-43-47,P-R-24689-2-5,P-R-24666-2-5,P-R-24663-6-11,P-R-24659-7-10,P-R-23744-7-9,P-R-23739-7-9,P-R-23736-14-17,P-R-23734-7-9,P-R-23730-21-24,P-R-23723-10-12,P-D-32588-1-3,P-D-32534-1-3,P-D-32524-1-3,P-D-32518-1-3,P-D-32512-1-3,P-D-32509-1-3,P-D-32485-1-4,P-D-32484-1-4,P-D-32405-1-3,P-R-1087141-4-7,P-R-49160-12-12,P-R-47601-18-13,P-R-46834-12-14,P-R-46202-18-11,P-R-44018-18-13,P-R-43355-18-12,P-R-35337-16-7,P-R-33916-1-5,P-R-33580-8-9,P-X-117400-1-3,P-R-59175-18-4,P-R-53292-14-10,P-R-49130-18-23,P-R-46913-18-8,P-R-37449-18-15,uxmediumiconluminance:353455,P-R-48549-18-11,P-R-19262-1-12,P-E-44774-2-9,P-R-44869-16-16,P-R-33918-1-11,P-R-1128630-1-7,P-R-1098412-1-5,P-R-1091267-1-55,P-R-81720-1-2,P-R-58406-1-5,P-D-50697-2-4,P-D-29719-1-1,P-D-29718-1-1,P-D-29593-1-6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|2"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.10 = 726555726c416e6448616e646c65526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e556e7061636b55726c436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22486c696e6b5c22203a207b205c224576656e74735c22203a207b205c224d736f4872486c696e6b43726561746546726f6d537472696e675c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d534f5c22203a207b205c224576656e74735c22203a207b205c22434d736f4f4c446f634e657744657374727563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f63616c446f63756d656e74496e666f557073656c6c4576656e745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f63616c446f63756d656e74496e666f466c796f757444726f707065645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2248616e646c65417574684661696c7572655f5573654578697374696e6743726564735f47656e657269634661696c7572655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f4f4c446f6342617365476574504b4d436c69656e7445785c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f536572766572496e666f476574536572766572496e666f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745265636f766572794872476574447270436f72655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745265636f766572794d736f4872426567696e4d6f646966794472705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225469746c654261725361766555694d616e616765725772697465537461747573546f5469746c654261725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f6164437369446c6c466f72436c69636b3252756e456e7669726f6e6d656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2249735365727665724361636865645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d616e75616c5361766555736167655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2246696c6553746f72655c22203a207b205c224576656e74735c22203a207b205c22465344436f7272757074696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2247617262616765436f6c6c656374696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c225a65726f4279746546696c6555706c6f6164417474656d707465645c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d2c205c2252756e74696d6550726f706572746965735c22203a207b205c224576656e74735c22203a207b205c22496e636f6d70617469626c6543736956657273696f6e44657465637465645c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d2c205c224f66666963655c22203a207b205c225375624e616d657370616365735c22203a207b205c2246696c65494f5c22203a207b205c225375624e616d657370616365735c22203a207b205c224353495c22203a207b205c225375624e616d657370616365735c22203a207b205c2253746f726167655c22203a207b205c224576656e74735c22203a207b205c2243616368654f707469637356325c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d207d207d2c205c224d6f6373695c22203a207b205c224576656e74735c22203a207b205c22557064617465486f73745469705c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4772617068696373222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22415243457863657074696f6e53636f70655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2245326f5669657752656e646572506572666f726d616e636541637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224172745669657756616c69646174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f6669745368617065546f54657874436d645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546f704c6576656c456666656374447261775c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224372656174654269746d617046726f6d506c6174666f726d4269746d61705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e6b496e70757453757266616365426173655570646174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250617468576964656e657246576964656e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250617468576964656e657246576964656e53696d706c65506174685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224776697a536d61727441727450726f7065727469657354656c656d657472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243726561746544657669636544334431305c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22537065637472655472616e73636f646541637469766974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22496e73657274496e646976696475616c4d6f64656c334441637469766974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61646564496d61676550726f706572746965735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22496e736572744d6f64656c334441637469766974795c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22537065637472654372656174655363656e6541637469766974795c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224d6f64656c334452656e64657241637469766974795c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4964656e74697479222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22456e7375726550726f7669646572496e697465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574506572736f6e50726f66696c6553657475705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224964656e74697479536e617073686f745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657450726f7669646572466f7241757468536368656d655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472794964656e74697479506172656e744d617463685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22526f616d696e6750726f7879496e69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536861726564437265645265667265736846726f6d53746f72655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22526561644f6e6546726f6d43726564656e7469616c4c6973745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22435265616453796e635461736b52756e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f6d61696e4a6f696e65644f72436c6f7564446f6d61696e4a6f696e656453657373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744164616c416363657373546f6b656e46726f6d4372656450726f76696465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574536572766963655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574436f6e666967546f6b656e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574426c6f636b696e67536572766963655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22506f70756c617465536572766963654d61705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657441757468656e74696361746564536572766963655469636b65745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22526566726573684964656e7469746965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765745365727669636555726c466f7246656465726174696f6e50726f7669646572416e616c797369735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225365727669636555726c5374617475735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2241637175697265536572766963655469636b6574466f724144414c5c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c2253697465735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e496e736967687473222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c22496e73696768747350616e655c22203a207b205c224576656e74735c22203a207b205c22415c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22445c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2248746d6c5072656665746368526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22535c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436163686546696c654e6f7456616c69645c22203a207b205c224576656e74466c61675c22203a20323536207d207d2c205c225375624e616d657370616365735c22203a207b205c224f66666963655c22203a207b205c224576656e74735c22203a207b205c2253797374656d616c69645c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22496e7369676874735c22203a207b205c224576656e74735c22203a207b205c22496e73696768747350616e655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e73696768747350616e65305c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e73696768747350616e65725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253797374656d5c22203a207b205c224576656e74735c22203a207b205c224163746976697479715c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224163746976697479735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d2c205c22536d6172744c6f6f6b75705c22203a207b205c224576656e74735c22203a207b205c22415c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f7079466561747572654761746573315c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f7079466561747572654761746573325c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573315c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657446656174757265476174657331305c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657446656174757265476174657331315c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657446656174757265476174657331325c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657446656174757265476174657331335c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657446656174757265476174657331355c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573325c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573335c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573345c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573355c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573365c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573375c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573385c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574466561747572654761746573395c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22535c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2248746d6c5072656665746368526571756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225265667265736843616368656446696c65735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446f776e6c6f61645265736f757263655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2241757468656e7469636174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22526573756c7447726f7570546f52656e6465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253656e64576562536f636b6574526571756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22576562536f636b657450696e67506f6e674c6174656e63795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446961676e6f737469635c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c2238564d65686c6c5c22203a207b205c225375624e616d657370616365735c22203a207b205c22356b69614b3747426b7a505746675c22203a207b205c224576656e74735c22203a207b205c22373139305c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c22385c22203a207b205c225375624e616d657370616365735c22203a207b205c227a424b387872415553554e52497859484e4b55415c22203a207b205c224576656e74735c22203a207b205c22393133335c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224f66666963655c22203a207b205c224576656e74735c22203a207b205c2253797374656d644d617463685c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22496e7369676874735c22203a207b205c224576656e74735c22203a207b205c22536d6172744c6f6f6b75705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536d6172744c6f6f6b75705f5f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536d6172744c6f6f6b75705f5f5f5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253797374656d5c22203a207b205c224576656e74735c22203a207b205c2241637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253797374656d68633863674f6a46515c22203a207b205c224576656e74735c22203a207b205c22383635335c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d2c205c22556952756e74696d655c22203a207b205c224576656e74735c22203a207b205c22437265617465576562536f636b65745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2250726f636573735265717565737451756575655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22496e74656e745365727669636550726f78794f6e436f6e6e656374696f6e436c6f7365645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f6e436f6e6e656374696f6e436c6f7365645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4c6963656e73696e67222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c224c6963656e73696e67427573626172416374696f6e5c22203a207b205c224576656e74466c61675c22203a203439343038207d2c205c22487244697370617463685375625461736b53746172745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253617665416c6c536b75696473546f52656769737472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2257616974546f52657472794865617274626561745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536561726368466f7253657373696f6e546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224e554c56616c69646174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2256616c69646174	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.6 = 3132207d2c205c224f666669636543686174436f6d6d616e64436f61757468696e6757697468416c6c4775657374734f724d697373696e67456d61696c456469746f72735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22476f546f4c6f636174696f6e416374696f6e487562416374696f6e4a756d70546f417574686f725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6175746847616c6c65727955736572557064617465417574686f724c6f636174696f6e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6175746847616c6c65727955736572557064617465456d61696c416e64436861745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6e7461637443617264416374696f6e487562416374696f6e53686f77436f6e74616374436172645c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6175746847616c6c657279557365724a756d70546f417574686f725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6175746847616c6c657279557365724f70656e53696e676c65466c796f75745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22456d61696c416374696f6e487562416374696f6e53656e64456d61696c5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224f666669636543686174436f6d6d616e6453657456616c75655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224d736f494d5365727669636573536642506861736531496d70726f76656d656e7473456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224368617443616c6c6f757455736572496e697455495c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d736f494d5365727669636573497357616343686174456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d736f494d536572766963657353664257616343686174456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d736f494d536572766963657353664357616343686174456e61626c65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617455494d6f64656c4f6e55494576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224368617443616c6c6f7574557365724f6e5061727469636970616e744c6973744368616e6765645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6175746847616c6c65727955736572437265617465416374696f6e4875624c69737446726f6d536e617073686f745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22436f6175746847616c6c65727955736572437265617465466c65784c69737446726f6d536e617073686f745c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22436f6c6c61625c22203a207b205c225375624e616d657370616365735c22203a207b205c22436f617574686f725c22203a207b205c225375624e616d657370616365735c22203a207b205c22436f617574686f72446f63756d656e7448656c7065725c22203a207b205c224576656e74735c22203a207b205c22547269676765725265747269657665446f63756d656e74436f617574686f72735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225265747269657665456469746f72735461626c654d616e616765725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225265747269657665527463557365725c22203a207b205c224576656e74466c61675c22203a20353132207d207d207d207d207d207d207d2c205c2241744d656e74696f6e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22446f63756d656e744163746976697479496e746567726174696f6e5c22203a207b205c224576656e74735c22203a207b205c224164645265636f7665726564416374697669746965735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2250726f6365737341744d656e74696f6e4e6f74696669636174696f6e734c6973745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22436f6d6d656e74734e6f74696669636174696f6e436f6c6c6563746f7252656d6f766564436f6d6d656e74735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2250726f63657373436f6d6d656e74734e6f74696669636174696f6e734c6973745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22536176654c6f67466f725265636f766572795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22437265617465446f63756d656e7441637469766974794c6f674d616e616765725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c657465436f6d6d656e7441637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22446973636172644c6f63616c416374697669746965735c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c6574655265706c7941637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2243726561746541744d656e74696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c65746541744d656e74696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c6574654d6f6465726e436f6d6d656e7441637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224372656174654d6f6465726e41744d656e74696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224f70656e4c6f6746726f6d5265636f766572795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2244656c6574654d6f6465726e5265706c7941637469766974795c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225064616c6d446f63756d656e7441637469766