Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
_FM_BUSAN_HOCHIMINH_.xlsx
|
CDFV2 Encrypted
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\~$_FM_BUSAN_HOCHIMINH_.xlsx
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
downloaded
|
|
|
|
C:\Users\Public\vbc.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7D1365BD-572E-4B01-B81C-338095DDB517
|
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\243BBE31.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2EA1469F.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\37992E7E.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3E7E5F3C.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5379E248.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\659B9067.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7559DAF0.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\92B388A3.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D338BE0D.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E0A1A796.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E487A1EB.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E4DFD4AA.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E6612DA9.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF41E48DC5999769CD.TMP
|
CDFV2 Encrypted
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF46678429D5C1163F.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFCD447DFDBA0B9D87.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFD9862BF895814717.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\364E3B76.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\53C8C381.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56B0538E.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FD2FA65.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6157F522.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6EA96328.jpeg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames
3
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87C9FA8A.emf
|
Windows Enhanced Metafile (EMF) image data version 0x10000
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8CB27180.png
|
PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92ED0EF4.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC3008FF.png
|
PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB03F909.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D68EB503.png
|
PNG image data, 139 x 180, 8-bit colormap, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED74FEBB.png
|
PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF0E35C54C087F7535.TMP
|
CDFV2 Encrypted
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF2D24CE383036F6FE.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF6D2E29A086E66B49.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DFE7F835AEEEC2A8C9.TMP
|
data
|
dropped
|
There are 29 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
|
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
|
|
|
|
C:\Users\Public\vbc.exe
|
"C:\Users\Public\vbc.exe"
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
|
||
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://198.46.132.195/ProgramFile/.win32.exe
|
198.46.132.195
|
|
|
|
https://api.diagnosticssdf.office.com
|
unknown
|
||
|
https://login.microsoftonline.com/
|
unknown
|
||
|
https://shell.suite.office.com:1443
|
unknown
|
||
|
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
|
unknown
|
||
|
https://autodiscover-s.outlook.com/
|
unknown
|
||
|
https://roaming.edog.
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
|
unknown
|
||
|
https://cdn.entity.
|
unknown
|
||
|
https://api.addins.omex.office.net/appinfo/query
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/tenantassociationkey
|
unknown
|
||
|
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
|
unknown
|
||
|
https://powerlift.acompli.net
|
unknown
|
||
|
https://rpsticket.partnerservices.getmicrosoftkey.com
|
unknown
|
||
|
https://lookup.onenote.com/lookup/geolocation/v1
|
unknown
|
||
|
https://cortana.ai
|
unknown
|
||
|
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://cloudfiles.onenote.com/upload.aspx
|
unknown
|
||
|
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://entitlement.diagnosticssdf.office.com
|
unknown
|
||
|
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
|
unknown
|
||
|
https://api.aadrm.com/
|
unknown
|
||
|
https://ofcrecsvcapi-int.azurewebsites.net/
|
unknown
|
||
|
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
|
unknown
|
||
|
https://api.microsoftstream.com/api/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
|
unknown
|
||
|
https://cr.office.com
|
unknown
|
||
|
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
|
unknown
|
||
|
https://portal.office.com/account/?ref=ClientMeControl
|
unknown
|
||
|
https://graph.ppe.windows.net
|
unknown
|
||
|
https://res.getmicrosoftkey.com/api/redemptionevents
|
unknown
|
||
|
https://powerlift-frontdesk.acompli.net
|
unknown
|
||
|
https://tasks.office.com
|
unknown
|
||
|
https://officeci.azurewebsites.net/api/
|
unknown
|
||
|
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
|
unknown
|
||
|
https://store.office.cn/addinstemplate
|
unknown
|
||
|
https://api.aadrm.com
|
unknown
|
||
|
https://outlook.office.com/autosuggest/api/v1/init?cvid=
|
unknown
|
||
|
https://globaldisco.crm.dynamics.com
|
unknown
|
||
|
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://dev0-api.acompli.net/autodetect
|
unknown
|
||
|
https://www.odwebp.svc.ms
|
unknown
|
||
|
https://api.diagnosticssdf.office.com/v2/feedback
|
unknown
|
||
|
https://api.powerbi.com/v1.0/myorg/groups
|
unknown
|
||
|
https://web.microsoftstream.com/video/
|
unknown
|
||
|
https://api.addins.store.officeppe.com/addinstemplate
|
unknown
|
||
|
https://graph.windows.net
|
unknown
|
||
|
https://dataservice.o365filtering.com/
|
unknown
|
||
|
https://officesetup.getmicrosoftkey.com
|
unknown
|
||
|
https://analysis.windows.net/powerbi/api
|
unknown
|
||
|
https://prod-global-autodetect.acompli.net/autodetect
|
unknown
|
||
|
https://outlook.office365.com/autodiscover/autodiscover.json
|
unknown
|
||
|
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
|
unknown
|
||
|
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
|
unknown
|
||
|
https://ncus.contentsync.
