'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2018-01-24 12:57:26.759542 2018-01-24 12:59:17.696623 110 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2018-01-24 12:57:27 2018-01-24 12:59:17

File Details

File name a7dab59d709c9f26c99f308a683f4d892021789b.docx
File size 50304 bytes
File type Zip archive data, at least v1.0 to extract
CRC32 E0A94025
MD5 c2291efdc095f5b2260de5555db6dde9
SHA1 a7dab59d709c9f26c99f308a683f4d892021789b
SHA256 d883ecb5e1f71637eacffd47151bb691e5a6347287fa0dd9919014d85f94f9cc
SHA512 e512b8f89f64e6c7c90a9fa31a2d9c382aac1f28c31dbfa851e66ac9138c867537670486695b5af82739b3d23d8ffb02529259bef5896fbbf7bc2e135db06319
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1516816768]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

antivm_memory_available details
raises_exception details
create_process_suspended details
Roaming_Profile_Modified details
Startup_File_Accessed details
allocates_rwx details
creates_doc details
antivm_vbox_files details
process_martian details
sysinternals_tools_usage details
antivm_vbox_devices details
antivm_vbox_files details

Screenshots

No screenshots available.

Static Analysis

Strings

Dropped Files

4826c0d860af884d_~wrs{37137e95-48b6-45c7-a8b3-6cbfae359c0b}.tmp

7068f68a7a43dad9_heartbeatcache.xml

6cb89f0036aaef2a_centraltable.laccdb

bf167ffed0a2aa42_~wrs{bb3f54a4-a452-40bb-b040-76736bed89b9}.tmp

85e5847f0adba18f_~wrs{d99efc6d-e3a4-4639-be5b-52b3bc367c6c}.tmp

f00e013971ba5634_76e386dc-c2c6-49f4-b3e0-1a6d7d02881d

47e6d1c4b8dda195_centraltable.accdb

5b4d97ef93bb8900_~$normal.dotm

4bafff6550005a4a_50d6b15d9f2dce1edbb0c098625fbe47_544b2bb0a8631da8bf33337df6899d1e

ef65c59bc2f67fb5_winword.exe_rules.xml

c058a212e20dc2ab_50d6b15d9f2dce1edbb0c098625fbe47_544b2bb0a8631da8bf33337df6899d1e

a2649b55b45df55a_6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04

f811e73ecc7c3215_6bada8974a10c4bd62cc921d13e43b18_beb37abadf39714871232b4792417e04