974794c6f674d616e616765725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22456e73757265446f63756d656e744163746976697479436170747572655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22456e737572654c6f67507265526571735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d6574726f4f70656e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243726561746555736572496e666f466f72417574686f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22437265617465556e69717565417574686f72566563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243726561746555736572496e666f46726f6d417574686f72566563746f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224973436c6f7564446f63756d656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225365745361766564507265526571735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224372656174655265766973696f6e53657441637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574436f6d6d656e74436f6e74656e744964656e7469666965725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f67436f6d6d656e744174747269627574696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472794372656174654c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536176654c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253657453617665645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224162616e646f6e4c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224372656174655461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225461736b4372656174696f6e41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22526561737369676e5461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656f70656e5461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6d706c6574655461736b41637469766974795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224465736b746f704261636b73746167655c22203a207b205c224576656e74735c22203a207b205c22536176654173526563656e74436c69636b65645c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2253617665417344656661756c745365727669636553656c656374696f6e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224f70656e526563656e74446f63756d656e747356696577436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f70656e526563656e74446f63756d656e7473566965775769746846656174757265456e61626c6564436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22424743616c634d616e6167657250726f6365737353657456616c75657350726f635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22424743616c6349646c655461736b46457865637574655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22506c6163657347726f757065724163636f756e74496e666f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657474696e67537461727465644d5255536c61624765744d72754461746554696d6547726f7570547970655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f70656e526563656e744c6f636174696f6e7356696577436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e617669676174696f6e5265616453697465526f6f74427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e617669676174696f6e52656164446f634c6962466f6c646572427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224f666669636553706163655c22203a207b205c225375624e616d657370616365735c22203a207b205c224465736b746f704261636b73746167654e617669676174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c617a794c6f616446696c6543616368655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224c6f616446726f6d46696c6543616368655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2253617665496e746f46696c6543616368655c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2252656164546869735043526f6f745c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c22526561644c6f63616c466f6c6465725c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c225265616453697465526f6f74427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c224765744974656d57656244617655726c5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2247657452656d6f74654974656d496e666f726d6174696f6e5c22203a207b205c224576656e74466c61675c22203a20353132207d2c205c2252656164446f634c6962466f6c646572427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22526561644d696772617465644f4443466f6c646572427956726f6f6d5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c22504358506572736f6e6150686f746f5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f757453706163655c22203a207b205c224576656e74735c22203a207b205c22557064617465506c616365735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224372656174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486964655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225365744d72754c697374466f72486f6d65506167655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c65616e75705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22536861726564576974684d65506f70756c6174654c6973745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174654d52554974656d735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f70656e4469736d6973735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e65774469736d6973735c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c224465736b746f704261636b73746167655c22203a207b205c224576656e74735c22203a207b205c224261636b73746167654469736d69737365645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f76657279436f6d7061726557697468556e736176656456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f7665727944656c657465556e736176656456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f766572794f70656e556e736176656456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224175746f5265636f76657279506f70756c617465556e736176656456657273696f6e4c6973745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e69744e65774e6176466f6c6465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224e6577536572766963654c6973745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c225368617265506f696e7453697465735c22203a207b205c224576656e74735c22203a207b205c2247726f75707353697465735265717565737449636f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e745369746573496e697469616c697a655369746573436f6c6c656374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e74536974657350726f63657373526573756c74466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465734964656e74697479436163686552657175657374526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465735265717565737453697465734361636865645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465735265717565737453697465734173796e6350726f63657373526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e7453697465735265717565737453697465734173796e635c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224372656174654c6f636174696f6e735c22203a207b205c224576656e74735c22203a207b205c2244656661756c744964656e74697479456d7074795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253686172696e674c6567616379436c69656e745c22203a207b205c224576656e74735c22203a207b205c22476574446174615c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22486f6d65506167655c22203a207b205c224576656e74735c22203a207b205c22506c6163654368616e6765536c6162436f6e646974696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e53686f77486f6d65506167655c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c225365617263685c22203a207b205c224576656e74735c22203a207b205c225365656e4279557365725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224f666669636553746172745c22203a207b205c224576656e74735c22203a207b205c22536574757054656d706c61746550726f706572746965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243757272656e745549416374697665506c6163654368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22547269676765725468756d626e61696c416374696f6e52756e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22446f63756d656e744e6f74696669636174696f6e735c22203a207b205c224576656e74735c22203a207b205c2252656769737465724f6e49646c65466561747572654761746544697361626c65645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d7275536572766963654170695c22203a207b205c225375624e616d657370616365735c22203a207b205c22446f63756d656e74735c22203a207b205c224576656e74735c22203a207b205c2252656164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225772697465526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e526571756573745375636365656465	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|12"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0 = 4d736f3a3a436865636b73756d52656769737472793a3a446174617c75696e7436345f747c333331343930303934303232393133383539303b456373436f6e666967526573706f6e7365446174617c7b202256657222203a2022696e7433325f747c30222c2022436f6e6649647322203a20227374643a3a77737472696e677c502d522d313039383135382d312d352c502d522d37363735372d312d322c502d522d35343930332d312d332c502d522d32363134362d372d31372c502d442d32393633352d312d312c502d442d32373038372d312d392c502d522d37393638382d312d332c502d522d35333533322d312d352c502d522d35313433362d312d362c502d522d35313432372d31382d31322c502d522d34303436342d31382d392c502d582d39383531382d362d392c502d522d33383339302d31382d32312c626c6f636b6564677261706869637361646170746572353a3437353839392c502d522d33353039392d322d342c502d522d36313430382d31382d332c502d522d35353734362d322d352c502d522d35333531322d312d342c502d522d34363937342d31382d31382c502d522d33383935332d312d31312c502d522d33363535312d31382d31382c502d522d37313431342d312d362c502d522d34303235332d362d31392c502d522d34303235342d362d31382c502d522d33353430312d362d372c502d522d33323130372d32322d32322c502d522d33393134362d31342d31352c502d522d33393134372d31342d32302c502d522d32383534362d362d31312c502d522d32383136352d362d32382c502d522d32343938302d382d34382c502d522d32343339302d352d31322c502d522d31383237392d322d36352c502d442d33343230302d342d352c502d522d35313134352d322d372c502d522d32393932382d322d32302c502d522d36373933322d312d342c502d522d36373230312d312d342c502d522d36343534352d312d342c502d522d36343033352d312d342c502d522d35333531352d31382d392c502d522d35333238302d312d362c502d522d35323234372d312d352c502d522d35313935382d312d352c502d522d35313834322d312d352c502d522d35313237372d322d362c502d522d34373435312d31382d32302c502d522d34353931392d31382d31392c502d522d34353038352d31382d31322c502d522d34313434322d31382d31382c502d522d33383038352d31322d392c502d522d31383734342d362d32322c502d442d33343233392d312d362c502d522d313033343136392d31302d372c502d452d32383637372d43312d332c502d522d35353132322d382d382c502d522d35303235352d31302d392c502d522d34343930372d312d392c502d522d34353331342d31302d31362c502d522d34343936352d43312d362c502d582d313234303832332d322d332c502d452d33383233312d43312d342c502d522d313234353636322d31362d342c502d522d39343536302d31342d31322c502d522d39343138392d31342d31332c502d522d39333838322d31342d32362c502d522d35343732382d31362d32332c502d522d35343639382d31362d31362c502d522d35343635382d31382d31392c502d522d33383330362d31382d332c502d522d33353731372d352d33302c502d522d33343031392d342d332c77696e333264657669636563616e61727963663a3534313438342c77696e333264657669636563616e61727963663a3534313438342c502d582d35333834352d312d392c502d582d35333737322d312d332c502d582d35313739302d312d332c502d522d313032353233322d32342d392c502d522d37313335382d312d342c502d522d37303934312d312d342c502d522d36393036352d312d332c502d522d36373136302d312d372c502d522d35393738312d312d342c502d522d35353633312d312d342c502d522d35343231352d312d342c502d522d35333735312d312d342c502d522d35333735322d312d342c502d522d35333532362d312d342c502d522d35323131302d312d342c502d522d34393736352d31352d33322c502d522d34383831382d31372d32352c502d522d35303637392d312d342c502d522d35303438362d31382d31322c502d522d34343833302d31382d31332c502d522d34393431362d342d31342c502d522d34383435372d322d362c502d522d34373937342d31362d31382c502d522d34363534342d31382d31312c502d522d34353630392d31342d362c502d522d34353139372d322d362c502d522d34343034362d31382d31312c502d522d34343031352d31382d32302c502d522d34333732332d322d362c502d522d34313734322d31382d33322c502d522d34303938302d31382d31362c502d522d34303335392d322d31302c502d522d33393032392d352d31382c502d522d33383833352d31382d34382c502d522d33373637362d31382d34362c502d522d33363331302d342d352c502d522d33353934352d31302d352c502d522d33353136352d322d372c502d522d33353134332d342d342c502d522d33333535332d342d362c502d522d33333533362d31322d31332c502d522d32393830392d312d372c502d522d32363936382d332d392c502d522d31383432352d382d36322c502d522d31383432362d352d33302c502d522d31383432342d342d33342c66697365723139303a3337373730342c686170707930333137323032302d313a36313937372c686170707930323036323032302d303a32383432382c502d522d35333534352d342d352c502d522d35303731312d31382d31312c502d522d34393733362d362d32322c502d522d34383436372d31382d31382c502d522d33323130362d372d33332c502d522d33303038352d312d392c502d522d32393133382d33382d38332c502d522d32393331352d33362d36392c502d522d32353030392d312d382c502d522d32343336332d312d31332c502d522d32313633312d31302d36342c502d522d31393839382d312d32322c502d522d31393831342d312d36322c502d522d31393031322d312d35372c502d582d313031353535342d322d352c502d582d35303232302d312d332c502d582d34393733302d312d332c502d522d36393334372d312d352c502d522d36343537342d312d342c502d522d35343131362d312d342c502d522d35333538352d31382d31382c502d522d35323539342d31382d352c502d522d35323338362d312d342c502d522d35303938302d322d342c502d522d35303933382d312d342c502d522d35303135322d31382d32302c502d522d34393137352d31382d32322c502d522d34373236302d31382d32332c502d522d34343135362d31382d32362c502d522d34333238342d31382d31392c502d522d34333238352d31322d32322c502d522d34323438322d312d342c502d522d34303939302d31322d31352c502d522d33393333332d31382d32382c502d522d33353433392d31322d32312c502d522d33333231352d31382d31392c502d522d33313335322d31322d32352c502d442d33343236392d322d352c6772736b6934353563663a3537383535342c67727573653438383a3537303335382c677269636f3430363a31393737372c502d522d34393833302d31382d31352c502d522d34303538362d31382d32372c502d522d33323939362d31382d32342c502d442d34303331362d392d352c502d522d35303432392d31382d382c502d522d36353239352d31382d33302c502d522d36313836312d312d342c502d522d36313733372d312d342c502d522d35313737372d31382d382c502d522d35303932302d312d362c502d522d35303336362d31382d31392c502d522d33353938352d31342d32332c502d522d33353839312d31382d352c502d522d33323030342d322d352c502d582d313237363530392d312d352c502d522d313238303432352d31332d31372c502d522d36383333362d322d342c502d522d36373238362d322d362c502d522d35313531332d322d342c69306437363937303a3539383638392c502d522d37393936332d312d322c502d522d35323034332d312d332c502d522d35313736342d312d342c502d522d34393338382d322d362c502d522d34383333352d342d31362c502d522d34373330382d332d392c502d522d34323339322d322d342c502d522d33393037332d312d352c502d522d313132333337362d31302d31322c502d522d313030393835352d31322d31342c502d522d39383835362d31382d34382c502d522d34333438392d33302d31352c502d522d33383431302d31322d32332c502d582d313239313234362d322d332c502d582d313031393538312d312d332c502d582d313030363137342d312d352c502d522d36363433362d312d342c502d522d36323837332d312d342c502d522d35313039372d312d352c502d522d35303730362d31382d372c502d522d35303035352d31382d372c502d522d34393331352d31382d352c502d522d34323636302d31382d33352c502d522d33363634392d382d392c63683337313137393a3630303339362c6f656d69633633393a3339373735332c6f65616c6c3834333a3337353838372c502d522d34323337392d322d332c502d522d34323337382d322d332c502d522d36363533392d312d342c502d522d36363533382d312d342c502d522d36353237382d312d342c502d522d36353237392d312d342c502d522d35393138302d312d342c502d522d34383037302d312d352c502d522d34373338362d312d342c502d522d35353334322d322d322c502d522d35333337372d322d362c502d522d35323438312d322d352c502d522d34393735392d322d382c502d522d34363130302d32302d392c502d522d33383531302d322d31302c502d522d33373535302d32302d31332c502d522d33323138362d32382d32392c502d522d35383133352d322d342c502d522d35363631382d312d332c502d522d35363032372d312d342c502d522d34363134352d31382d31382c502d522d33333839322d312d382c502d522d33333639362d312d352c502d522d35353734392d312d342c502d522d35333636322d312d342c502d522d35323234362d312d342c502d522d35323234352d312d342c502d522d35323233382d312d352c502d522d34333634342d362d31332c502d522d33393931322d312d322c502d522d33393238332d342d31302c502d522d35303338302d31382d31382c502d522d35303337392d31382d31372c502d522d36383134362d312d352c502d522d36333430392d312d352c502d522d35303534322d31382d31342c502d522d35303530302d31382d31362c502d522d34383336352d31382d32342c502d522d34383136312d31382d33322c502d522d34363539372d312d342c502d522d33333733372d312d342c502d452d32393636322d43312d332c502d522d32393330332d322d32302c502d522d35363635342d322d342c502d522d35313730332d312d352c502d522d35303133332d322d392c502d522d34373234322d31382d31312c502d522d34363431302d312d352c502d522d34353535302d31382d34362c502d522d34353439302d31362d392c502d522d34343838352d31382d32302c502d522d34323531322d312d332c502d522d34303136392d382d31332c502d522d33323134332d352d31382c502d522d33373331332d31382d32322c502d522d33363636342d342d342c502d522d33353437362d322d352c502d522d33353430372d342d332c502d522d33353233372d31342d31312c502d522d33353135302d322d342c502d522d33353132392d322d342c502d522d33353035362d342d352c502d522d33343838392d382d342c502d522d33343034342d322d342c502d522d33333731382d362d352c502d522d33333435392d312d352c502d522d33303239322d342d382c502d522d32383634342d312d342c502d522d32343033372d312d372c502d522d32333434352d332d372c502d522d32333433342d332d372c502d522d31383531332d312d33302c502d442d33343639392d342d342c502d442d33343639372d322d342c502d442d33343637352d312d342c502d442d33343637332d312d342c502d442d33343635342d312d342c502d442d33343538372d332d352c502d442d33343236362d312d342c502d442d33343236322d312d352c502d442d33343236302d312d352c502d442d33343235382d322d352c502d442d33323436352d312d352c502d442d33323435392d322d342c502d442d33323435382d352d342c502d582d313038333432372d322d352c502d522d36393532392d312d352c502d522d36353031312d312d332c502d522d35333