|
unknown
|
||
|
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
|
unknown
|
||
|
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
|
unknown
|
||
|
http://weather.service.msn.com/data.aspx
|
unknown
|
||
|
https://apis.live.net/v5.0/
|
unknown
|
||
|
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
|
unknown
|
||
|
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
|
unknown
|
||
|
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
|
unknown
|
||
|
https://management.azure.com
|
unknown
|
||
|
https://outlook.office365.com
|
unknown
|
||
|
https://wus2.contentsync.
|
unknown
|
||
|
https://incidents.diagnostics.office.com
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/ios
|
unknown
|
||
|
https://insertmedia.bing.office.net/odc/insertmedia
|
unknown
|
||
|
https://o365auditrealtimeingestion.manage.office.com
|
unknown
|
||
|
https://outlook.office365.com/api/v1.0/me/Activities
|
unknown
|
||
|
https://api.office.net
|
unknown
|
||
|
https://incidents.diagnosticssdf.office.com
|
unknown
|
||
|
https://asgsmsproxyapi.azurewebsites.net/
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/android/policies
|
unknown
|
||
|
https://entitlement.diagnostics.office.com
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
|
unknown
|
||
|
https://substrate.office.com/search/api/v2/init
|
unknown
|
||
|
https://outlook.office.com/
|
unknown
|
||
|
https://storage.live.com/clientlogs/uploadlocation
|
unknown
|
||
|
https://outlook.office365.com/
|
unknown
|
||
|
https://webshell.suite.office.com
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
|
unknown
|
||
|
https://substrate.office.com/search/api/v1/SearchHistory
|
unknown
|
||
|
https://management.azure.com/
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize
|
unknown
|
||
|
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://graph.windows.net/
|
unknown
|
||
|
https://api.powerbi.com/beta/myorg/imports
|
unknown
|
||
|
https://devnull.onenote.com
|
unknown
|
||
|
https://ncus.pagecontentsync.
|
unknown
|
||
|
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
|
unknown
|
||
|
https://messaging.office.com/
|
unknown
|
||
|
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://augloop.office.com/v2
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
|
unknown
|
||
|
https://skyapi.live.net/Activity/
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/mac
|
unknown
|
||
|
https://dataservice.o365filtering.com
|
unknown
|
||
|
https://api.cortana.ai
|
unknown
|
||
|
https://onedrive.live.com
|
unknown
|
||
|
http://crl.thawte.com/ThawteTimestampingCA.crl0
|
unknown
|
||
|
https://www.chiark.greenend.org.uk/~sgtatham/putty/
|
unknown
|
||
|
https://www.chiark.greenend.org.uk/~sgtatham/putty/0
|
unknown
|
||
|
http://ocsp.thawte.com0
|
unknown
|
There are 95 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
198.46.132.195
|
unknown
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
|
|u>
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
|
}u>
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
RemoteClearDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3
|
Last
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
FilePath
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
StartDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
EndDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Properties
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Url
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
LastClean
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableWinHttpCertAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableIsOwnerRegex
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableSessionAwareHttpClose
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALForExtendedApps
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALSetSilentAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableGuestCredProvider
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableOstringReplace
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\4CEE6
|
4CEE6
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
|
MSForms
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
|
MSComctlLib
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
|
d&?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
|
6b?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\59217
|
59217
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\5991C
|
5991C
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 21
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\General
|
FileFormatBallotBoxAppIDBootedOnce
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingConfigurableSettings
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastSyncTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastWriteTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\59217
|
59217
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
CacheReady
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
LastRequest
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
CacheReady
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
LastUpdate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
NextUpdate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU\Change
|
ChangeId
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU\Change
|
ChangeId
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
un,
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2FF36
|
2FF36
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
|
yw,
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\34A78
|
34A78
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\35E94
|
35E94
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Max Display
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru
|
Item 21
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\34A78
|
34A78
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
EquationEditorFilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
There are 97 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
266C8563000
|
unkown
|
page read and write
|
||
|
266C8598000
|
unkown
|
page read and write
|
||
|
266C8593000
|
unkown
|
page read and write
|
||
|
1775885B000
|
unkown
|
page read and write
|
||
|
266C7C4D000
|
unkown
|
page read and write
|
||
|
266C7C55000
|
unkown
|
page read and write
|
||
|
20F88B02000
|
unkown
|
page read and write
|
||
|
266C8597000
|
unkown
|
page read and write
|
||
|
1D7E7A13000
|
unkown
|
page read and write
|
||
|
266C8598000
|
unkown
|
page read and write
|
||
|
266C7C54000
|
unkown
|
page read and write
|
||
|
266C8380000
|
remote allocation
|
page read and write
|
||
|
266C7C8A000
|
unkown
|
page read and write
|
||
|
266C7C83000
|
unkown
|
page read and write
|
||
|
266C858C000
|
unkown
|
page read and write
|
||
|
266C85A7000
|
unkown
|
page read and write
|
||
|
1EA5FFE000
|
stack
|
page read and write
|
||
|
6CD3F0E000
|
stack
|
page read and write
|
||
|
29219FA6000
|
heap
|
page read and write
|
||
|
6CD42FC000
|
stack
|
page read and write
|
||
|
31654FE000
|
stack
|
page read and write
|
||
|
6CD47FF000
|
stack
|
page read and write
|
||
|
266C8A00000
|
unkown
|
page read and write
|
||
|
266C8581000
|
unkown
|
page read and write
|
||
|
266C8598000
|
unkown
|
page read and write
|
||
|
266C8565000
|
unkown
|
page read and write
|
||
|
266C7D08000
|
unkown
|
page read and write
|
||
|
1D7E7A80000
|
unkown
|
page read and write
|
||
|
20F888D0000
|
heap
|
page read and write
|
||
|
1EA58BC000
|
stack
|
page read and write
|
||
|
20F888C0000
|
heap
|
page read and write
|
||
|
1D7E7A2A000
|
unkown
|
page read and write
|
||
|
266C8580000
|
unkown
|
page read and write
|
||
|
E54EE8B000
|
stack
|
page read and write
|
||
|
266C8556000
|
unkown
|
page read and write
|
||
|
266C85CC000
|
unkown
|
page read and write
|
||
|
1D7E7810000
|