06e1d65c72ad0c86_~$dab59d709c9f26c99f308a683f4d892021789b.docx

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{37137E95-48B6-45C7-A8B3-6CBFAE359C0B}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BB3F54A4-A452-40BB-B040-76736BED89B9}.tmp
  • \\?\PIPE\wkssvc
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\76E386DC-C2C6-49F4-B3E0-1A6D7D02881D
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50D6B15D9F2DCE1EDBB0C098625FBE47_544B2BB0A8631DA8BF33337DF6899D1E
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D99EFC6D-E3A4-4639-BE5B-52B3BC367C6C}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50D6B15D9F2DCE1EDBB0C098625FBE47_544B2BB0A8631DA8BF33337DF6899D1E
  • C:\Users\Harry Dresden\AppData\Local\Temp\mso415F.tmp
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  • C:\Users\Harry Dresden\AppData\Local\Temp\~$dab59d709c9f26c99f308a683f4d892021789b.docx
File-Opened
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO99LRES.DLL
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Program Files (x86)\Common Files\Microsoft Shared\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL
  • C:\Windows\System32\davclnt.dll
  • C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSYNC.EXE
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO40UIRES.DLL
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSORES.DLL
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\msointl30.dll
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\Windows\Fonts\cour.ttf
  • C:\Windows\Fonts\STENCIL.TTF
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates\Normal.dotm
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\218BD889-250F-4009-AC70-37A89D831B8B
  • C:\Windows\Fonts\raavi.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\2B482C5D-3A63-457D-BC30-53A361F3C4C2
  • C:\Users\Harry Dresden\AppData\
  • C:\Windows\Fonts\gulim.ttc
  • C:\Windows\Fonts\LCALLIG.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\83917C1B-CFCF-4F12-BA76-7138123D93FC
  • C:\Windows\Fonts\KUNSTLER.TTF
  • C:\Users\Harry Dresden\Links\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\51792303-9B41-4132-AD62-E72F4D1C08D6
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache
  • C:\Windows\Fonts\CURLZ___.TTF
  • C:\Users\Harry Dresden\AppData\Roaming
  • \??\VBoxMiniRdrDN
  • C:\Windows\Fonts\FRAHV.TTF
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
  • C:\Windows\Fonts\mingliub.ttc
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso20win32client.dll
  • C:\Windows\Fonts\ONYX.TTF
  • C:\Windows\Fonts\BASKVILL.TTF
  • C:\Windows\Fonts\himalaya.ttf
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\
  • C:\Windows\Fonts\calibrib.ttf
  • C:\Windows\Fonts\ebrima.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers
  • C:\Windows\Fonts\msjh.ttf
  • C:\Windows\Fonts\majalla.ttf
  • C:\Windows\Fonts\tunga.ttf
  • C:\Windows\Fonts\GOTHIC.TTF
  • C:\Windows\Fonts\VINERITC.TTF
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Office\16.0\62e47556\Proofing\RoamingCustom.dic
  • C:\Windows\Fonts\mvboli.ttf
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Windows\Fonts\COPRGTL.TTF
  • C:\Program Files (x86)\Microsoft Office\root\Office16\STARTUP\
  • C:\Windows\Fonts\marlett.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\88DDE652-0345-4105-81DB-355519848C29
  • C:\Windows\SysWOW64\en-US\setupapi.dll.mui
  • C:\Windows\Fonts\upcll.ttf
  • C:\Windows\Fonts\ITCKRIST.TTF
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\Fonts\consola.ttf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates\
  • C:\Windows\Fonts\calibrii.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\71FD5FF9-FB04-4B94-95CF-F362AB85F4C7
  • C:\Windows\Fonts\FTLTLT.TTF
  • C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
  • C:\Windows\Fonts\JOKERMAN.TTF
  • C:\Windows\Fonts\TEMPSITC.TTF
  • C:\Windows\Fonts\WINGDNG2.TTF
  • C:\Windows\Fonts\BRITANIC.TTF
  • C:\Windows\Fonts\GADUGI.TTF
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50D6B15D9F2DCE1EDBB0C098625FBE47_544B2BB0A8631DA8BF33337DF6899D1E
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\49196BB5-66DD-4A41-B334-5325D2D5E6C5
  • C:\Windows\Fonts\cambria.ttc
  • C:\Windows\Fonts\BKANT.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\{B873B1AD-6171-49BF-89FE-C4666F2C8444} (0) - 3872 - winword.exe - OTeleMediumCost.dat
  • C:\Windows\Fonts\GIGI.TTF
  • C:\Windows\Fonts\MSJH.TTC
  • C:\Windows\Fonts\FRADMCN.TTF
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso30win32client.dll
  • C:\Windows\Fonts\taile.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\6E4E86D9-CE48-4E5A-BDC2-529EA93CE6D2
  • C:\Windows\System32\en-US\shdocvw.dll.mui
  • C:\Windows\SysWOW64\
  • C:\Windows\Fonts\BERNHC.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\4A1D1BE3-CA4C-4C42-AE17-C9AD7D0BDD26
  • C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSYNC.EXE
  • C:\Windows\Fonts\CHILLER.TTF
  • C:\Windows\Fonts\framd.ttf
  • C:\Windows\Fonts\simfang.ttf
  • C:\Windows\Fonts\dokchamp.ttf
  • C:\Windows\Fonts\VLADIMIR.TTF
  • C:\Windows\Fonts\impact.ttf
  • C:\Windows\Fonts\malgun.ttf
  • C:\Windows\Fonts\BROADW.TTF
  • C:\Windows\Fonts\COLONNA.TTF
  • C:\Windows\Fonts\upcel.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\398C73D5-F266-4B67-A792-8EFC910B2A68
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
  • C:\Windows\Fonts\kartika.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D81F3CE6-A0F2-4E05-91A2-9A4B8276F8BE
  • C:\Program Files (x86)\Microsoft Office\root\Office16\CHART.DLL
  • C:\Windows\Fonts\l_10646.ttf
  • C:\Windows\Fonts\upckl.ttf
  • C:\Windows\Fonts\SEGOEUISL.TTF
  • C:\Users\Harry Dresden\Documents\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\62CA747E-A81B-485E-B093-BF90DBBAE9EC
  • C:\Windows\Fonts\BRLNSDB.TTF
  • C:\Windows\Fonts\segoepr.ttf
  • C:\Windows\Fonts\micross.ttf
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Windows\Fonts\PALSCRI.TTF
  • C:\Windows\Fonts\upcfl.ttf
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\SysWOW64\en-US\CRYPT32.dll.mui
  • C:\Windows\Fonts\simkai.ttf
  • C:\Windows\Fonts\FELIXTI.TTF
  • C:\Windows\Fonts\utsaah.ttf
  • C:\Users\Harry Dresden\Favorites\desktop.ini
  • C:\Windows\Fonts\upcil.ttf
  • C:\Windows\Fonts\PAPYRUS.TTF
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0
  • C:\Windows\WindowsShell.Manifest
  • C:\Windows\Fonts\HATTEN.TTF
  • C:\Windows\Fonts\seguisb.ttf
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\msointl30.dll
  • C:\Windows\Fonts\segoesc.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\1430F911-5AD3-4749-AFAC-24A34E4FD4A9
  • C:\Windows\Fonts\mangal.ttf
  • C:\Windows\System32\wpdshext.dll
  • C:\Windows\Fonts\mingliu.ttc
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\60B61A8B-72E6-431D-B56F-E4939E48D96C
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\7611C3D4-0673-442E-850F-6C64C041E91E
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\{B873B1AD-6171-49BF-89FE-C4666F2C8444} (0) - 3872 - winword.exe - OTele.dat
  • C:\Windows\Fonts\BOD_R.TTF
  • C:\Windows\Fonts\MATURASC.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\F3721A83-BE42-474E-A0FE-86C399B43BD1