632322d31382d342c502d522d35303534312d322d372c502d522d34393839332d32322d392c502d522d33363933322d322d31332c6a683861623434373a3338303633332c502d522d36393233322d31382d31332c502d522d32333638312d322d372c502d442d33323530322d322d332c502d442d33323530312d322d332c502d442d33323431352d322d332c502d522d36343531332d31382d31312c502d522d35313931362d38342d33312c502d522d32333734362d33322d34362c502d522d33383234382d32302d32362c502d522d313238363634322d312d332c502d522d313238303138362d312d332c502d522d313236373038342d322d362c502d522d313235383738342d332d352c502d522d313234353239362d342d362c502d522d313233363935332d342d362c502d522d313135373537302d322d342c502d522d313133323832312d322d342c502d522d313131393031332d312d332c502d522d313039383739362d312d332c502d522d313039343434352d312d332c502d522d313038303431322d312d332c502d522d313036393736392d322d342c502d522d313036383131352d312d332c502d522d313034353131382d322d342c502d522d32353236392d31342d32312c502d522d313034343430382d312d332c502d522d313034343134312d372d392c502d522d313033373838372d312d332c502d522d313033373837392d312d332c502d522d313033363239332d312d332c502d522d313033363239322d312d332c502d522d313033363238392d322d342c502d522d313033363238382d312d332c502d522d313033363036382d322d342c502d522d313033353933332d322d342c502d522d313033353134392d322d342c502d522d313033333831372d312d332c502d522d313032383136382d312d332c502d522d313030393731372d332d352c502d522d313030303036312d322d342c502d522d3131373534382d322d342c502d522d3131313638322d312d332c502d522d3130353733312d33362d33382c502d522d3130343433352d31332d31352c502d522d3130303239342d312d332c502d522d39393633332d312d332c502d522d39383932392d322d342c502d522d39383235302d312d332c502d522d39343239392d312d332c502d522d39333037372d312d332c502d522d38363131382d312d332c502d522d38303531372d372d392c502d522d37383131322d342d362c502d522d37373134302d322d342c502d522d37363931382d322d342c502d522d37363732312d312d332c502d522d37353434302d322d342c502d522d37333637362d312d332c502d522d37323434392d372d31302c502d522d37323033302d342d362c502d522d36383036392d322d342c502d522d36363937352d312d332c502d522d36353536372d312d332c502d522d36323231322d322d342c502d522d36303630322d332d352c502d522d35323633332d312d332c502d522d35323137312d322d342c502d522d35323031312d322d342c502d522d35313932312d382d31302c502d522d35313235382d382d31302c502d522d35303735322d322d342c502d522d35303638312d322d342c502d522d35303539392d342d362c502d522d35303539362d342d382c502d522d35303535332d312d332c502d522d34393539372d332d352c502d522d34393435382d322d342c502d522d34383533302d372d392c502d522d34373934382d312d342c502d522d34363538302d332d352c502d522d34363438342d31302d31322c502d522d34363132322d312d332c502d522d34353835382d322d342c502d522d34333936362d322d342c502d522d34333530322d31392d32312c502d522d34313433302d312d332c502d522d34303735312d382d31302c502d522d34303237332d342d362c502d522d33393233382d352d372c502d522d33383638322d332d352c502d522d33373538382d322d342c502d522d33343335352d382d31302c502d522d32363236362d342d392c502d522d32363833342d332d382c502d522d32343636322d31362d32322c502d522d32373437392d362d31312c502d522d32363035362d372d31352c502d522d32373030362d372d31322c502d522d33303333382d332d372c502d522d33303137382d37392d38312c502d522d33303035332d382d31302c502d522d32373435382d312d352c502d522d32353832322d31362d31392c502d522d32353038332d362d392c502d522d32343639302d34332d34372c502d522d32343638392d322d352c502d522d32343636362d322d352c502d522d32343636332d362d31312c502d522d32343635392d372d31302c502d522d32333734342d372d392c502d522d32333733392d372d392c502d522d32333733362d31342d31372c502d522d32333733342d372d392c502d522d32333733302d32312d32342c502d522d32333732332d31302d31322c502d442d33323538382d312d332c502d442d33323533342d312d332c502d442d33323532342d312d332c502d442d33323531382d312d332c502d442d33323531322d312d332c502d442d33323530392d312d332c502d442d33323438352d312d342c502d442d33323438342d312d342c502d442d33323430352d312d332c502d522d313038373134312d342d372c502d522d34393136302d31322d31322c502d522d34373630312d31382d31332c502d522d34363833342d31322d31342c502d522d34363230322d31382d31312c502d522d34343031382d31382d31332c502d522d34333335352d31382d31322c502d522d33353333372d31362d372c502d522d33333931362d312d352c502d522d33333538302d382d392c502d582d3131373430302d312d332c502d522d35393137352d31382d342c502d522d35333239322d31342d31302c502d522d34393133302d31382d32332c502d522d34363931332d31382d382c502d522d33373434392d31382d31352c75786d656469756d69636f6e6c756d696e616e63653a3335333435352c502d522d34383534392d31382d31312c502d522d31393236322d312d31322c502d452d34343737342d322d392c502d522d34343836392d31362d31362c502d522d33333931382d312d31312c502d522d313132383633302d312d372c502d522d313039383431322d312d352c502d522d313039313236372d312d35352c502d522d38313732302d312d322c502d522d35383430362d312d352c502d442d35303639372d322d342c502d442d32393731392d312d312c502d442d32393731382d312d312c502d442d32393539332d312d36222c2022434322203a20227374643a3a77737472696e677c4742222c2022446566436f6e667322203a20227374643a3a77737472696e677c6f6673683663326231746c61316133312c6f666372756934797664756c626633312c6f6668706578336a7a6e65706f6f3331222c202245787054696d6522203a2022696e7436345f747c3137333231303534	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|4"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|8"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.7 = 645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22506c616365735c22203a207b205c224576656e74735c22203a207b205c2252656164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225772697465526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e526571756573745375636365656465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224d736f53686172696e675c22203a207b205c224576656e74735c22203a207b205c22434d736f53686172696e675365727669636548656c706572456e64476574486f73744361706162696c69746965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572476574486f73744361706162696c69746965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e6447657455736572417474726962757465735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c70657247657455736572417474726962757465735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e644765744c696e6b735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c7065724765744c696e6b735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e645365744c696e6b735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c7065725365744c696e6b735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e644765745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c7065724765745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572456e645365745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c7065725365745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572436865636b5065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c70657247657453686172696e67496e666f726d6174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c706572426567696e5365745065726d697373696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434d736f53686172696e675365727669636548656c70657247657453686172696e6756657273696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f6465726e4261636b73746167655c22203a207b205c224576656e74735c22203a207b205c224261636b737461676550616765436f6e74726f6c55736572437265617465436f6e74726f6c557365725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224465736b746f704261636b73746167654e617669676174696f6e5c22203a207b205c224576656e74735c22203a207b205c224e617669676174696f6e5461736b496e766f6b655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225461736b496e766f6b654f6e52656164466f6c6465725c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224465736b746f7053686172696e675c22203a207b205c224576656e74735c22203a207b205c22436f6c6c616250616e6555736572536574436f6c6c616250616e654d6f64655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6c6c616250616e6555736572436c69636b53686172696e674c696e6b5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f6c6c616250616e6555736572497343757272656e74446f63456e746572707269736550726f7465637465645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22446f63756d656e7473536861726564576974684d655c22203a207b205c224576656e74735c22203a207b205c22446f63756d656e7473536861726564576974684d6552657175657374446f63756d656e7473536861726564576974684d654173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7473536861726564576974684d6552657175657374436163686564446f63756d656e7473536861726564576974684d655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7473536861726564576974684d654964656e74697479436163686552657175657374526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7473536861726564576974684d6552657175657374436163686564446f63756d656e7473466f724661696c757265735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22486973746f727955585c22203a207b205c224576656e74735c22203a207b205c224163746976697479506167654d616e6167657252656769737465725669736962696c697479436f6e74726f6c6c65725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224275734261724f70656e4c6f63616c56657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434163746976697469657341676772656761746f72496e69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434163746976697469657341676772656761746f7252657475726e4572726f725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243437369446f63756d656e74537461746545787465726e616c556e7265676973746572446f63756d656e744c697374656e65725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243486973746f727941637469766974696573466163746f727952656672657368416674657252656e616d655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436f62616c744163746976697469657346696c6556657273696f6e4c697374557064617465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243536f61704461746150726f7669646572496e69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616765436c6f73655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616765436f707956657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616765436f707956657273696f6e496e7465726e616c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f7279506167654372656174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616765526573746f726556657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f72795061676553656c65637456657273696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22486973746f727950616e654e6f6e436c69636b61626c654974656d53656c65637465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6f63616c41637469766974696573426567696e526566726573685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6666696365436f6c6c61624163746976697479436f6d6d616e644d534f446f63756d656e7450726f76696465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225368617265506f696e74436865636b4f757446696c65546f4c6f63616c466f6c6465725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546f67676c65486964655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546f67676c6553686f775c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225759574143616c6c6f757453686f7743616c6c6f75745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7365656e416374697669747943616c6c6f757450726573656e7443616c6c6f75745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7365656e41637469766974794765744c6173745669657754696d655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7365656e416374697669747946696e6443757272656e74557365724c6f67696e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7365656e416374697669747943616c6c6f7574436c69636b65645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253686f77536d616c6c53637265656e435759574143616c6c6f75745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d7275416461707465725c22203a207b205c224576656e74735c22203a207b205c224872416464446f63756d656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464506c6163655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464446f63756d656e74576974684f7074696f6e7357697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464506c616365576974684f7074696f6e7357697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464446f63756d656e745061746857697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464506c6163655061746857697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464446f63756d656e74496e6465785c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464506c616365496e6465785c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22487252656d6f7665506174685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224872416464576974684f7074696f6e7357697468436f6e746578745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22417070446f63735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e745c22203a207b205c225375624e616d657370616365735c22203a207b205c2241637469766174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6173744f70656e6564446f63756d656e744d657461646174615c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f6465726e446f6354656d706c617465536572766963655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225361766550726f6d707448656c7065725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e74436861745c22203a207b205c224576656e74735c22203a207b205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e6572436f6e6e65637465644576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e6572436f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e6572446973636f6e6e65637465644576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e6572446973636f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e65725265667265736850657273697374656e7453746174654173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e65725265667265736850657273697374656e7453746174654173796e63496e7465726e616c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e65725265667265736850657273697374656e7453746174654173796e6352657472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e657253746172745265616c74696d65436f6e6e656374696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e7443686174417661696c6162696c6974795274634c697374656e657253746f705265616c74696d65436f6e6e656374696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572436f6e6e65637465644576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572436f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572446973636f6e6e65637465644576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572446973636f6e6e656374696e674576656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572526562726f61646361737450657273697374656e7453746174655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572526562726f61646361737450657273697374656e745374617465496e7465726e616c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572526562726f61646361737450657273697374656e74537461746552657472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f6164636173746572526562726f61646361737450657273697374656e7453746174655265747279496e6e65724c6f6f705c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f61646361737465725265667265736850657273697374656e7453746174654173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f616463617374657253746172745265616c74696d65436f6e6e656374696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446f63756d656e744368617452746342726f616463617374657253746f705265616c74696d65436f6e6e656374696f6e4c697374656e696e675c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2253686172696e6755495c22203a207b205c225375624e616d657370616365735c22203a207b205c22436f6c6c616250616e65557365725c22203a207b205c224576656e74735c22203a207b205c22536861726550616e65436f6d706c657465446973706c61795c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253686172654469616c6f675c22203a207b205c224576656e74735c22203a207b205c224e61766967617465546f5765624469616c6f675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253656e6441734174746163686d656e745c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c224544505c22203a207b205c224576656e74735c22203a207b205c22506f6c6963794d657461646174615c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c225369746573536572766963654170695c22203a207b205c224576656e74735c22203a207b205c22526571756573744173796e635c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225265616446726f6d43616368655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d2c205c224576656e74735c22203a207b205c22536861726564436f6d6d656e74735f447261667443617264556e6d6f756e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224544502a5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22456e74657270726973654461746150726f74656374696f6e2a5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224d736f456e74657270726973654461746150726f74656374696f6e2a5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e44796e616d696343616e76	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|10"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.1 = 