IOC Report
Payout Receipts.pptx

Files

File Path
Type
Category
Malicious
Payout Receipts.pptx
Microsoft PowerPoint 2007+
initial sample
malicious
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
dropped
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
data
dropped
C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml
XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
JSON data
dropped
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf
TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
dropped
C:\Users\user\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStore\PowerPoint\1380790193167760279.C4
data
dropped
C:\Users\user\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStore\PowerPoint\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S
data
dropped
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0E31D59D-7275-4D07-A5C4-416FA6F7F869
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db
SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db-journal
SQLite Rollback Journal
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db-shm
data
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db-wal
SQLite Write-Ahead Log, version 3007000
dropped
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
data
dropped
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres
data
dropped
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
data
dropped
C:\Users\user\AppData\Local\Temp\Diagnostics\POWERPNT\App1734965486125046100_D29EDC9C-05D7-4422-9E4E-DB7CF31D8F9D.log
data
dropped
C:\Users\user\AppData\Local\Temp\Diagnostics\POWERPNT\App1734965486125627200_D29EDC9C-05D7-4422-9E4E-DB7CF31D8F9D.log
data
dropped
C:\Users\user\AppData\Local\Temp\TCD1378.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD1378.tmp\ThemePictureAccent.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD1379.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD1379.tmp\VaryingWidthList.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD137A.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD137A.tmp\architecture.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD137B.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD137B.tmp\pictureorgchart.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD137C.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD137C.tmp\RadialPictureList.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD137E.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD137E.tmp\ThemePictureGrid.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD1390.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD1390.tmp\ThemePictureAlternatingAccent.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD1391.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD1391.tmp\chevronaccent.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1392.tmp\BracketList.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1392.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD1393.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD1393.tmp\TabList.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD13D8.tmp\CircleProcess.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD13D8.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD13E8.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD13E8.tmp\HexagonRadial.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD13E9.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD13E9.tmp\InterconnectedBlockProcess.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD13EA.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD13EA.tmp\rings.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD13EB.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD13EB.tmp\PictureFrame.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD13FC.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD13FC.tmp\TabbedArc.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD13FD.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD13FD.tmp\ConvergingText.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD15A5.tmp\View.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD15A5.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD15E8.tmp\Banded.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD15E8.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD15F9.tmp\Frame.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD15F9.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1609.tmp\Dividend.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1609.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD160A.tmp\Basis.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD160A.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD164B.tmp\Metropolitan.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD164B.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD16DA.tmp\Parcel.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD16DA.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1779.tmp\Facet.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1779.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD177A.tmp\Wisp.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD177A.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD17FA.tmp\Atlas.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD17FA.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD181A.tmp\Parallax.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD181A.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD184B.tmp\Wood_Type.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD184B.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD189B.tmp\Quotable.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD189B.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1A04.tmp\Berlin.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1A04.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1A75.tmp\Retrospect.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD1A75.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1A85.tmp\Gallery.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1A85.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1B05.tmp\Savon.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1B05.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1B16.tmp\Circuit.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD1B16.