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\459A34E0-3D69-4909-8E7B-40D4C989545E
  • C:\ProgramData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\54235051-D104-456C-B62E-7BBA73FA48DC
  • C:\Windows\Fonts\BRUSHSCI.TTF
  • C:\Windows\Fonts\latha.ttf
  • C:\Windows\Fonts\HARNGTON.TTF
  • C:\Windows\Fonts\CALIST.TTF
  • C:\Windows\Fonts\COOPBL.TTF
  • C:\Windows\Fonts\ariblk.ttf
  • C:\Windows\Fonts\corbel.ttf
  • C:\Users\Harry Dresden\Searches\desktop.ini
  • C:\Windows\Fonts\GLECB.TTF
  • C:\Windows\Fonts\gautami.ttf
  • C:\Windows\Fonts\NIAGSOL.TTF
  • C:\Windows\Fonts\msyi.ttf
  • C:\Windows\Fonts\cordia.ttf
  • C:\Windows\Fonts\lvnm.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\BEE1372A-C6B0-45A5-B2DF-946BCF71815A
  • C:\Windows\Fonts\nrkis.ttf
  • C:\Windows\Fonts\comic.ttf
  • C:\Windows\Fonts\JUICE___.TTF
  • C:\Windows\Fonts\shruti.ttf
  • C:\Windows\Fonts\angsa.ttf
  • C:\Windows\Fonts\BRADHITC.TTF
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Windows\Fonts\ARIALN.TTF
  • C:\Windows\System32\en-US\wpdshext.dll.mui
  • C:\Windows\Fonts\GILLUBCD.TTF
  • C:\Windows\Fonts\ITCEDSCR.TTF
  • C:\Windows\Fonts\LFAX.TTF
  • C:\Windows\Fonts\daunpenh.ttf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Word\STARTUP\
  • C:\Windows\Fonts\Vani.ttf
  • C:\Windows\Fonts\angsau.ttf
  • C:\Windows\Fonts\msuighur.ttf
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Windows\Fonts\TCM_____.TTF
  • C:\Windows\Fonts\SNAP____.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\
  • C:\Windows\Fonts\TCCEB.TTF
  • C:\Windows\Fonts\REFSAN.TTF
  • C:\Windows\Fonts\trado.ttf
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\A42028F2-CFF8-48B7-B283-04ADC903CA42
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\02F53DDF-4F31-4BA0-97DE-29F451F29819
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\
  • C:\Windows\Fonts\batang.ttc
  • C:\Windows\Fonts\MOD20.TTF
  • C:\Windows\Fonts\LTYPE.TTF
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Templates
  • C:\Windows\Fonts\ERASLGHT.TTF
  • C:\Windows\Fonts\browa.ttf
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\FEE4C9D3-C3C3-4DD8-9A8A-E5EE2FB996B2
  • C:\Windows\Fonts\CALIFR.TTF
  • C:\Windows\Fonts\WINGDNG3.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\
  • C:\Users\desktop.ini
  • C:\Program Files (x86)\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\
  • C:\Windows\Fonts\Gabriola.ttf
  • C:\Windows\Fonts\PRISTINA.TTF
  • C:\Windows\Fonts\GILSANUB.TTF
  • C:\Windows\System32\
  • C:\Windows\Fonts\ENGR.TTF
  • C:\Windows\Fonts\times.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D5741299-7A7A-4BE1-86B6-ADB88C449156
  • C:\Windows\Fonts\ITCBLKAD.TTF
  • C:\Windows\Fonts\SHOWG.TTF
  • C:\Windows\Fonts\kalinga.ttf
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\Windows\Fonts\aparaj.ttf
  • C:\Windows\Fonts\sylfaen.ttf
  • C:\Windows\Fonts\LSANS.TTF
  • C:\Windows\Fonts\PER_____.TTF
  • C:\Windows\Fonts\kaiu.ttf
  • C:\Windows\Fonts\segoeuil.ttf
  • C:\Windows\Fonts\simsun.ttc
  • C:\Windows\Fonts\mriam.ttf
  • C:\Windows\Fonts\RAGE.TTF
  • C:\Windows\Fonts\iskpota.ttf
  • C:\Windows\Fonts\Shonar.ttf
  • C:\Users\Harry Dresden\Videos\desktop.ini
  • C:\Windows\Fonts\LATINWD.TTF
  • C:\Windows\Fonts\BSSYM7.TTF
  • C:\Windows\Fonts\mriamc.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office
  • C:\Windows\System32\oleaccrc.dll
  • C:\Windows\Fonts\simhei.ttf
  • C:\Program Files (x86)\Common Files\Microsoft Shared\
  • C:\Windows\Fonts\FORTE.TTF
  • C:\Windows\System32\en-US\MPR.dll.mui
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSORES.DLL
  • C:\Windows\Fonts\FRSCRIPT.TTF
  • C:\Windows\Fonts\MISTRAL.TTF
  • C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
  • C:\Windows\System32\en-US\d2d1.dll.mui
  • C:\Windows\Fonts\upcjl.ttf
  • C:\Windows\Fonts\CASTELAR.TTF
  • C:\Windows\Fonts\BELL.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\27AE1074-21E3-40FA-AE57-4027C89A1728
  • C:\Windows\Fonts\BAUHS93.TTF
  • C:\Users\Harry Dresden\Downloads\desktop.ini
  • C:\Users\Harry Dresden\Contacts\desktop.ini
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\2B6C7C22-BAAE-4D80-8E6A-3176CC4E5946
  • C:\Windows\Fonts\ntailu.ttf
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\
  • C:\Windows\Fonts\msmincho.ttc
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • C:\Windows\Fonts\HTOWERT.TTF
  • C:\Windows\Fonts\MSYH.TTC
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\0136C3E2-C15B-4825-B21D-FD8681596A3A
  • C:\Windows\Fonts\MTEXTRA.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\41998CBE-23F6-4A35-9D07-30563B2494C7
  • C:\Windows\Fonts\FRABK.TTF
  • C:\Windows\Fonts\
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO99LRES.DLL
  • C:\Windows\Fonts\IMPRISHA.TTF
  • C:\Windows\Fonts\SCRIPTBL.TTF
  • \\?\PIPE\wkssvc
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\3F7A38BA-8B2B-4C7D-817A-A29170E7C939
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\Fonts\georgia.ttf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D8906D2F-B5FB-47A7-A48C-64280468337B
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso99Lwin32client.dll
  • C:\Windows\Fonts\ELEPHNT.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\OTele\
  • C:\Windows\Fonts\OCRAEXT.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\DC7D18FE-1987-4CC1-A220-8C2AB3F89FE4
  • C:\Users\Harry Dresden\Music\desktop.ini
  • C:\Users
  • C:\Windows\Fonts\ERASBD.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\141E62F4-A1F6-4895-AAD3-8A2A95D4A1E2
  • C:\Windows\Fonts\GARA.TTF
  • C:\Windows\Fonts\FRADM.TTF
  • C:\Windows\Fonts\RAVIE.TTF
  • C:\Windows\Fonts\nyala.ttf
  • C:\Windows\Fonts\trebuc.ttf
  • C:\Windows\Fonts\webdings.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\166A7C48-F18B-4F49-AD05-CA648AF56FB1
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\12E38A7D-EDAC-40BC-8980-4A83DF7AAB2E
  • C:\Windows\Fonts\ARLRDBD.TTF
  • C:\Windows\Fonts\browau.ttf
  • C:\Windows\Fonts\NIAGENG.TTF
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso98win32client.dll
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Users\Harry Dresden\AppData\Local\Temp\mso415F.tmp
  • C:\Windows\Fonts\andlso.ttf
  • C:\Windows\Fonts\INFROMAN.TTF
  • C:\Windows\System32
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\B3F75FA2-5E0D-426B-BC60-74C92AEBECEB
  • C:\Windows\Fonts\REFSPCL.TTF
  • C:\Windows\Fonts\kokila.ttf
  • C:\Windows\Fonts\verdana.ttf
  • C:\Windows\Fonts\ROCK.TTF
  • C:\Program Files (x86)\Microsoft Office\root\Office16\WWLIB.DLL
  • C:\Windows\Fonts\estre.ttf
  • C:\Windows\Fonts\segoeui.ttf
  • C:\Users\Harry Dresden\AppData\Local\Temp\a7dab59d709c9f26c99f308a683f4d892021789b.docx
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Proof\
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  • C:\Windows\Fonts\symbol.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\68CF3A26-FE19-459A-A97F-7DAFCB3AD924
  • C:\Windows\Fonts\VIVALDII.TTF
  • C:\Windows\Fonts\BOOKOS.TTF
  • C:\Users\Harry Dresden\AppData
  • C:\Windows\Fonts\gisha.ttf
  • C:\Windows\Fonts\msyh.ttf
  • C:\Windows\Fonts\arial.ttf
  • C:\Windows\Fonts\tahoma.ttf
  • C:\Windows\Fonts\MAGNETOB.TTF