3539222c20224554616722203a20227374643a3a77737472696e677c5c226b5061487969454571377835384745666867494b41745a53586e4a41414759454d58514443693741474a553d5c22222c202246434d617022203a205b207b20224622203a20224d6963726f736f66742e4f66666963652e4163636573732e4669785468656d654368616e676551727952657061696e74222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4163636573732e4c696e6b65645461626c654d616e616765722e536561726368222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4163636573732e5175657279496d70726f76656d656e7473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4163636573732e5175657279496d70726f76656d656e74732e45434c4d756c746953656c656374222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e41697253706163652e436f6d62696e654261636b656e6444696d656e73696f6e436f6d6d616e6473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4175674c6f6f702e4c6963656e73654665617475726573456e61626c65644f72436865636b222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4175674c6f6f702e576f726b666c6f7744697361626c65642e5265706c6163654f626a656374576f726b666c6f77222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4358452e48696464656e466f6e74734d736f466f6e745069636b657257696e3332222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e43686172742e416c6c6f7753657456616c756573576974686f7574457863656c222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e43686172742e4368616e6765476174652e46436c6561724d6f6e696b6572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e43686172742e436f6c6c656374536861706550726f7073427567466978222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e43686172742e4d6170436861727459656c6c6f7744617461222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e43686172742e5069766f744368617274496e7665727446696c6c427567466978222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e43686172742e536c69646553686f7748696465546f6f6c74697073222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e436c69636b3252756e2e417070564d61785265747279436f756e74222c20225622203a2022696e7433325f747c313422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e436c69636b3252756e2e417070564d6178526574727954696d654c696d6974222c20225622203a2022696e7433325f747c363030303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e436c69636b3252756e2e417070565265747279496e74657276616c222c20225622203a2022696e7433325f747c3230303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e436c69636b3252756e2e5573655265666163746f72656453687574646f776e50726f636573736573222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e436c69636b3252756e2e5573655465616d734164646f6e222c20225622203a20227374643a3a77737472696e677c656e61626c656422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e436c69636b3252756e2e5573655465616d734f6e557064617465427573696e657373222c20225622203a20227374643a3a77737472696e677c656e61626c656422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e436c69636b3252756e2e5573655465616d734f6e55706461746550726f506c7573222c20225622203a20227374643a3a77737472696e677c656e61626c656422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e4164646974696f6e616c4461746154797065456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e426c6f636b466565646261636b457870657269656e636542617365644f6e5072697661637953657474696e6773222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e426c6f636b537572766579457870657269656e636542617365644f6e5072697661637953657474696e6773222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e436f686572656e6365457870657269656e6365456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e446961676e6f73746963735341532e55706c6f6164657254797065222c20225622203a2022696e7433325f747c3322207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e456e61626c65466565646261636b5632536368656d61222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e466565646261636b446973616d626967756174696f6e53637265656e222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e486f73746564466565646261636b5461736b50616e65222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e486f73746564537572766579456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e437573746f6d6572566f6963652e536173466565646261636b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446961676e6f73746963732e44697361626c654661737446696c746572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e414354522e5468726f74746c654361706163697479222c20225622203a2022696e7433325f747c313022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e414354522e5468726f74746c65496e74657276616c4d736563222c20225622203a2022696e7433325f747c3130303022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4261636b7374616765496e6170704e61765632456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4368616e6765476174652e4d6f6465726e436f6d6d656e74732e49735265706c7954696d657374616d704c6f6767696e67456e61626c6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4368616e6765476174652e4d6f6465726e436f6d6d656e74732e4a53476174652e4e657743617264426f7264657273222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4368616e6765476174652e4d6f6465726e436f6d6d656e74732e4a53476174652e50616e65546162466f6375734669786573222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4368616e6765476174652e4d6f6465726e436f6d6d656e74732e50726f636573734368616e676573496e766f6b65456c7365506f7374222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4368616e6765476174652e4d736f2e4f757453706163652e446570726563617465536574496d6167654173796e63222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4368616e6765476174652e4f666669636553746172742e466978466f7241444f33393032343239222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4368616e6765476174652e4f757453706163652e536861726564576974684d652e44697361626c65446f63756d656e74735265717565737449665573696e674167674d7275222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e436865636b41637469766974794c6f67546f456e61626c654d656e74696f6e73222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e456e61626c655369746573467269656e646c7950617468222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e486973746f72794c6567616379436c65616e7570456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e486973746f7279556e696f6e466978456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e486f6d65506167652e436f6c6c61707369626c65536c616273222c20225622203a2022696e7433325f747c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e496e4170704e61762e43726561746552656e616d6544656c657465222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4d736f2e4f666669636553746172742e466978466f7241444f333838363036375632222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e4f44656c74612e53747265616d4d6f6465222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e446f63732e576f7069222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e4361636865457870697279496e4d696e222c20225622203a2022696e7433325f747c37323022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e436f6e666967496444656c696d69746572496e4c6f67222c20225622203a20227374643a3a77737472696e677c3b22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e436f6e6669674c6f67546172676574222c20225622203a20227374643a3a77737472696e677c64656661756c7422207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e44697361626c65436f6e6669674c6f67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4543532e456e61626c65536d61727445546167222c20225622203a2022696e7433325f747c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e454353546573742e746573747661726961626c65222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e457863656c2e496e7369676874732e456e61626c65436f6d706c65785069766f745461626c65496e5069766f745461626c655265636f6d6d656e646572222c20225622203a20224d736f3a3a416e79547970657c75696e7431365f747c323b626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e457863656c2e496e7369676874732e456e61626c655069766f745461626c655265636f6d6d656e646572222c20225622203a20224d736f3a3a416e79547970657c75696e7431365f747c323b626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e457863656c2e496e7369676874732e5069766f745461626c655265636f6d6d656e64657252616e6b65725632222c20225622203a20224d736f3a3a416e79547970657c75696e7431365f747c323b626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e457863656c2e4e616d656453686565745669657750657273697374656e6365222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4578706572696d656e746174696f6e2e436f6e66696746657463684d616e61676572456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4578706572696d656e746174696f6e2e44796e616d6963447069222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4578706572696d656e746174696f6e2e457870466972737453657373696f6e5461736b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4578706572696d656e746174696f6e2e4665617475726551756572794c6f676765722e456e61626c655374617469634c6f6767696e67222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4578706572696d656e746174696f6e2e5472696d41707049644c697374546f4665746368222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e4578706572696d656e746174696f6e2e57696e333244657669636543616e617279222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4368616e6765476174652e416c7761797346616c6c6261636b466f7253796e634261636b6564222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4368616e6765476174652e44657072656361746546696c65536572766572496e666f54797065222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4368616e6765476174652e456e61626c654261636b67726f756e6455706c6f6164222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4368616e6765476174652e5573654e65774d736f446f6354656c656d65747279496e697450617468222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e436865636b5265766973696f6e53747265616d457175616c222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e436f6c6c616250726f7053746f726543616368655265736574436865636b6572222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e436f7079546f43616c6c6261636b456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4373694c696d6974656446616c6c6261636b546f486c696e6b222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e44534c49422e456e61626c654c6162656c73556e757365644f72436c6561726564436865636b222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e446570726563617465436865636b5374617274735769746846696c654e616d65457869737473222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e446973616d626967756174654373694e6574776f726b436f6e6e65637469766974794572726f72222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e446973636f52657472795374726174656779222c20225622203a2022696e7433325f747c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e446973636f5374726963744d6f6465456e61626c6564222c20225622203a2022626f6f6c7c3122207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e446f63732e4d736f2e4f757473706163652e496e6974436163686546726f6d464948222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e4472675570646174655265666572656e63657353796368726f6e6f7573222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e46696c65494f2e44796e616d6963467261676d656e7453697a65222c20225622203a2022626f6f6c7c3022207d2c207b20224622203a20224d6963726f736f66742e4f6666	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.11 = 6553657373696f6e546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243616e52756e4665617475726543616368655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22506572666f726d4c6963656e73696e674e6f74696669636174696f6e735c22203a207b205c224576656e74466c61675c22203a20323536207d207d2c205c225375624e616d657370616365735c22203a207b205c224c5655585c22203a207b205c224576656e74735c22203a207b205c224e6f456e7469746c656d656e74735c22203a207b205c224576656e74466c61675c22203a203439343038207d2c205c224e6f456e7469746c656d656e74734578706572696d656e74547269676765725c22203a207b205c224576656e74466c61675c22203a203439343038207d207d207d2c205c224f6666696365436c69656e744c6963656e73696e675c22203a207b205c224576656e74735c22203a207b205c224c6963656e7365436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6567616379416374697669747953756363657373436f756e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c656761637941637469766974794661696c757265436f756e745c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c69656e745c22203a207b205c224576656e74735c22203a207b205c224653686f756c6441637469766174655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224865617274626561745c22203a207b205c224576656e74735c22203a207b205c22577269746543616368655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225265616443616368655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c6f61644c6963656e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2246756c6c56616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c6f61644c6963656e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2250726f706572746965735c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22546f6b656e697a654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224272616e64696e675c22203a207b205c224576656e74735c22203a207b205c2247657441707056616c75655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657450726f6475637456616c75655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2253686f756c645573654d6963726f736f66743336354272616e64696e675c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2254656e616e745c22203a207b205c224576656e74735c22203a207b205c22496e697454656e616e7449645c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224e756c5c22203a207b205c225375624e616d657370616365735c22203a207b205c22466574636865725c22203a207b205c224576656e74735c22203a207b205c224765744e756c4f626a656374466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2246657463684d6f64656c46726f6d4f6c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224765744c6963656e73654665617475726573466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243726561746552657175657374426f64795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f64656c5c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574416c6c4c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446573657269616c697a655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225061727365526177526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243616e52756e46656174757265526573756c74735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224d6f64655c22203a207b205c224576656e74735c22203a207b205c224765744d6f64655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224170695c22203a207b205c224576656e74735c22203a207b205c22437265617465526571756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253656e64526571756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2252656365697665526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253746f726167655c22203a207b205c224576656e74735c22203a207b205c2247657453746f72616765506174685c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574556e766572696669656453746f72616765506174685c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2252656e616d6546696c65546f55736555706461746564486173685c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c696461746f725c22203a207b205c224576656e74735c22203a207b205c224d61746368696e67486172776172656449645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c22466c6f77735c22203a207b205c224576656e74735c22203a207b205c22536561726368466f72534341546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4d6f786965222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74466c61675c22203a203438383936207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f6666696365222c20225622203a20227374643a3a77737472696e677c7b205c224c6f636b65645c22203a2066616c73652c205c225375624e616d657370616365735c22203a207b205c224e61747572616c4c616e67756167655c22203a207b205c224c6f636b65645c22203a2066616c73652c205c225375624e616d657370616365735c22203a207b205c224372697469717565735c22203a207b205c224c6f636b65645c22203a2066616c73652c205c224576656e74735c22203a207b205c2250726f636573734175676c6f6f704372697469717565735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f636573734175676c6f6f7041646443726974697175655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f75746c6f6f6b222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224465736b746f705c22203a207b205c225375624e616d657370616365735c22203a207b205c2253796e635c22203a207b205c224576656e74735c22203a207b205c2253796e6350757267654f66666c696e654974656d735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2256696577735c22203a207b205c224576656e74735c22203a207b205c224872566965774c6f6164436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22566965774d6f64655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e506572666f726d616e6365222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c22506572665363656e6172696f5c22203a207b205c224576656e74735c22203a207b205c2253636f70655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e506572736f6e616c697a6174696f6e222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2246696c65496e736967687443616368654d616e616765725c22203a207b205c224576656e74735c22203a207b205c2250757267654578706972656443616368655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225369676e616c50726f636573736f725c22203a207b205c224576656e74735c22203a207b205c2253656e645369676e616c5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e50726f6772616d6d6162696c697479222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2254656c656d657472795c22203a207b205c224576656e74735c22203a207b205c22446e61416464496e4c6f6164586c6c46696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f616445787465726e616c446c6c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f6164446e6146696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e43726173685c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22416464696e735c22203a207b205c224576656e74735c22203a207b205c22417070416464496e4c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22417070416464496e55736167655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e446f634c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e7465726e616c536574436f6e6e6563745c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e5365637572697479222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c22506f6c696379546970735c22203a207b205c224576656e74735c22203a207b205c224d616e61676572436f6e74696e7565436c617373696669636174696f6e436c6173736966794368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c617373696669636174696f6e436c6173736966794368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22436c705c22203a207b205c224576656e74735c22203a207b205c224c6162656c55736167655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f7574636f6d6555736167655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f66666963654a534765744c6162656c44657461696c735c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