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1C12.tmp\Ion_Boardroom.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1C12.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1C72.tmp\Droplet.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1C72.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1DBC.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1DBC.tmp\myTemplate_02836342.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD1F25.tmp\Slate.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1F25.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD1FA4.tmp\Damask.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD1FA4.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD20A0.tmp\Depth.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD20A0.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD21AC.tmp\Madison.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD21AC.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD23E1.tmp\Main_Event.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD23E1.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD23F2.tmp\Mesh.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD23F2.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD24CF.tmp\Integral.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD24CF.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD258C.tmp\Celestial.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD258C.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD286D.tmp\Vapor_Trail.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD286D.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD4444.tmp\Organic.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
modified
C:\Users\user\AppData\Local\Temp\TCD4444.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\cab134F.tmp
Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1350.tmp
Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1351.tmp
Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1352.tmp
Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1353.tmp
Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1364.tmp
Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1365.tmp
Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1366.tmp
Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1367.tmp
Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1368.tmp
Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab137D.tmp
Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab138F.tmp
Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab13A4.tmp
Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab13A5.tmp
Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab13B5.tmp
Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab13B6.tmp
Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab13C7.tmp
Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1584.tmp
Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab15D5.tmp
Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab15D6.tmp
Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab15E6.tmp
Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab15E7.tmp
Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab162B.tmp
Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab169A.tmp
Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1748.tmp
Microsoft Cabinet archive data, many, 471473 bytes, 2 files, at 0x44 +A "content.inf" +A "Facet.thmx", flags 0x4, ID 35621, number 1, extra bytes 20 in head, 23 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1749.tmp
Microsoft Cabinet archive data, many, 480282 bytes, 2 files, at 0x44 +A "content.inf" +A "Wisp.thmx", flags 0x4, ID 56119, number 1, extra bytes 20 in head, 25 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab17C9.tmp
Microsoft Cabinet archive data, many, 437097 bytes, 2 files, at 0x44 +A "Atlas.thmx" +A "content.inf", flags 0x4, ID 18422, number 1, extra bytes 20 in head, 27 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab17E9.tmp
Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab181B.tmp
Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab187B.tmp
Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab19E4.tmp
Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1A44.tmp
Microsoft Cabinet archive data, many, 1072808 bytes, 2 files, at 0x44 +A "content.inf" +A "Retrospect.thmx", flags 0x4, ID 59128, number 1, extra bytes 20 in head, 50 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1A55.tmp
Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1AD5.tmp
Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1AE5.tmp
Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1BD3.tmp
Microsoft Cabinet archive data, many, 1377563 bytes, 2 files, at 0x44 +A "content.inf" +A "Ion_Boardroom.thmx", flags 0x4, ID 26781, number 1, extra bytes 20 in head, 49 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1C42.tmp
Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1D8C.tmp
Microsoft Cabinet archive data, many, 1593091 bytes, 2 files, at 0x44 +A "content.inf" +A "myTemplate_02836342.thmx", flags 0x4, ID 49870, number 1, extra bytes 20 in head, 56 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1EE6.tmp
Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab1F65.tmp
Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab2061.tmp
Microsoft Cabinet archive data, many, 2042491 bytes, 2 files, at 0x44 +A "content.inf" +A "Depth.thmx", flags 0x4, ID 63414, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab214D.tmp
Microsoft Cabinet archive data, many, 2132545 bytes, 2 files, at 0x44 +A "content.inf" +A "Madison.thmx", flags 0x4, ID 44832, number 1, extra bytes 20 in head, 75 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab2391.tmp
Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab23A2.tmp
Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab2480.tmp
Microsoft Cabinet archive data, many, 2738786 bytes, 2 files, at 0x44 +A "content.inf" +A "Integral.thmx", flags 0x4, ID 26156, number 1, extra bytes 20 in head, 106 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab251E.tmp
Microsoft Cabinet archive data, many, 2871083 bytes, 2 files, at 0x44 +A "Celestial.thmx" +A "content.inf", flags 0x4, ID 12122, number 1, extra bytes 20 in head, 101 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab280E.tmp
Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab4378.tmp
Microsoft Cabinet archive data, many, 8162257 bytes, 2 files, at 0x44 +A "content.inf" +A "Organic.thmx", flags 0x4, ID 28519, number 1, extra bytes 20 in head, 266 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Payout Receipts.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Feb 7 13:57:17 2024, mtime=Mon Dec 23 13:51:26 2024, atime=Mon Dec 23 13:51:25 2024, length=210772, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Generic INItialization configuration [folders]
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02836342[[fn=Ion]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02892315[[fn=Wisp]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900688[[fn=Facet]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900720[[fn=Integral]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900722[[fn=Ion Boardroom]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900743[[fn=Organic]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM02900769[[fn=Retrospect]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457452[[fn=Celestial]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033923[[fn=Depth]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401371[[fn=Atlas]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM16401375[[fn=Madison]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AO52DDPZQRJL50D7MAHS.temp
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ER1G0SIDQHNIMV695EW5.temp
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms (copy)
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms~RF1eb07.TMP (copy)
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 13:51:33 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 13:51:33 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 13:51:33 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 13:51:33 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 13:51:33 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
dropped
C:\Users\user\Desktop\~$Payout Receipts.pptx
data
dropped
Chrome Cache Entry: 241
HTML document, ASCII text, with very long lines (3436), with CRLF line terminators
downloaded
Chrome Cache Entry: 242
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 190152
dropped
Chrome Cache Entry: 243
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3651
dropped
Chrome Cache Entry: 244
ASCII text, with very long lines (8767), with no line terminators
downloaded
Chrome Cache Entry: 245
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 142367
dropped
Chrome Cache Entry: 246
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 450755
downloaded
Chrome Cache Entry: 247
PNG image data, 280 x 60, 8-bit/color RGBA, non-interlaced
downloaded
Chrome Cache Entry: 248
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513
dropped
Chrome Cache Entry: 249
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 142367
downloaded
Chrome Cache Entry: 250
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 26668
downloaded
Chrome Cache Entry: 251
ASCII text, with very long lines (8717), with no line terminators
dropped
Chrome Cache Entry: 252
ASCII text, with no line terminators
downloaded
Chrome Cache Entry: 253
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 450755
dropped
Chrome Cache Entry: 254
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1864
downloaded
Chrome Cache Entry: 255
PNG image data, 90 x 29, 8-bit/color RGB, non-interlaced
dropped
Chrome Cache Entry: 256
GIF image data, version 89a, 352 x 3
downloaded
Chrome Cache Entry: 257
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1592
downloaded
Chrome Cache Entry: 258
JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1916x820, components 3
downloaded
Chrome Cache Entry: 259
ASCII text, with very long lines (47691)
downloaded
Chrome Cache Entry: 260
GIF image data, version 89a, 352 x 3
downloaded
Chrome Cache Entry: 261
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1592
dropped
Chrome Cache Entry: 262
ASCII text, with very long lines (47691)
dropped
Chrome Cache Entry: 263
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513
downloaded
Chrome Cache Entry: 264
GIF image data, version 89a, 352 x 3
dropped
Chrome Cache Entry: 265
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 113769
dropped
Chrome Cache Entry: 266
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57510
dropped
Chrome Cache Entry: 267
GIF image data, version 89a, 352 x 3
dropped
Chrome Cache Entry: 268
JSON data
dropped
Chrome Cache Entry: 269
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3651
downloaded
Chrome Cache Entry: 270
PNG image data, 2 x 2, 8-bit/color RGB, non-interlaced
dropped
Chrome Cache Entry: 271
PNG image data, 280 x 60, 8-bit/color RGBA, non-interlaced
dropped
Chrome Cache Entry: 272
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 15755
downloaded
Chrome Cache Entry: 273
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 113769
downloaded
Chrome Cache Entry: 274
HTML document, ASCII text, with very long lines (3436), with CRLF line terminators
downloaded
Chrome Cache Entry: 275
JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1916x820, components 3
dropped
Chrome Cache Entry: 276
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 15755
dropped
Chrome Cache Entry: 277
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 113424
downloaded
Chrome Cache Entry: 278
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 26668
dropped
Chrome Cache Entry: 279
MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
downloaded
Chrome Cache Entry: 280
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1864
dropped
Chrome Cache Entry: 281
PNG image data, 90 x 29, 8-bit/color RGB, non-interlaced
downloaded
Chrome Cache Entry: 282
MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
dropped
Chrome Cache Entry: 283
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 406986
downloaded
Chrome Cache Entry: 284
PNG image data, 2 x 2, 8-bit/color RGB, non-interlaced
downloaded
Chrome Cache Entry: 285
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 406986
dropped
Chrome Cache Entry: 286
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57510
downloaded
Chrome Cache Entry: 287
gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 190152
downloaded