heap
|
page read and write
|
||
|
1D7E7B13000
|
unkown
|
page read and write
|
||
|
29219F9B000
|
heap
|
page read and write
|
||
|
1EA593E000
|
stack
|
page read and write
|
||
|
266C8588000
|
unkown
|
page read and write
|
||
|
6CD477B000
|
stack
|
page read and write
|
||
|
266C7CD5000
|
unkown
|
page read and write
|
||
|
266C7CA5000
|
unkown
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
266C85A5000
|
unkown
|
page read and write
|
||
|
266C85A9000
|
unkown
|
page read and write
|
||
|
1D7E7B00000
|
unkown
|
page read and write
|
||
|
266C8A02000
|
unkown
|
page read and write
|
||
|
266C7D02000
|
unkown
|
page read and write
|
||
|
266C7CBC000
|
unkown
|
page read and write
|
||
|
E54F3FB000
|
stack
|
page read and write
|
||
|
2921A160000
|
heap
|
page read and write
|
||
|
266C85A9000
|
unkown
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
266C8581000
|
unkown
|
page read and write
|
||
|
266C8556000
|
unkown
|
page read and write
|
||
|
E8C067F000
|
stack
|
page read and write
|
||
|
266C8583000
|
unkown
|
page read and write
|
||
|
266C859D000
|
unkown
|
page read and write
|
||
|
266C85AD000
|
unkown
|
page read and write
|
||
|
266C8581000
|
unkown
|
page read and write
|
||
|
29219FC0000
|
heap
|
page read and write
|
||
|
1775883C000
|
unkown
|
page read and write
|
||
|
266C8585000
|
unkown
|
page read and write
|
||
|
266C85A9000
|
unkown
|
page read and write
|
||
|
266C7C13000
|
unkown
|
page read and write
|
||
|
17758620000
|
heap
|
page read and write
|
||
|
266C8563000
|
unkown
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
266C7C68000
|
unkown
|
page read and write
|
||
|
266C8380000
|
remote allocation
|
page read and write
|
||
|
266C7C58000
|
unkown
|
page read and write
|
||
|
1D7E7A00000
|
unkown
|
page read and write
|
||
|
266C8596000
|
unkown
|
page read and write
|
||
|
1EA5CFC000
|
stack
|
page read and write
|
||
|
266C85A2000
|
unkown
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
266C85CC000
|
unkown
|
page read and write
|
||
|
266C7CA5000
|
unkown
|
page read and write
|
||
|
2921A2A5000
|
heap
|
page read and write
|
||
|
266C8582000
|
unkown
|
page read and write
|
||
|
20F88930000
|
heap
|
page read and write
|
||
|
17758861000
|
unkown
|
page read and write
|
||
|
266C8A04000
|
unkown
|
page read and write
|
||
|
266C85AC000
|
unkown
|
page read and write
|
||
|
17758908000
|
unkown
|
page read and write
|
||
|
266C7C57000
|
unkown
|
page read and write
|
||
|
1EA59BE000
|
stack
|
page read and write
|
||
|
29219FA6000
|
heap
|
page read and write
|
||
|
1EA5DFB000
|
stack
|
page read and write
|
||
|
1D7E77B0000
|
heap
|
page read and write
|
||
|
266C8581000
|
unkown
|
page read and write
|
||
|
266C7CF5000
|
unkown
|
page read and write
|
||
|
29219FB7000
|
heap
|
page read and write
|
||
|
266C858C000
|
unkown
|
page read and write
|
||
|
29219FBD000
|
heap
|
page read and write
|
||
|
266C7C3C000
|
unkown
|
page read and write
|
||
|
266C7CEC000
|
unkown
|
page read and write
|
||
|
29219FBD000
|
heap
|
page read and write
|
||
|
6CD467E000
|
stack
|
page read and write
|
||
|
17758829000
|
unkown
|
page read and write
|
||
|
266C8585000
|
unkown
|
page read and write
|
||
|
17758863000
|
unkown
|
page read and write
|
||
|
266C8585000
|
unkown
|
page read and write
|
||
|
1775885F000
|
unkown
|
page read and write
|
||
|
266C8A0A000
|
unkown
|
page read and write
|
||
|
266C8598000
|
unkown
|
page read and write
|
||
|
266C8582000
|
unkown
|
page read and write
|
||
|
266C855E000
|
unkown
|
page read and write
|
||
|
29219FC7000
|
heap
|
page read and write
|
||
|
E8C057F000
|
stack
|
page read and write
|
||
|
266C7C00000
|
unkown
|
page read and write
|
||
|
E54EF8E000
|
stack
|
page read and write
|
||
|
29219FBD000
|
heap
|
page read and write
|
||
|
1EA60FF000
|
stack
|
page read and write
|
||
|
6CD49FF000
|
stack
|
page read and write
|
||
|
266C7C5B000
|
unkown
|
page read and write