c70506f6c696379466574636843616c6c4261636b537563636573735c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224d616e6461746f72794c6162656c6c696e674469616c6f675c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f626a6563744d6f64656c4765744c6162656c5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f626a6563744d6f64656c5365744c6162656c5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f626a6563744d6f64656c506f6c696379436f6d706c657465496e697469616c697a655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253656c6563744a757374696669636174696f6e4f7074696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253656e7369746976697479466c796f7574416e63686f72547261636b416e645265766f6b65427574746f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c225265676973746572446f63756d656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c70506f6c69637946657463685c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c70506f6c696379466574636843616c6c4261636b4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224372656174654c6963656e736546726f6d53657269616c697a65644c6963656e73655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2250726f74656374696f6e53657269616c697a654c6963656e73655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2246657463684c6162656c7346726f6d5365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657444656661756c744c6162656c49445c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744c6162656c735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744f7574636f6d6573466f724c6162656c4368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f6365737341756469744f6e506f6c6963794d617463685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f6365737341756469744f6e5265706c79466f72776172645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f6365737341756469744f70656e48656c7065725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744175646974496e666f506f6c6963794d617463685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744175646974496e666f4c6162656c416374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744175646974496e666f46696c65416374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6162656c696e67457870657269656e63655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224164644c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656d6f76654c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c705c22203a207b205c224576656e74735c22203a207b205c22446b6550726f746563746564436f6e74656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d207d207d2c205c224d6163726f5c22203a207b205c224576656e74735c22203a207b205c22426c6f636b4d6163726f46726f6d496e7465726e6574506f6c69637953657474696e675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e636f756e74657265645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e61626c65645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2246696c65426c6f636b5c22203a207b205c224576656e74735c22203a207b205c2246696c65426c6f636b496e666f726d6174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224f43585c22203a207b205c224576656e74735c22203a207b205c2254727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224e6f6e54727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22416363657373456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22426c6f636b6564657874656e73696f6e735c22203a207b205c224576656e74735c22203a207b205c2246696c65457874656e73696f6e4c69737446726f6d536572766963655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22536563757265526561646572486f73745c22203a207b205c224576656e74735c22203a207b205c224f70656e496e4f53525c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d2c205c	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.9 = 5c22436163686553657269616c697a65546f53747265616d5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224361636865536f6c7574696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22457773526566726573685c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2245786563757465416374696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2246616c6c6261636b546f46697273744c6976654964496e4f454d5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2246616c6c6261636b546f46697273744c6976654964496e526962626f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2246657463684361636865536f6c7574696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22496e7374616c6c4d616e696665737452656164795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d696e43616368655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224d69734d61746368696e67526962626f6e4964656e74697479496e666f5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225072657061726553686f775461736b70616e6556325c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2252656d6f766546726f6d526962626f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253686f775465616368696e6743616c6c6f75745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225461736b70616e65417070436d64496e7374616c6c6174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2255585c22203a207b205c224576656e74735c22203a207b205c224c61756e63684f6d657853534f436f6e73656e744469616c6f675c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416761766555784d696e6f72426c6f636b65645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2241707044656c6574656446726f6d446f63756d656e745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224469616c6f67436c6f7365645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224469616c6f674f70656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253686f77496e666f626172436f6e73656e74566965775c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253686f774c6f6164696e6753746174655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253686f775265616374566965775c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22416464696e50726566657463685c22203a207b205c224576656e74735c22203a207b205c22507265666574636849636f6e735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22507265666574636855726c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225072656c6f61644d616e69666573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253616e64626f78507265666574636855726c5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2241637469766174696f6e5c22203a207b205c224576656e74735c22203a207b205c224352656d6f74657250726f78795c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253696e676c655369676e4f6e5c22203a207b205c224576656e74735c22203a207b205c22446973706c617953534f436f6e73656e7450616765466f7241706943616c6c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224578656375746547657453534f546f6b656e496e7465726e616c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247657441757468546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d2c205c224576656e74735c22203a207b205c224f445041637469766174696f6e466f7254616761353572735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f4450417070436f6d6d616e64735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22434f4d416464696e4f7065726174696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f4450417070436f6d6d616e647343616368655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450417070436f6d6d616e6473496e7374616c6c54696d655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450417070436f6d6d616e6473526962626f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224557534c69626c657443616c6c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e67436865636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e67446f63756d656e744f70656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e67446f63756d656e7453686f77547275737455495c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446565704c696e6b696e675472757374526573756c745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224577734c6173745570646174655374617475734974656d436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224577734c6173745570646174655374617475734974656d53686f776e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247656e314163746976697479416767726567617465644261736553756272756c655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247656e314163746976697479416767726567617465644661696c757265436f756e745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2247656e3141637469766974794167677265676174656453756363657373436f756e74576974685461675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f44504170704d616e6167656d656e744d656e755c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450496e73657274696f6e4469616c6f675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f445050617273654e65774d616e69666573744572726f725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f44505265636f6d6d656e64656447616c6c657279436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f4450526962626f6e427269646765526962626f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f445053616e64626f7841637469766174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f45504d616e696665737450617273696e675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22526962626f6e427574746f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253746f7265557365725374617475735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253746f7265557365725374617475734572726f725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224f445041637469766174696f6e466f7254616761353572715c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224f44504c6174656e63795c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e466565646261636b222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c2253617665526573706f6e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e46696c65494f222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224353495c22203a207b205c224576656e74735c22203a207b205c225265717565737441646170746572556e657870656374656443616c6c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416d49416c6f6e6550726f63657373526573706f6e73655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472616e73616374656453747265616d446174615570646174655472616e73616374696f6e436f6d6d69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225472616e73616374656453747265616d446174614d657267655472616e73616374696f6e436f6d6d69745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224343616368656446696c655363686564756c6546696c6555706c6f6164526571756573745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243656c6c53746f726167654f6e426c6f624865617052657175657374526573756c745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243656c6c53746f726167654f6e426c6f624865617052657175657374526573756c74434d555c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224f6e49734f6e6c79436c69656e7452657175657374436f6d706c6574655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22437369446176436c69656e7453656e64526571756573745374617475735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22476574446f63756d656e7446726f6d55726c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224343616368656446696c654373694c6f616446696c655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224343616368656446696c654373695361766546696c655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22446f63756d656e74466163746f72794372656174654e6577446f63756d656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22446f63756d656e7452656e616d655375626d6974576f726b4974656d5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22464d617050617468735c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22476574536861726555726c466f72436f6e7461696e65724173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22476574536861726555726c466f7246696c654173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22476574576f706955726c46726f6d46696c654964656e7469666965724173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2249446f63756d656e7447657456657273696f6e4c6973745c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2249446f63756d656e74526573746f72654173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224973446f776e6c6f616465644261736556616c69644e6f48617368436865636b5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253796e634261636b65645265636f6e63696c65725472795265636f6e63696c65546f4c6174657374416674657256657273696f6e4e6f74466f756e645c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253796e634261636b65645265636f6e63696c65725472616e736974696f6e4f6e6c696e655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2254727944657374726f794f666669636546696c6543616368655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22576f706942726f77736542726f777365546f436f6e7461696e65724173796e635c22203a207b205c224576656e74466c61675c22203a203438383936207d207d2c205c225375624e616d657370616365735c22203a207b205c2253746f726167655c22203a207b205c224576656e74735c22203a207b205c2243616368654f70746963735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f7074696373446f776e6c6f61644572726f72446973747269627574696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f7074696373446f776e6c6f61644572726f72446973747269627574696f6e7337446179735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f70746963734572726f72735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637346696c6553746f726546696c6553697a65446973747269627574696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637355706c6f61644572726f72446973747269627574696f6e735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637355706c6f61644572726f72446973747269627574696f6e7337446179735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f7074696373576f726b696e67436f707946696c6553697a65446973747269627574696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656d6f766546696c65456e7472795c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2243616368654f707469637350657246696c655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253746172744f666669636546696c6543616368655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d2c205c225375624e616d657370616365735c22203a207b205c2243656e7472616c5461626c655c22203a207b205c224576656e74735c22203a207b205c22436865636b536368656d6156657273696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c65617243616368655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22437265617465446174616261736546696c655573696e6754656d706c6174655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2243726561746544617461536f757263654661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2244617461736f757263654f70656e4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2246696c65436163686550726f70657274696573526f774e6f74466f756e645c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224d69677261746546696c654e616d6546726f6d496e695c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22526f77736574556e6b6e6f776e4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22536368656d61557067726164655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d2c205c224661756c744d616e6167656d656e745c22203a207b205c224576656e74735c22203a207b205c224661756c745265636f766572795c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224661756c745265706f72745c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d207d207d207d207d2c205c2250726f746f636f6c5061727365725c22203a207b205c224576656e74735c22203a207b205c2250617273655572695c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7061636b55726c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496672496e697441726773576f72645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2248724c61756e636855726c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22464c6f6164436d644c696e65436f72655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2250726f746f636f6c48616e646c65725c22203a207b205c224576656e74735c22203a207b205c225472794f70656e696e674c6f7248797065724c696e6b496e4e6174697665436c69656e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f746f636f6c48616e646c65724d61696e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22556e7061636b4c696e6b5c22203a207b205c224576656e74735c22203a207b205c22556e7061636b4c696e6b5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7061636b4c696e6b4173796e635c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22556e7061636b4c696e6b5769746848696e745c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225254435c22203a207b205c224576656e74735c22203a207b205c2246696e6453657373696f6e456e64706f696e7452756e5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22446f63756d656e74536861726555726c5c22203a207b205c224576656e74735c22203a207b205c22556e7061636b536861	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|11"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Paul"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Paul - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Sie haben %1 als Standardstimme ausgewählt."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR fr-FR Locale Handler"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "既定の音声として%1を選びました"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR it-IT Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR ja-JP Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; message=NativeSupported; address=NativeSupported; media=NativeSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "5218064"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR en-US Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Ayumi"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Haruka"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "en-US"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\M1040Elsa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "11.0.2016.0129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "SR en-US Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech SW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe