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
  • C:\Windows\Fonts\BRLNSR.TTF
  • C:\Windows\Fonts\TCCM____.TTF
  • C:\Windows\Fonts\frank.ttf
  • C:\Windows\Fonts\simsunb.ttf
  • C:\Users\Harry Dresden\AppData\Local\Microsoft
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms\C642E3AC-C787-461C-8130-49BC8B3B8E54
  • C:\Windows\Fonts\FRAMDCN.TTF
  • C:\Windows\Fonts\ahronbd.ttf
  • C:\Windows\Fonts\simpo.ttf
  • C:\Windows\Fonts\PLAYBILL.TTF
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO40UIRES.DLL
  • C:\Program Files (x86)\Microsoft Office\root\Office16\1033\WWINTL.DLL
  • C:\Windows\Fonts\LaoUI.ttf
  • C:\Windows\SysWOW64\ieframe.dll
  • C:\Windows\SysWOW64\en-US\USER32.dll.mui
  • C:\Windows\Fonts\NIRMALA.TTF
  • C:\Windows\Fonts\PARCHM.TTF
  • C:\Windows\Fonts\POORICH.TTF
  • C:\Windows\Fonts\BOD_CR.TTF
  • C:\Program Files (x86)\Microsoft Office\root\Office16\
  • C:\Windows\Fonts\ROCKEB.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\5DD973A5-6B8F-40E7-93DC-F099B3954B65
  • C:\Users\Harry Dresden\AppData\LocalLow
  • C:\Windows\Fonts\ERASDEMI.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\B146098F-4064-49C1-985D-AEC3D779A81B
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
  • C:\Windows\Fonts\vijaya.ttf
  • C:\Windows\Fonts\LBRITE.TTF
  • C:\Users\Harry Dresden\Pictures\desktop.ini
  • C:\Windows\Fonts\AGENCYR.TTF
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Windows\Fonts\msyhbd.ttf
  • C:\Windows\Fonts\ALGER.TTF
  • C:\Windows\Fonts\BOD_BLAR.TTF
  • C:\Windows\Fonts\COPRGTB.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\D5CA04B0-F36E-4671-9B61-C281C22245A8
  • C:\Windows\SysWOW64\en-US\ieframe.dll.mui
  • C:\Windows\Fonts\GOUDYSTO.TTF
  • C:\Windows\Fonts\moolbor.ttf
  • C:\Windows\Fonts\CENSCBK.TTF
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  • C:\Windows\Fonts\meiryo.ttc
  • C:\Windows\Fonts\constan.ttf
  • C:\Windows\Fonts\ROCC____.TTF
  • C:\Windows\Fonts\msgothic.ttc
  • C:\Windows\Fonts\simpfxo.ttf
  • C:\Windows\Fonts\ERASMD.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\7DF8FCF3-C8C9-4CF7-8416-171D71D0C04A
  • C:\Windows\Fonts\pala.ttf
  • C:\Program Files (x86)\Microsoft Office\root\Office16\OART.DLL
  • C:\Users\
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\p.pfx.ms
  • C:\Windows\Fonts\MTCORSVA.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\clienttemplates.content.office.net\
  • C:\Windows\Fonts\OUTLOOK.TTF
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\ECB4A42C-1CD2-416B-A8EE-28711F2E4748
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
  • C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mso40uiwin32client.dll
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\C88FD7A6-07CC-42CE-ABF8-77F23D1FCFAC
  • C:\Windows\Fonts\rod.ttf
  • C:\Windows\Fonts\PERTILI.TTF
  • C:\Windows\Fonts\calibri.ttf
  • C:\Windows\Fonts\GILC____.TTF
  • C:\Windows\Fonts\GOUDOS.TTF
  • C:\Windows\Fonts\euphemia.ttf
  • C:\Windows\Fonts\lucon.ttf
  • C:\Windows\Fonts\CENTURY.TTF
  • C:\Windows\Fonts\LHANDW.TTF
  • C:\Users\Harry Dresden\Saved Games\desktop.ini
  • C:\Windows\Fonts\GIL_____.TTF
  • C:\Windows\Fonts\OLDENGL.TTF
  • C:\Windows\Fonts\arabtype.ttf
  • C:\Windows\Fonts\vrinda.ttf
  • C:\Windows\System32\shdocvw.dll
  • C:\Windows\Microsoft.NET\Framework\
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\cdn.odc.officeapps.live.com\80B9ABAF-5777-40C6-9BCA-7FF88408BA18
  • C:\Windows\Fonts\GLSNECB.TTF
  • C:\Windows\Fonts\CENTAUR.TTF
  • C:\Windows\Fonts\Candara.ttf
  • C:\Windows\Fonts\leelawad.ttf
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\
  • C:\Windows\Fonts\seguisym.ttf
  • C:\Windows\Fonts\FREESCPT.TTF
  • C:\Windows\
  • C:\Windows\Fonts\upcdl.ttf
  • C:\Windows\Fonts\phagspa.ttf
  • C:\Windows\Fonts\MAIAN.TTF
  • C:\Windows\Fonts\cordiau.ttf
  • C:\Windows\Fonts\HARLOWSI.TTF
  • C:\Windows\Fonts\david.ttf
  • C:\Windows\Fonts\KhmerUI.ttf
  • C:\Windows\Fonts\monbaiti.ttf
  • C:\Windows\Fonts\plantc.ttf
  • C:\Windows\Fonts\BOD_PSTC.TTF
Directory-Enumerated
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\*.*
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16
  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E48DA50A37CFB4541808027C61577613
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\99E80CA9B0328e74791254777B1F42AE\InstallProperties
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\38B4816825059EF5ABEFE7AC69DC237A
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EEE14C3FC3FEFA3458AD37B6FB29E0F0
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentEcs\wxp
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AF6D649BB945143DAD2D436C434C20F
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2C6B91EE7E44A8147AFEED184561DAA8
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Registration\{90160000-000F-0000-0000-0000000FF1CE}
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc\Resiliency\DocumentRecovery
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1D54092CA66F47143BC7720DEE6C1520
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\22ADF1C4CAEE30248811919795CE877E
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8F139CF91DE936230A1FA8ED33D0E0EC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Research\Translation
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C8BA4DF4F75C28732903C9AC2251A33D
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc\Resiliency
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\854320E5CD315974BB230446F54F012B
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\06AC92CD1BDDEBC4B873F402329012C6
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Registration\{9AC08E99-230B-47e8-9721-4577B7F124EA}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\ProductReleaseIDs\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00\culture\x-none.16
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7CA503EFF8D2D6843935591226A56DB7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FD5CBA1C4F15D0A4495AFAF4ECA7D2F0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2921D0D2052C0124CA0823230A7CF03C
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0136EEA3C5C1DB040BBB4272DFA05234
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EE86D47743D6EFB4F8BA1313727CB711
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3416602863-1947377224-293699093-1003\Components\0BC77486A266BF84FAE259379C82967F
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Features\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C2D3C6C2DFB724740A4E4B0B2A54D044
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\05FF053B717129E4C97F9560D8E3C885
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\InstallProperties
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Common\LanguageResources\EnabledLanguages
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Features
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\GOM
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A31077A24A584C4984DC332F0E08910
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3054A48C6DA69514F8A11C66A1FE4D43
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D0AC866B878B5145B6EC164ED85151B
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\wxp