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\Payout Receipts.pptx" /ou ""
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "B03D092F-7F5E-4048-ACB1-F88BD33C4817" "ED1F2C40-EE04-44CB-AC33-81F3E7A49921" "7016" "C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE" "PowerPointCombinedFloatieLreOnline.onnx"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://google.com/amp/s/salesboost.com/jf#jennifer_wylie@iamgold.com
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1984,i,3837776693754288343,2079191398212795825,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

URLs

Name
IP
Malicious
https://login.365file.tech/
172.67.69.206
malicious
https://login.365file.tech/realm?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638705623427189137.ZjMxMzIyN2QtMGE3OC00NmM0LWE1MTUtZjIyOTAzNTFjOTNiMGY1ZDEyMTItODRlOC00ZDFiLWE1OTgtZDM3NTVkYzdlMTBh&ui_locales=en-US&mkt=en-US&client-request-id=2268d124-c00f-4338-9556-dd594fce6a57&state=tvii8EXN8vdyOmZPlmgT2ozXVAsKp5O-DVucGpacp0IskL2Bo9JmytF2a-VC6Z39FKl9fed1eRAF_O8X76DyfIJy5OI8lywMpfjKpViMqKuqVoEfpn8yNcfA390oWj8P6ISNSshBJ3f0qT1W6s3evXnNQHjODWy4hzgRj6ngKoLWn5QmSBT_NySCp-LH9nKEsj-vPZ3i4dnyd2GcEnv_hQ3OKEM1EG-x5pK1vMcuNP-G0aw83WQEv9wk8aAaP-03Qil3P1TyVDr0dx5hbxf5kA&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0&sso_reload=true#jennifer_wylie@iamgold.com=
malicious
https://login.365file.tech
unknown
malicious
https://login.365file.tech/realm?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638705623427189137.ZjMxMzIyN2QtMGE3OC00NmM0LWE1MTUtZjIyOTAzNTFjOTNiMGY1ZDEyMTItODRlOC00ZDFiLWE1OTgtZDM3NTVkYzdlMTBh&ui_locales=en-US&mkt=en-US&client-request-id=2268d124-c00f-4338-9556-dd594fce6a57&state=tvii8EXN8vdyOmZPlmgT2ozXVAsKp5O-DVucGpacp0IskL2Bo9JmytF2a-VC6Z39FKl9fed1eRAF_O8X76DyfIJy5OI8lywMpfjKpViMqKuqVoEfpn8yNcfA390oWj8P6ISNSshBJ3f0qT1W6s3evXnNQHjODWy4hzgRj6ngKoLWn5QmSBT_NySCp-LH9nKEsj-vPZ3i4dnyd2GcEnv_hQ3OKEM1EG-x5pK1vMcuNP-G0aw83WQEv9wk8aAaP-03Qil3P1TyVDr0dx5hbxf5kA&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0
172.67.69.206
https://login.365file.tech/cdn-cgi/challenge-platform/scripts/jsd/main.js
172.67.69.206
https://a.nel.cloudflare.com/report/v4?s=1fl16mbZGN4L%2BC0lQwIqaWE09wsbmfG0slCTbNhFwn%2FKL59MKSXOm5BohzorvipWbyXjZ9zWXZZw0%2Bl5UtAcKpAWyL3SP1gKL2jdzjEBaiAP5UiL1ZgP%2BmILzfInOQe02uGQOw%3D%3D
35.190.80.1
https://login.365file.tech/RKiKvqBc
172.67.69.206
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/i/8f692c38cb37c43b/1734965522353/HWsekBJnYLOyFP0
104.18.94.41
https://login.windows-ppe.net
unknown
https://autologon.microsoftazuread-sso.com/iamgold.com/winauth/ssoprobe?client-request-id=2268d124-c00f-4338-9556-dd594fce6a57&_=1734965562446
20.190.147.9
https://salesboost.com/jf/
52.89.58.139
https://login.365file.tech/favicon.ico
172.67.69.206
https://ywnjb.365file.tech/Me.htm?v=3
104.26.13.241
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/cmg/1
104.18.94.41
https://login.365file.tech/common/GetCredentialType?mkt=en-US
172.67.69.206
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/pat/8f692c38cb37c43b/1734965522352/7339b7655fb87e4c59a48d975d045630c30639ee310f0ebce0dfc6e6e6ed9473/43Aan-x4BPJpSgM