Suspicious behavior: RenamesItself 6 IoCs

pid	Process
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe
2384	encoder.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	encoder.exe
Token: SeSecurityPrivilege	15092	wevtutil.exe
Token: SeBackupPrivilege	15092	wevtutil.exe
Token: SeSecurityPrivilege	2392	wevtutil.exe
Token: SeBackupPrivilege	2392	wevtutil.exe
Token: SeSecurityPrivilege	5872	wevtutil.exe
Token: SeBackupPrivilege	5872	wevtutil.exe
Token: SeSecurityPrivilege	12468	wevtutil.exe
Token: SeBackupPrivilege	12468	wevtutil.exe
Token: SeSecurityPrivilege	3220	wevtutil.exe
Token: SeBackupPrivilege	3220	wevtutil.exe
Token: SeSecurityPrivilege	17712	wevtutil.exe
Token: SeBackupPrivilege	17712	wevtutil.exe
Token: SeSecurityPrivilege	3396	wevtutil.exe
Token: SeBackupPrivilege	3396	wevtutil.exe
Token: SeSecurityPrivilege	1532	wevtutil.exe
Token: SeBackupPrivilege	1532	wevtutil.exe
Token: SeSecurityPrivilege	17344	wevtutil.exe
Token: SeBackupPrivilege	17344	wevtutil.exe
Token: SeSecurityPrivilege	4108	wevtutil.exe
Token: SeBackupPrivilege	4108	wevtutil.exe
Token: SeSecurityPrivilege	3356	wevtutil.exe
Token: SeBackupPrivilege	3356	wevtutil.exe
Token: SeSecurityPrivilege	1444	wevtutil.exe
Token: SeBackupPrivilege	1444	wevtutil.exe
Token: SeSecurityPrivilege	3648	wevtutil.exe
Token: SeBackupPrivilege	3648	wevtutil.exe
Token: SeSecurityPrivilege	6704	wevtutil.exe
Token: SeBackupPrivilege	6704	wevtutil.exe
Token: SeSecurityPrivilege	6696	wevtutil.exe
Token: SeBackupPrivilege	6696	wevtutil.exe
Token: SeSecurityPrivilege	13424	wevtutil.exe
Token: SeBackupPrivilege	13424	wevtutil.exe
Token: SeSecurityPrivilege	17296	wevtutil.exe
Token: SeBackupPrivilege	17296	wevtutil.exe
Token: SeSecurityPrivilege	6656	wevtutil.exe
Token: SeBackupPrivilege	6656	wevtutil.exe
Token: SeSecurityPrivilege	19516	wevtutil.exe
Token: SeBackupPrivilege	19516	wevtutil.exe
Token: SeSecurityPrivilege	6452	wevtutil.exe
Token: SeBackupPrivilege	6452	wevtutil.exe
Token: SeSecurityPrivilege	9624	wevtutil.exe
Token: SeBackupPrivilege	9624	wevtutil.exe
Token: SeSecurityPrivilege	15488	wevtutil.exe
Token: SeBackupPrivilege	15488	wevtutil.exe
Token: SeSecurityPrivilege	13176	wevtutil.exe
Token: SeBackupPrivilege	13176	wevtutil.exe
Token: SeSecurityPrivilege	19708	wevtutil.exe
Token: SeBackupPrivilege	19708	wevtutil.exe
Token: SeSecurityPrivilege	18144	wevtutil.exe
Token: SeBackupPrivilege	18144	wevtutil.exe
Token: SeSecurityPrivilege	14068	wevtutil.exe
Token: SeBackupPrivilege	14068	wevtutil.exe
Token: SeSecurityPrivilege	14056	wevtutil.exe
Token: SeBackupPrivilege	14056	wevtutil.exe
Token: SeSecurityPrivilege	6572	wevtutil.exe
Token: SeBackupPrivilege	6572	wevtutil.exe
Token: SeSecurityPrivilege	20284	wevtutil.exe
Token: SeBackupPrivilege	20284	wevtutil.exe
Token: SeSecurityPrivilege	12052	wevtutil.exe
Token: SeBackupPrivilege	12052	wevtutil.exe
Token: SeSecurityPrivilege	8280	wevtutil.exe
Token: SeBackupPrivilege	8280	wevtutil.exe
Token: SeSecurityPrivilege	12588	wevtutil.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2644	OfficeClickToRun.exe
1160	OfficeClickToRun.exe
16016	SearchApp.exe
19908	SearchApp.exe
9844	SearchApp.exe
9532	SearchApp.exe
11876	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4504	2384	encoder.exe	89
PID 2384 wrote to memory of 4504	2384	encoder.exe	89
PID 2384 wrote to memory of 4504	2384	encoder.exe	89
PID 2384 wrote to memory of 6876	2384	encoder.exe	116
PID 2384 wrote to memory of 6876	2384	encoder.exe	116
PID 2384 wrote to memory of 6876	2384	encoder.exe	116
PID 2384 wrote to memory of 13484	2384	encoder.exe	117
PID 2384 wrote to memory of 13484	2384	encoder.exe	117
PID 2384 wrote to memory of 13484	2384	encoder.exe	117
PID 13484 wrote to memory of 12556	13484	cmd.exe	119
PID 13484 wrote to memory of 12556	13484	cmd.exe	119
PID 13484 wrote to memory of 12556	13484	cmd.exe	119
PID 12556 wrote to memory of 15092	12556	cmd.exe	120
PID 12556 wrote to memory of 15092	12556	cmd.exe	120
PID 12556 wrote to memory of 15092	12556	cmd.exe	120
PID 13484 wrote to memory of 2392	13484	cmd.exe	121
PID 13484 wrote to memory of 2392	13484	cmd.exe	121
PID 13484 wrote to memory of 2392	13484	cmd.exe	121
PID 13484 wrote to memory of 5872	13484	cmd.exe	122
PID 13484 wrote to memory of 5872	13484	cmd.exe	122
PID 13484 wrote to memory of 5872	13484	cmd.exe	122
PID 13484 wrote to memory of 12468	13484	cmd.exe	692
PID 13484 wrote to memory of 12468	13484	cmd.exe	692
PID 13484 wrote to memory of 12468	13484	cmd.exe	692
PID 13484 wrote to memory of 3220	13484	cmd.exe	124
PID 13484 wrote to memory of 3220	13484	cmd.exe	124
PID 13484 wrote to memory of 3220	13484	cmd.exe	124
PID 13484 wrote to memory of 17712	13484	cmd.exe	125
PID 13484 wrote to memory of 17712	13484	cmd.exe	125
PID 13484 wrote to memory of 17712	13484	cmd.exe	125
PID 13484 wrote to memory of 3396	13484	cmd.exe	776
PID 13484 wrote to memory of 3396	13484	cmd.exe	776
PID 13484 wrote to memory of 3396	13484	cmd.exe	776
PID 13484 wrote to memory of 1532	13484	cmd.exe	850
PID 13484 wrote to memory of 1532	13484	cmd.exe	850
PID 13484 wrote to memory of 1532	13484	cmd.exe	850
PID 13484 wrote to memory of 17344	13484	cmd.exe	128
PID 13484 wrote to memory of 17344	13484	cmd.exe	128
PID 13484 wrote to memory of 17344	13484	cmd.exe	128
PID 13484 wrote to memory of 4108	13484	cmd.exe	129
PID 13484 wrote to memory of 4108	13484	cmd.exe	129
PID 13484 wrote to memory of 4108	13484	cmd.exe	129
PID 13484 wrote to memory of 3356	13484	cmd.exe	130
PID 13484 wrote to memory of 3356	13484	cmd.exe	130
PID 13484 wrote to memory of 3356	13484	cmd.exe	130
PID 13484 wrote to memory of 1444	13484	cmd.exe	774
PID 13484 wrote to memory of 1444	13484	cmd.exe	774
PID 13484 wrote to memory of 1444	13484	cmd.exe	774
PID 13484 wrote to memory of 3648	13484	cmd.exe	132
PID 13484 wrote to memory of 3648	13484	cmd.exe	132
PID 13484 wrote to memory of 3648	13484	cmd.exe	132
PID 13484 wrote to memory of 6704	13484	cmd.exe	700
PID 13484 wrote to memory of 6704	13484	cmd.exe	700
PID 13484 wrote to memory of 6704	13484	cmd.exe	700
PID 13484 wrote to memory of 6696	13484	cmd.exe	134
PID 13484 wrote to memory of 6696	13484	cmd.exe	134
PID 13484 wrote to memory of 6696	13484	cmd.exe	134
PID 13484 wrote to memory of 13232	13484	cmd.exe	135
PID 13484 wrote to memory of 13232	13484	cmd.exe	135
PID 13484 wrote to memory of 13232	13484	cmd.exe	135
PID 13484 wrote to memory of 13424	13484	cmd.exe	772
PID 13484 wrote to memory of 13424	13484	cmd.exe	772
PID 13484 wrote to memory of 13424	13484	cmd.exe	772
PID 13484 wrote to memory of 17296	13484	cmd.exe	771