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Features\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\99E80CA9B0328e74791254777B1F42AE
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\LanguageResources\InstalledUICultures
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E8DF4AEBDD158AE438C8F2F6D20AD7AC
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\CVH\VirtualProductInfo
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C80E91F77D2396F49A9B971548BEFEC8
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\ExperimentDogfood
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Security
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7E52BAFB9807F7F32B60B598A4DBB7A7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1CC1F61F05EDA1948816E2A04270A20C
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9878932B862896C45B61278195E274B1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\677C6A4AF7669584890696422D933362
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BF427A2B66EB00A3182637A36261AA34
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\99E80CA9B0328e74791254777B1F42AE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F4531591FCEEEA847980AFCF85694A10
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\Common\Experiment
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\99E80CA9B0328e74791254777B1F42AE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\97FC00201A9B4EB359A592AFD9B4A1C5
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\413A5FB960BAC1A40A0B8DE39F0CB75E
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AEDAB3D6E7F6C2C4684D92A5E897BC1C
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F87D976C4168904EA01C6B79C7D3357
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\11ABDF44143022045A74807F2199D297
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AEB456C6427B5ED478C08584CF81B108
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2C67F53B44B8E44CA78D31E45C0AEC9
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3D9924FDD5EA83546A505DA15FA902E8
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\LanguageResources
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\IdentityCRL
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B26B9AF8BAD890F4D8AF1B5EFAB27E4F
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EAEB6DE731F9CE948A644F1360AC5BB3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4DD2033E784F9BE46B16A770B3DE0173
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78C18AA6E7771834FB7DE38FC605A037
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BE632C1D2D584A14BB4583F6D3E91962
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91911CC5AA25BA64ABAAA692E02F2D30
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\52EF7531F13280A4DAFF25060DBF0508
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0BC77486A266BF84FAE259379C82967F
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F30559A9485777D42AE55615AC729C5E
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8741F187B4431884F851C69EE93CCC80
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Components\1A705E72D3831594090DD020E37EFC1A
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\GOM
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\841B335EA38A88737A36C0C664FCC63C
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\115682E35C354A747AB19A8B37511A7E
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D82BFA0262BF08949AC6E23C8EF18003
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\648465DF56EA66345BB2567B0F873BE7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D692E8379026B8448157BD6D7916F3E
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Common\GOM\ComplexRanges
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E1C7A107880935E48BF2271B25500A01
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5ED2E63ACCCE6D44D9F84B8D7FB73C68
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2C6FF36D67277F846A233951912B7E0C
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4608B75C85EB92E4B9C78C18C52F177B
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2804C1692E9F684CACC9E114F49C8BB
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42DFE5C4C26DDA643B2E1B3484F5CFCA
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\Security
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A1C53B88CB3F7C33B57D6B5E272B8FF
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8A4601ED49F6D194998E10FA9F6C0300
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6DF6EA175C7A0240B2B10FDF2585BD1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D97A600289B46B42AC7370CB5D1432E
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2CD56AAE28348674E9675C463C6021D2
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\39852B3E9E8B1EB48AE06D034A14262D
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Components\1A705E72D3831594090DD020E37EFC1A
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\39AE6A38F56EF6C4ABAD6D350D6CFEA1
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Graphics
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\01211C777013DA94EA165EB6354C7BB3
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7E7133CE0DB89F148818C6E45D79BFDC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc\Resiliency\StartupItems
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50AD92533E1A17F4398E08E3C40D8611
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FA7B51453E2C43343BD5241072D09F18
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\084451265844F4A47ABA441C208BA4B1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2A8F3F35080EE3E48A4E69A1726B20C9
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\MsoSync\Resiliency\StartupItems
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\492B803F9C3D84445A98619F89E031D3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\DXGI
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Logging
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Debug
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08C0566F2C64AB248B37D78ABA9730ED
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\18E39E9B8AC8A5A3EA358562C997478C
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86FDD2C8637365C489BEB6DC30E9FBB7
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\56CDF88E115A2914F94BA591E8FE427E
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\642F24263BBA5A94FA7EB6178A2B505B
  • HKEY_CURRENT_USER\Software\Microsoft\Security
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\02D8650385D45DC44B6E0BF69EF2846B
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\82FE3EC09B47F3A4A9C7014EBD86BC95
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\376DDCFD80ED01249AC8112B8EE543FF
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office Test\Special\Perf
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\304137362B940964CB6A957A63031F9B
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CF1288ED10B63B4328E2F1739AE9A4E2
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D\Drivers
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5A9E53D7D94D36E4EA4A12EEF94D7086
  • HKEY_CURRENT_USER\Software\Microsoft\Office