104.18.94.41
https://login.365file.tech/realm?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638705623427189137.ZjMxMzIyN2QtMGE3OC00NmM0LWE1MTUtZjIyOTAzNTFjOTNiMGY1ZDEyMTItODRlOC00ZDFiLWE1OTgtZDM3NTVkYzdlMTBh&ui_locales=en-US&mkt=en-US&client-request-id=2268d124-c00f-4338-9556-dd594fce6a57&state=tvii8EXN8vdyOmZPlmgT2ozXVAsKp5O-DVucGpacp0IskL2Bo9JmytF2a-VC6Z39FKl9fed1eRAF_O8X76DyfIJy5OI8lywMpfjKpViMqKuqVoEfpn8yNcfA390oWj8P6ISNSshBJ3f0qT1W6s3evXnNQHjODWy4hzgRj6ngKoLWn5QmSBT_NySCp-LH9nKEsj-vPZ3i4dnyd2GcEnv_hQ3OKEM1EG-x5pK1vMcuNP-G0aw83WQEv9wk8aAaP-03Qil3P1TyVDr0dx5hbxf5kA&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0#jennifer_wylie@iamgold.com
https://login.365file.tech/cdn-cgi/challenge-platform/h/b/scripts/jsd/787bc399e22f/main.js?
172.67.69.206
https://login.365file.tech/cdn-cgi/challenge-platform/h/b/jsd/r/8f692cfaadd6de93
172.67.69.206
https://login.365file.tech/realm?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638705623427189137.ZjMxMzIyN2QtMGE3OC00NmM0LWE1MTUtZjIyOTAzNTFjOTNiMGY1ZDEyMTItODRlOC00ZDFiLWE1OTgtZDM3NTVkYzdlMTBh&ui_locales=en-US&mkt=en-US&client-request-id=2268d124-c00f-4338-9556-dd594fce6a57&state=tvii8EXN8vdyOmZPlmgT2ozXVAsKp5O-DVucGpacp0IskL2Bo9JmytF2a-VC6Z39FKl9fed1eRAF_O8X76DyfIJy5OI8lywMpfjKpViMqKuqVoEfpn8yNcfA390oWj8P6ISNSshBJ3f0qT1W6s3evXnNQHjODWy4hzgRj6ngKoLWn5QmSBT_NySCp-LH9nKEsj-vPZ3i4dnyd2GcEnv_hQ3OKEM1EG-x5pK1vMcuNP-G0aw83WQEv9wk8aAaP-03Qil3P1TyVDr0dx5hbxf5kA&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0&sso_reload=true
172.67.69.206
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/flow/ov1/59012872:1734963193:dJWEVcwbrnL1TTil6YmxbJ4SlF5pcoUWsQBeHspz6pg/8f692c38cb37c43b/vxu2uxafbM96ucUzDK4INX7dCY8HEjZkkcnYJbZchuI-1734965518-1.1.1.1-Eh2ysBkS1kMovo4eqQXf9rKEAPgIZYIJhkH0RyZFQodz6oLCEt8BZW60dk029qUW
104.18.94.41
https://www.google.com/amp/s/salesboost.com/jf
172.217.21.36
https://a.nel.cloudflare.com/report/v4?s=Gi4947HrZfi9o1Ieftj0Ps5vDl%2F%2FdY8bfUKmop6%2FnbWEJQRIbqfHOVaYP%2FRf64yMeubajum%2BQF%2BJZIAaRxd2JoschL%2FQlPUIAqnrsLHeUOXW%2FcSKRnYRdKm%2BrvHI2VNOHDxKuA%3D%3D
35.190.80.1
https://salesboost.com/jf
52.89.58.139
https://login.365file.tech/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8f692c10de854314
172.67.69.206
https://login.365file.tech/cdn-cgi/challenge-platform/h/b/flow/ov1/737265407:1734963256:v--qV6PRwMGnawi4djvFIfSHLRJhT5kPAgN_50_G6Z4/8f692c10de854314/TOGNyk6aUIk0aC21kLKjtzNEZhHS8WCD.p47H0GGFwc-1734965511-1.2.1.1-7sDAwg8cay2RCE3vybEEKXLSGgaICCttt2YuZIwFInu4e3r4yVRObJ1QXzXyeYKi
172.67.69.206
https://login.365file.tech/common/instrumentation/dssostatus
172.67.69.206
https://login.365file.tech/RKiKvqBc#jennifer_wylie@iamgold.com
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/99bnk/0x4AAAAAAADnPIDROrmt1Wwj/light/fbE/normal/auto/
104.18.94.41
https://a.nel.cloudflare.com/report/v4?s=WmgreJCzr0OhAa%2BUePNmLDzkZpGA%2B8fFMsUmNarKdgD4Fd6OzX0lNRlseI4uIuNV%2BgML3cRdbqW%2B%2F%2FK5zo8C6mhLybSzH6SwbodfQog3BE%2Bso%2FKAjb0uStxNEWkpyigyDgnR3g%3D%3D
35.190.80.1
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_api/v1?ray=8f692c38cb37c43b&lang=auto
104.18.94.41
https://www.365file.tech/login
172.67.69.206