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	encoder.exe

C:\Users\Admin\AppData\Local\Temp\encoder.exe
"C:\Users\Admin\AppData\Local\Temp\encoder.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all
  2⤵
  PID:4504
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\How To Restore Files.txt
  2⤵
  PID:6876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\cllog.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:13484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:12556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:15092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "AMSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:12468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:17712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:17344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    PID:13232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:13424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:17296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:19516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:9624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:15488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:13176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationFrameServer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:19708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:18144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:14068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:14056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:20284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:12052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMP4"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:12588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:9592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:7908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:9580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:14976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:10156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:12188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:19844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:11948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:8804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:15820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:10616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:19824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:15504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:10732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:18328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:19412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:14064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:13672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:8112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:9160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:19088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:17352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:17392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:20436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    - Clears Windows event logs
    PID:12108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:13728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:9548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:8716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:11640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:14716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:13064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:19280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:10708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:9640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:14408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:14340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:12768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:15368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:10600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:10808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:17428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:9684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:8284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:12724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:10056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:7304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:9132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:9696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:6328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:19464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:19064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:19068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:19108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:20236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:18880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:19268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:19136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    - Clears Windows event logs
    PID:8484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:10624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:13916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:9680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    - Clears Windows event logs
    PID:13012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:13060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:19388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:13892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:19380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    - Clears Windows event logs
    PID:12816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:16060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:16024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:14160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:14128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:13980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:14044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:13368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    - Clears Windows event logs
    PID:5888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:9224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:12856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:13948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:20124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:20092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:12676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:12612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:12812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:12544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:13944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:14224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:14324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:14328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:6904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:13284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:19428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:11516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:10076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:15068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:15108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:7464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:8488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:8812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:9576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:12956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:19056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:7432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:15144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:8528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:10716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:14804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:14952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:14868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:14748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:14608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:14548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    - Clears Windows event logs
    PID:14480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:7364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:19160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:7636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:7368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:10556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:15200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:16936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    - Clears Windows event logs
    PID:14768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:7240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:20052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:19536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    - Clears Windows event logs
    PID:11552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:18768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:19168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:14120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:20156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:19276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:9560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:15132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:10116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:8172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:16532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:11668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:13556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:8220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:8268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:15576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:8544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:8136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:12984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:13888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:20364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:8704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:8968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:12524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:15056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:7476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:7728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:7604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:18676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:19132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:7036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:12260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    - Clears Windows event logs
    PID:19360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:15192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:8700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:14132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:9940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:17108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:20272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    - Clears Windows event logs
    PID:448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:17440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:8808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:9484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:15388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:15544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:15524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:15612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:15788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:15464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    PID:15480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:17036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:8620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:11416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:19568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:11496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:13156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:11428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:15856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:10784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:15288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:11664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:10760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:11576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:7668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:13020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:11452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    - Clears Windows event logs
    PID:10576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:8752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:19036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:9552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:16184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:12640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:15768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:8912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:15404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:8960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:8864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    PID:15396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:8644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:11192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:20184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:19652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:16064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:9488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:11032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:13204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:13644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:14308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:6584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:12504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:14452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:14912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:15432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:14736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
    3⤵
    PID:8636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:16408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:10284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:16200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:16032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:16268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:8408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:15408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:14832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:16208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:9804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:6460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:11476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:17596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:10780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:8516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:11896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:8944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:14536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:11484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:15072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:14732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    PID:12932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:14028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    - Clears Windows event logs
    PID:14724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:7616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:15944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:16168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:16232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:16248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:8228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    PID:8560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:16424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:9960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:9376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:11596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:17004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    PID:9496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:20224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:15776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:9664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:16004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:9420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:19772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:19032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:19104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:14276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:8652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    PID:7316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:19480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:14740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:14576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:8080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:20444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:19828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:6916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:15748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:16100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:10312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:9772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:9512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:10040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:8836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:9876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:19948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:10540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:19936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:20296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:8340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    PID:11960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:18556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:15784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    - Clears Windows event logs
    PID:16848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:16292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:17496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:16844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    PID:11756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:15308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:17248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:11708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:11432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:7792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:16348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:11972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:19372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:11992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:14252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:18760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:6760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:19944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:19952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:6180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:18416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:7488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:16072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    PID:15028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:16520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:10900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:7584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:6552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:10964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:20128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:11548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:12272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:8200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    PID:6352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:7648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:11372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:10848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:20424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:10200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
    3⤵
    PID:7812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:10844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
    3⤵
    PID:19920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:19732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:7752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:17068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:7848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:12124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:15780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:13664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:8452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:15364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    - Clears Windows event logs
    PID:15816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:7404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:13624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:8876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:10864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:9928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:7444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:16104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:16548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:15440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:10420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:10376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:12624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:10596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:12924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:7820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:17508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:17628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:17568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:10048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:10176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:17464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:17484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:12316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:7468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:19196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:9672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:12492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:15212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    PID:17076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:6640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    - Clears Windows event logs
    PID:5824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:14628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    - Clears Windows event logs
    PID:18168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:11348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:14332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:11684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:10084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:12468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:10896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:15256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:9980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:14124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:13116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:14580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:18440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    - Clears Windows event logs
    PID:12700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:17384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:7132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:16432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:19348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:12812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:14052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
    3⤵
    PID:13828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
    3⤵
    PID:9640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    PID:10680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    PID:20084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
    3⤵
    PID:7080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
    3⤵
    PID:8936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:18384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    - System Time Discovery
    PID:18916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:17296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
    3⤵
    PID:13076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
    3⤵
    PID:17804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
    3⤵
    PID:12328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
    3⤵
    PID:14044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:19432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
    3⤵
    PID:19616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:9920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
    3⤵
    PID:11176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
    3⤵
    PID:19996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:12636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:12488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:9288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:12036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
    3⤵
    PID:20192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:13036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:7020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:19312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:19100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
    3⤵
    PID:19392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:16640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:19136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
    3⤵
    PID:6256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:19368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:15236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
    3⤵
    PID:14556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
    3⤵
    PID:19080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
    3⤵
    PID:15940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
    3⤵
    PID:14816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
    3⤵
    PID:14648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
    3⤵
    PID:12692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
    3⤵
    PID:15068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
    3⤵
    PID:10584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
    3⤵
    PID:17380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
    3⤵
    PID:20288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
    3⤵
    PID:18100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
    3⤵
    PID:14884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:14608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:14380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:12808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:7736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
    3⤵
    PID:15272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:16936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
    3⤵
    PID:7976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:9860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:12604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
    3⤵
    PID:19336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:12140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:10676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
    3⤵
    PID:8112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
    3⤵
    PID:12148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:18372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
    3⤵
    PID:9576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
    3⤵
    PID:15248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:14196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:16756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
    3⤵
    PID:13716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:7288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
    3⤵
    PID:12324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    PID:14348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
    3⤵
    PID:17056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:12668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
    3⤵
    PID:15592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:16648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:6708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:19576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:16568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
    3⤵
    PID:12640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
    3⤵
    PID:8964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
    3⤵
    PID:13084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    PID:16068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
    3⤵
    - Clears Windows event logs
    PID:18764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
    3⤵
    PID:17360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:20184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:10484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:9412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:15688
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:9060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
    3⤵
    - Clears Windows event logs
    PID:7604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:16560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:5808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:18804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:15056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:6312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
    3⤵
    PID:15252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
    3⤵
    PID:7440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
    3⤵
    PID:7600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
    3⤵
    PID:7624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
    3⤵
    PID:11500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
    3⤵
    PID:7344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:19536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:13156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    - Clears Windows event logs
    PID:5176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:9084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:11864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:17320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:20212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
    3⤵
    PID:14808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
    3⤵
    PID:20156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
    3⤵
    PID:18188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
    3⤵
    PID:15012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
    3⤵
    PID:15480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    PID:9048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
    3⤵
    PID:8220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
    3⤵
    PID:17348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
    3⤵
    PID:11460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:14636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
    3⤵
    - Clears Windows event logs
    PID:14232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
    3⤵
    PID:8124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
    3⤵
    PID:16296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    PID:16084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:16248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
    3⤵
    PID:6372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
    3⤵
    PID:18012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:20224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
    3⤵
    PID:10020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
    3⤵
    PID:8944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
    3⤵
    PID:16556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
    3⤵
    PID:19104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:14744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
    3⤵
    PID:9872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:9108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:10912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:12020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
    3⤵
    PID:20036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:20204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:19796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
    3⤵
    PID:16092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
    3⤵
    PID:16148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
    3⤵
    PID:10040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
    3⤵
    PID:19816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
    3⤵
    PID:11912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
    3⤵
    PID:15612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
    3⤵
    PID:9524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
    3⤵
    PID:16224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
    3⤵
    PID:16848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:16292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    PID:540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
    3⤵
    PID:15324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
    3⤵
    PID:12264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    PID:11432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\cllog.bat" "
  2⤵
  PID:11420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:18652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      System Location Discovery: System Language Discovery
      PID:12396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "AMSI/Debug"
    3⤵
    PID:13436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    PID:18396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:14416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    PID:16128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:9676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:13352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:13236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    PID:18132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    PID:18164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:8400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    PID:9564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    PID:16836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    PID:13568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    PID:18784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    PID:7416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Clears Windows event logs
    PID:5780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:20452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
    3⤵
    - Clears Windows event logs
    PID:17288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    PID:3964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationFrameServer"
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    PID:8272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    PID:14036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    PID:20284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    PID:9580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:18856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMP4"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    PID:16500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:12936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:14264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:9452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:12632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:12540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:12676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:20124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:20068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:12900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:10000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:16024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:12188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:13132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:10120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:9704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:14340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:8300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:14408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:19156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:12076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:12208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:9824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:9136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:13424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:15512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:11944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:13892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:11644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:9132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:10056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:12596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:11108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:12816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:13408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:17764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:15980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:6752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:13284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:6904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:12840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:19140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:17364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:19460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:19472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:13760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:15168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:14928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:7332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:11560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:14784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:10696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:11516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:20408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:19700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:8476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:14516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:14860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:9028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:16160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:14776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:14484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:7484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:19152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    - Clears Windows event logs
    PID:7572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:7264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:17064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:14612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:14508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:7684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:12652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:9976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    - Clears Windows event logs
    PID:456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:9160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:18232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:8248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:10624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:19028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    - Clears Windows event logs
    PID:8552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:17936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:16888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:10232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:12232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:16448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:7296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:12320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:13316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:14168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:17100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:15156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:19444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:15388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:11452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:15840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:9552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:10792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:19036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:15084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:10296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:9832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:16600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:10976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:18648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:7128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:15744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:8756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:12984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:13488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:19632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:8172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:16680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:15232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:15528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:9488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:7832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:20400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:9380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:17028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:17656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:10744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:13604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    PID:12048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:9880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:11576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:10724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:8692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:14292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:18444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:11104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:9728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:6584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:17036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:12340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:12776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:14212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:8516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:12932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:6624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:11896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:7616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:16164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:16136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:15896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:8572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:17004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:16168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:16804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:7720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:19232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:14276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:18932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:19480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    - Clears Windows event logs
    PID:9008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:13124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:15456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:17376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:13872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:14892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:17120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:18500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:8040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:11532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    - Clears Windows event logs
    PID:8804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:16216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:9188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:18892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:11880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:15380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:17536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:11916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:16116