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\Flight\wxp
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCE00C92AF70C413399B4A50F82E20B5
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E40100B0F7ED50A4AABEA3DC36A2F6A6
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E584DF3B766E94F4090BF856C52425BA
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Components\1A705E72D3831594090DD020E37EFC1A
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\52FCE2A887EC8E939BD4BAB1A128F53C
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\ProductReleaseIDs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E29400AB2B7AA47439822EDB9310C437
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7FD8D5E49CB105931B840901B2EC77A7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E6D33DF58B7A854083E8402A99D91B9
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D\DX6TextureEnumInclusionList
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\712CCCD0696BA1442950CA32E7C6E64D
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\46FF8D92C641ED4469A6364C3DF80F53
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F303394DBB2714E4BA8BC34DF322DBD9
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3687791E032C1A747810904287441F47
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\123A732343FF9B945BE4CB85C922D77E
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C069AA2AC3DFD6A3DBF641390311FA3B
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D0B3D76D8121493449064B942F126861
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EE4121E3A9B6A8046B31DD1157F16447
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\90ACD79B4EF140F4281AC4059348577F
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6AE1A6418D39933981921F7F7A77EA6
  • HKEY_CURRENT_USER\Software\Microsoft\Direct3D
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\GELPrefs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7AB2F5895721D914CB4E0D8702F999A9
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8E6588906D8C60C43831FCEC4BD6F719
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\568441CE89338D64097ACA530FE9F449
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8E982B78D763473478502181932C13E0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5F07DEC661BF284EA6075DA5F525BAA
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\SignIn
  • HKEY_CURRENT_USER\Software\Microsoft\DXGI
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\01B4EDCF03C143E4793454CC8B37A96D
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3ED8D912A4A5CC74FA57E4C248AA17B4
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\common\filespaths
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5D24E6113CF0F848ABE77515177DCB5
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96C59964CACA65D499A0D2D62A316FB7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49A2B0FF5E149204B8A8FF1E28D32963
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\Debug
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32F51D7A41D895849B5D36E5D0069CD8
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\03682DF0978FCC64E83EB5AF9AAEBA21
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91EDD49C07CCA9B36AFAC57A43B0B9A9
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BCF244F508B5E84D97CE5B20ED48AC1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B12F5455BBA80C849A3154420AB8F9F6
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A725889A5DF965C4E84A0253A39A5952
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B3D93E8E53F48D638B29B48233F60E14
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\740F27CC073749E4E96E7B55BE37D49A
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3422A1FF37E556F48874D71DA1A7FCBC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentEcs\wxp\Flights
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\(Default)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F0C7C77C6A9753F40A5A1D4EF678DF13
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B76360A9B1D0AC35A81B25B36672275
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BECCD8561A9AEEF40A4B78A2B173394D
Registry Key-Read
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\ProfileUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\PreferredEditingLanguage
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4608B75C85EB92E4B9C78C18C52F177B\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\ProductReleaseIDs\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00\culture\x-none.16\StreamPackageUrl
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Registration\{90160000-000F-0000-0000-0000000FF1CE}\ClickToRun
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7AB2F5895721D914CB4E0D8702F999A9\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1CC1F61F05EDA1948816E2A04270A20C\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D97A600289B46B42AC7370CB5D1432E\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc\Resiliency\StartupItems\3p;
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\ExeMode
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8A4601ED49F6D194998E10FA9F6C0300\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EE4121E3A9B6A8046B31DD1157F16447\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc\Resiliency\StartupItems\2p;
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\InstallFonts
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2921D0D2052C0124CA0823230A7CF03C\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\IdP
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78C18AA6E7771834FB7DE38FC605A037\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2804C1692E9F684CACC9E114F49C8BB\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\642F24263BBA5A94FA7EB6178A2B505B\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0BC77486A266BF84FAE259379C82967F\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E8DF4AEBDD158AE438C8F2F6D20AD7AC\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\115682E35C354A747AB19A8B37511A7E\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\854320E5CD315974BB230446F54F012B\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2CD56AAE28348674E9675C463C6021D2\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BCF244F508B5E84D97CE5B20ED48AC1\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\common\filespaths\mso.dll
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\Initials
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\UseOnlineContent
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Direct3D\DX6TextureEnumInclusionList\Name
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\LanguageResources\SKULanguage
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B6AE1A6418D39933981921F7F7A77EA6\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\DisableADALExtendedApps
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49A2B0FF5E149204B8A8FF1E28D32963\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\NoDomainUser
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A1C53B88CB3F7C33B57D6B5E272B8FF\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\712CCCD0696BA1442950CA32E7C6E64D\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\MsoHeapInit