Domains

Name
IP
Malicious
google.com
172.217.17.46
a.nel.cloudflare.com
35.190.80.1
www.365file.tech
172.67.69.206
challenges.cloudflare.com
104.18.94.41
sni1gl.wpc.omegacdn.net
152.199.21.175
www.google.com
172.217.21.36
salesboost.com
52.89.58.139
s-part-0035.t-0009.t-msedge.net
13.107.246.63
login.365file.tech
172.67.69.206
ywnjb.365file.tech
104.26.13.241
autologon.microsoftazuread-sso.com
20.190.147.9
aadcdn.msauthimages.net
unknown
aadcdn.msftauth.net
unknown

IPs

IP
Domain
Country
Malicious
104.18.94.41
challenges.cloudflare.com
United States
192.168.2.16
unknown
unknown
192.168.2.4
unknown
unknown
172.67.69.206
www.365file.tech
United States
104.26.13.241
ywnjb.365file.tech
United States
172.217.21.36
www.google.com
United States
35.190.80.1
a.nel.cloudflare.com
United States
20.190.147.9
autologon.microsoftazuread-sso.com
United States
104.18.95.41
unknown
United States
52.89.58.139
salesboost.com
United States
239.255.255.250
unknown
Reserved

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\POWERPNT\7016
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Resiliency\StartupItems
|,=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Resiliency\StartupItems
;,=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\powerpoint
Language
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\powerpoint
EcsRequestPending
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\powerpoint
SubscriptionCustomerLicenseInfo
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\WEF
PowerPoint_RequireForceRefreshAtBoot
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Resiliency\DocumentRecovery\1C196
1C196
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Options
AppMaximized
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Options
Top
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Options
Left
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Options
Bottom
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Options
Right
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Resiliency\StartupItems
%-=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Resiliency\StartupItems
`.=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Resiliency\StartupItems
/.=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Resiliency\DocumentRecovery\1C2EE
1C2EE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Options
ShowSuggestionDialog
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\file mru
FOLDERID_Desktop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\file mru
FOLDERID_Documents
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Place MRU
FOLDERID_Desktop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Place MRU
FOLDERID_Documents
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\file mru
Item 21
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Place MRU
Item 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\TeachingCallouts
AccCheckerStatusBarTeachingCallout
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\BootTimeSkuOverride
{9E73CEA4-29D0-4D16-8FB9-5AB17387C960}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\CachedLicenseData
powerpnt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\16
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML
KnownIDs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\DefaultIcon
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\ShellEx\IconHandler
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile\DefaultIcon
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML
KnownIDs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit\command
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell
NULL
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\powerpoint
Expires
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\POWERPNT\7016
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018000DDDFEBB86
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}
DeviceTicket
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328935
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328884
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328983
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328893
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328990
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328975
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328986
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328972
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328940
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328908
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328905
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328925
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328932
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328998
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328919
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328916
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328951
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457515
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03090430
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457464
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457475
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457444
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457491
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM10001115
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM02900688
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM02892315
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM16401371
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457496
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03090434
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457503
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033917
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM10001114
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM02900769
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457510
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033919
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM02900722
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033925
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM02836342
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033929
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033921
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033923
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM16401375
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033927
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457485
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM02900720
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457452
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033937
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM02900743
There are 456 hidden registries, click here to show them.

DOM / HTML

URL
Malicious