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:16016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:19908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9844

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:11876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini

Filesize
1KB

MD5
295052ada9176801c1f1d81d387f4992

SHA1
95c3d6ebbb929d21749454de8ddc4365dfefcc34

SHA256
c39a33a6061a0871cddeac67d07aeda977b2b795aca31c5e0e48ff7a4a127e37

SHA512
5585c055d93fde2cf65227398d76471c895634e04e8483575b30d5117d1646030dab2798e8a4a4881e3d462ea61a5fe7b3428b5c7d3352effd1e46199abe9da9

Download Submit
C:\Program Files (x86)\How To Restore Files.txt

Filesize
493B

MD5
d9ff104f1d8ddafcb02e65bc0f689979

SHA1
6b1829c0ec28214e170fda7669a63ba210fcefe5

SHA256
f24f3ca02b8cdfb2f545ee1789f9a2319879c51878bffa857afe0024f2fae7ca

SHA512
98e19961b1c9c4c7de9ea254635045dd68ba3785af3c50d5ccd232ef553b92df66a60ad697ed8da1d260a89987a39d187c39cbb67e27a9c66e93b2770ee70bc3

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
0e218bdbede02d9b4f71ff0a38eab850

SHA1
de04409d9c801d5a7bbcd755c881974d73955cbb

SHA256
290dd3ac2162ca3a455187f1cb2532bfb817e6c64b40b8dc7c08e0df08ce7687

SHA512
fa3a9b98d910880ff38e079bb51fb1fc667444a756eff8644f290af534936c3cc35b8ed2b216a66ec2089ee94f25fe68cbcff2e6dbf80ae0f62b65f6f1ea6db6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres

Filesize
2KB

MD5
3fc4cb62571a1aadd402ea1b7e35b8f9

SHA1
7dd93466dbc262925f9118b928a28e449f42adbf

SHA256
5be3653af85df5beb3553793536155ed1eb6b68b27e37788a3225563d5617ca4

SHA512
e95ec9ac6f4f8f76a19893ea5e022a99c2ea3c8e9d0ef625424ed226cb46f1390ff1d2949388ebf0275abf226b615a7488e08f92672d2a38c7dc87ef77e92e9f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
9KB

MD5
763450f7c2741887d5a7589134e2d48c

SHA1
5a3defc6d15845e92be51ff65d2efd021f2be0c5

SHA256
90189c8871498abb8481921a1dcffd202e04a189b12e75a2db4df0c08106647c

SHA512
59bc3daa9f1019183d8a31358979bfced271473296d00339a2e57de57cdc7fd83794df70e54b1dd0f8fee3c9b631cb8675fe1df7f93b72554f089a41ef2886c4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1QK7O5FT\microsoft.windows[1].xml

Filesize
97B

MD5
119d5549058808834ec1c87b1cea7a4f

SHA1
63759e3d591f610563fe492380e8f7b40a3108d1

SHA256
e3d4d8cb80b0baf7216c3e3f1b002b6d73449ccd128935b0a88044a5b9a92db1

SHA512
8e7a67f6ecc1b4251a9c2118dfa04b1c1090acd46707d21896e9dd6bbf0c52d9f5874afea370f90b64239c72a2f075f73bbae7851acd8f261e097737337b1c20

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1QK7O5FT\microsoft.windows[1].xml

Filesize
97B

MD5
ae38241894974f85f2c700e1aa907462

SHA1
29502acc9780d1ff56f145f2f821a45ab1c56090

SHA256
bd3ef58a43198b9f15527c4a2bc148c63abe75a73f5152c2d8c1fe620846c696

SHA512
1e4263c0b43bfd2458560d8e9cdd7f2156957d48a62669043c524551d9c7ccdd5027eeef750bece7351103fc71496008946d52382993a5c877ae01a2f9787417

Download Submit
C:\windows\cllog.bat

Filesize
166B

MD5
c3322041ca54a67a1f3108f5c558ada5

SHA1
4a15fd1570ca2adf8c478f8a6baed5444d6c7d9d

SHA256
0c632d77298ee5c0dfd96ead16883ffb16c4efc36b2ba5bd5a72d1e7c6cefb5f

SHA512
614d1be590b15314c8e076215b5c0307f969ffbae56933cd1fb738b8517e6e4986c99d6a247b3373cabce5314468b5ae36c2d80c2991a1d03a90ea2b3a0efce6

Download Submit
memory/9532-29839-0x0000014328140000-0x0000014328160000-memory.dmp

Filesize
128KB

Download
memory/9532-29825-0x0000013B25900000-0x0000013B25A00000-memory.dmp

Filesize
1024KB

Download
memory/9532-29829-0x0000014328180000-0x00000143281A0000-memory.dmp

Filesize
128KB

Download
memory/9532-29824-0x0000013B25900000-0x0000013B25A00000-memory.dmp

Filesize
1024KB

Download
memory/9532-29848-0x0000014328750000-0x0000014328770000-memory.dmp

Filesize
128KB

Download
memory/9844-29774-0x000002214BD00000-0x000002214BD20000-memory.dmp

Filesize
128KB

Download
memory/9844-29785-0x000002214B9C0000-0x000002214B9E0000-memory.dmp

Filesize
128KB

Download
memory/9844-29800-0x000002214C100000-0x000002214C120000-memory.dmp

Filesize
128KB

Download
memory/11876-29940-0x000001A3C3A00000-0x000001A3C3B00000-memory.dmp

Filesize
1024KB

Download
memory/11876-29941-0x000001A3C3A00000-0x000001A3C3B00000-memory.dmp

Filesize
1024KB

Download
memory/11876-29945-0x000001ABC5D20000-0x000001ABC5D40000-memory.dmp

Filesize
128KB

Download
memory/11876-29966-0x000001ABC60F0000-0x000001ABC6110000-memory.dmp

Filesize
128KB

Download
memory/11876-29955-0x000001ABC57E0000-0x000001ABC5800000-memory.dmp

Filesize
128KB

Download
memory/16016-29645-0x000001ABE65B0000-0x000001ABE65D0000-memory.dmp

Filesize
128KB

Download
memory/19908-29681-0x000002423B230000-0x000002423B250000-memory.dmp

Filesize
128KB

Download
memory/19908-29668-0x000002423ABA0000-0x000002423ABC0000-memory.dmp

Filesize
128KB

Download
memory/19908-29653-0x000002423ABE0000-0x000002423AC00000-memory.dmp

Filesize
128KB

Download