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Direct3D\Drivers\Name
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F30559A9485777D42AE55615AC729C5E\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\52EF7531F13280A4DAFF25060DBF0508\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\18E39E9B8AC8A5A3EA358562C997478C\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CF1288ED10B63B4328E2F1739AE9A4E2\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96C59964CACA65D499A0D2D62A316FB7\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32F51D7A41D895849B5D36E5D0069CD8\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\06AC92CD1BDDEBC4B873F402329012C6\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\DisableTelemetry
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EAEB6DE731F9CE948A644F1360AC5BB3\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\82FE3EC09B47F3A4A9C7014EBD86BC95\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AF6D649BB945143DAD2D436C434C20F\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3ED8D912A4A5CC74FA57E4C248AA17B4\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\123A732343FF9B945BE4CB85C922D77E\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\413A5FB960BAC1A40A0B8DE39F0CB75E\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\FederationSignInName
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\376DDCFD80ED01249AC8112B8EE543FF\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\Persisted
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\FollowSystemUILanguage
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\FirstName
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B12F5455BBA80C849A3154420AB8F9F6\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\EnableWriteRulesResultToAsimov
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\FlowUrl
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C80E91F77D2396F49A9B971548BEFEC8\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Research\Translation\MaxWords
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F303394DBB2714E4BA8BC34DF322DBD9\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\FriendlyName
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\AppUserIdleTimerInterval
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\740F27CC073749E4E96E7B55BE37D49A\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E29400AB2B7AA47439822EDB9310C437\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\HelpLanguageExplicit
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\677C6A4AF7669584890696422D933362\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50AD92533E1A17F4398E08E3C40D8611\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8E982B78D763473478502181932C13E0\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D0B3D76D8121493449064B942F126861\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2A8F3F35080EE3E48A4E69A1726B20C9\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7FD8D5E49CB105931B840901B2EC77A7\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C8BA4DF4F75C28732903C9AC2251A33D\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ServiceEnvironment
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0D692E8379026B8448157BD6D7916F3E\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D82BFA0262BF08949AC6E23C8EF18003\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AllowConsecutiveSlashesInUrlPathComponent
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Research\Translation\MaxWordsJapan
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\05FF053B717129E4C97F9560D8E3C885\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F0C7C77C6A9753F40A5A1D4EF678DF13\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\02D8650385D45DC44B6E0BF69EF2846B\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\UILanguageTag
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08C0566F2C64AB248B37D78ABA9730ED\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E40100B0F7ED50A4AABEA3DC36A2F6A6\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\FederationConfigError
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\38B4816825059EF5ABEFE7AC69DC237A\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage\ProductFiles
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Features\ProductFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\UI Theme
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Features\00006109F00000000000000000F01FEC\ProductFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\FederationProvider
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EE86D47743D6EFB4F8BA1313727CB711\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C2D3C6C2DFB724740A4E4B0B2A54D044\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\568441CE89338D64097ACA530FE9F449\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\52FCE2A887EC8E939BD4BAB1A128F53C\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Direct3D\DLLMergeDisable
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E1C7A107880935E48BF2271B25500A01\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8E6588906D8C60C43831FCEC4BD6F719\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\EnableWriteRulesResultToFile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\Win31FileSystem
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCE00C92AF70C413399B4A50F82E20B5\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5ED2E63ACCCE6D44D9F84B8D7FB73C68\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\LibraryType
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BF427A2B66EB00A3182637A36261AA34\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\46FF8D92C641ED4469A6364C3DF80F53\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\ProductReleaseIDs\ActiveConfiguration
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\LastName
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FA7B51453E2C43343BD5241072D09F18\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7E52BAFB9807F7F32B60B598A4DBB7A7\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2C67F53B44B8E44CA78D31E45C0AEC9\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\LangTuneUp
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\msosync.exe_queried
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3422A1FF37E556F48874D71DA1A7FCBC\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security\AutomationSecurity
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\SigninName
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5F07DEC661BF284EA6075DA5F525BAA\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\RulesRetrievalTimeCap
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\39852B3E9E8B1EB48AE06D034A14262D\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BECCD8561A9AEEF40A4B78A2B173394D\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AEB456C6427B5ED478C08584CF81B108\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Direct3D\Drivers\Size
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B3D93E8E53F48D638B29B48233F60E14\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6DF6EA175C7A0240B2B10FDF2585BD1\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\01B4EDCF03C143E4793454CC8B37A96D\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3D9924FDD5EA83546A505DA15FA902E8\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F87D976C4168904EA01C6B79C7D3357\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\304137362B940964CB6A957A63031F9B\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91911CC5AA25BA64ABAAA692E02F2D30\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\PendingUITheme
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91EDD49C07CCA9B36AFAC57A43B0B9A9\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8741F187B4431884F851C69EE93CCC80\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9878932B862896C45B61278195E274B1\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7E7133CE0DB89F148818C6E45D79BFDC\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\FederationProvider
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Direct3D\DX6TextureEnumInclusionList\Size
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E6D33DF58B7A854083E8402A99D91B9\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\Common\LanguageResources\InstalledUICultures\en-us
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Research\Translation\CurrentProvider
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5D24E6113CF0F848ABE77515177DCB5\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BE632C1D2D584A14BB4583F6D3E91962\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\AppUserIdleResetInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\UIFallbackLanguages
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentEcs\wxp\Expires
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\648465DF56EA66345BB2567B0F873BE7\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4DD2033E784F9BE46B16A770B3DE0173\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\UID
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Version
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E584DF3B766E94F4090BF856C52425BA\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7D0AC866B878B5145B6EC164ED85151B\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3054A48C6DA69514F8A11C66A1FE4D43\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\97FC00201A9B4EB359A592AFD9B4A1C5\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\ErrorState
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\UISnapshotLanguages
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2C6B91EE7E44A8147AFEED184561DAA8\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\ErrorData
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\CVH\VirtualProductInfo\PackageGUID
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentEcs\wxp\UserId
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Research\Translation\UseMT
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\39AE6A38F56EF6C4ABAD6D350D6CFEA1\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C069AA2AC3DFD6A3DBF641390311FA3B\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B76360A9B1D0AC35A81B25B36672275\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\HelpFallbackLanguages
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3687791E032C1A747810904287441F47\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\492B803F9C3D84445A98619F89E031D3\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\EnableADAL
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B26B9AF8BAD890F4D8AF1B5EFAB27E4F\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5A9E53D7D94D36E4EA4A12EEF94D7086\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\ProviderId
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\22ADF1C4CAEE30248811919795CE877E\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\11ABDF44143022045A74807F2199D297\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters\ClientCacheSize
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider\Name
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\084451265844F4A47ABA441C208BA4B1\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\841B335EA38A88737A36C0C664FCC63C\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\Picture
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\SignIn\SignInOptions
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8F139CF91DE936230A1FA8ED33D0E0EC\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Research\Translation\PreferOffline
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\56CDF88E115A2914F94BA591E8FE427E\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A725889A5DF965C4E84A0253A39A5952\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2C6FF36D67277F846A233951912B7E0C\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AEDAB3D6E7F6C2C4684D92A5E897BC1C\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\LabMachine
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\42DFE5C4C26DDA643B2E1B3484F5CFCA\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E48DA50A37CFB4541808027C61577613\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CodeMarkerToSqmDisable
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\PreviousPreferredEditingLanguage
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Office\16.0\common\filespaths\mso.dll
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86FDD2C8637365C489BEB6DC30E9FBB7\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EEE14C3FC3FEFA3458AD37B6FB29E0F0\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7CA503EFF8D2D6843935591226A56DB7\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Research\Translation\UseOnline
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\HelpLanguageTag
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0136EEA3C5C1DB040BBB4272DFA05234\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FD5CBA1C4F15D0A4495AFAF4ECA7D2F0\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F4531591FCEEEA847980AFCF85694A10\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\InstallProperties\WindowsInstaller
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\EmailAddress
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities\673db90b609de831_LiveId\SignedOut
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1D54092CA66F47143BC7720DEE6C1520\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\01211C777013DA94EA165EB6354C7BB3\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\90ACD79B4EF140F4281AC4059348577F\00006109F00000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A31077A24A584C4984DC332F0E08910\00006109F00000000000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\03682DF0978FCC64E83EB5AF9AAEBA21\00006109F00000000000000000F01FEC
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc\Resiliency\StartupItems\3p;
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\SyncProc\Resiliency\StartupItems\2p;
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage\ProductFiles

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\HARRYD~1\AppData\Local\Temp\a7dab59d709c9f26c99f308a683f4d892021789b.docx PID: 3964, Parent PID: 2280

"C:\Program Files (x86)\Microsoft Office\Root\Office16\MsoSync.exe" PID: 748, Parent PID: 3964

Volatility

Nothing to display.