|
||
|
316577B000
|
stack
|
page read and write
|
||
|
266C7C4C000
|
unkown
|
page read and write
|
||
|
266C7CEB000
|
unkown
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
20F88A47000
|
unkown
|
page read and write
|
||
|
266C7C50000
|
unkown
|
page read and write
|
||
|
1D7E7B02000
|
unkown
|
page read and write
|
||
|
266C7C4F000
|
unkown
|
page read and write
|
||
|
17758868000
|
unkown
|
page read and write
|
||
|
E8C06FF000
|
stack
|
page read and write
|
||
|
266C8591000
|
unkown
|
page read and write
|
||
|
266C85B2000
|
unkown
|
page read and write
|
||
|
E54F47E000
|
stack
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
2921A2A0000
|
heap
|
page read and write
|
||
|
266C85D4000
|
unkown
|
page read and write
|
||
|
17758800000
|
unkown
|
page read and write
|
||
|
266C8565000
|
unkown
|
page read and write
|
||
|
29219FB6000
|
heap
|
page read and write
|
||
|
266C7B90000
|
unkown
|
page read and write
|
||
|
E54EF0E000
|
stack
|
page read and write
|
||
|
266C7C4B000
|
unkown
|
page read and write
|
||
|
266C8593000
|
unkown
|
page read and write
|
||
|
266C8596000
|
unkown
|
page read and write
|
||
|
266C8583000
|
unkown
|
page read and write
|
||
|
1EA5EF7000
|
stack
|
page read and write
|
||
|
29219F20000
|
heap
|
page read and write
|
||
|
20F88B08000
|
unkown
|
page read and write
|
||
|
20F88B00000
|
unkown
|
page read and write
|
||
|
20F88A13000
|
unkown
|
page read and write
|
||
|
31657FF000
|
stack
|
page read and write
|
||
|
266C858D000
|
unkown
|
page read and write
|
||
|
20F88A2A000
|
unkown
|
page read and write
|
||
|
266C85BF000
|
unkown
|
page read and write
|
||
|
266C7C5A000
|
unkown
|
page read and write
|
||
|
266C8563000
|
unkown
|
page read and write
|
||
|
266C8576000
|
unkown
|
page read and write
|
||
|
266C8A02000
|
unkown
|
page read and write
|
||
|
1D7E7B08000
|
unkown
|
page read and write
|
||
|
6CD4577000
|
stack
|
page read and write
|
||
|
266C858A000
|
unkown
|
page read and write
|
||
|
266C8580000
|
unkown
|
page read and write
|
||
|
20F88A4B000
|
unkown
|
page read and write
|
||
|
266C858B000
|
unkown
|
page read and write
|
||
|
266C8594000
|
unkown
|
page read and write
|
||
|
266C8593000
|
unkown
|
page read and write
|
||
|
266C7B60000
|
heap
|
page read and write
|
||
|
20F88A49000
|
unkown
|
page read and write
|
||
|
20F88A6F000
|
unkown
|
page read and write
|
||
|
266C7D13000
|
unkown
|
page read and write
|
||
|
17758790000
|
unkown
|
page read and write
|
||
|
1D7E7A4E000
|
unkown
|
page read and write
|
||
|
266C8598000
|
unkown
|
page read and write
|
||
|
6CD3F8E000
|
stack
|
page read and write
|
||
|
266C8596000
|
unkown
|
page read and write
|
||
|
266C7C4A000
|
unkown
|
page read and write
|
||
|
29219FCD000
|
heap
|
page read and write
|
||
|
266C8555000
|
unkown
|
page read and write
|
||
|
31659FF000
|
stack
|
page read and write
|
||
|
17758690000
|
heap
|
page read and write
|
||
|
266C8580000
|
unkown
|
page read and write
|
||
|
266C7AF0000
|
heap
|
page read and write
|
||
|
266C8567000
|
unkown
|
page read and write
|
||
|
17758865000
|
unkown
|
page read and write
|
||
|
266C8581000
|
unkown
|
page read and write
|
||
|
17758852000
|
unkown
|
page read and write
|
||
|
29219FC0000
|
heap
|
page read and write
|
||
|
266C8585000
|
unkown
|
page read and write
|
||
|
E8C05F9000
|
stack
|
page read and write
|
||
|
E54F2FB000
|
stack
|
page read and write
|
||
|
E8C04FF000
|
stack
|
page read and write
|
||
|
E8C047A000
|
stack
|
page read and write
|
||
|
266C85A8000
|
unkown
|
page read and write
|
||
|
1D7E7A8A000
|
unkown
|
page read and write
|
||
|
266C7C29000
|
unkown
|
page read and write
|
||
|
6CD3E8C000
|
stack
|
page read and write
|
||
|
20F88A9E000
|
unkown
|
page read and write
|
||
|
266C7C53000
|
unkown
|
page read and write
|
||
|
266C8583000
|
unkown
|
page read and write
|
||
|
29219FCC000
|
heap
|
page read and write
|
||
|
266C8A0A000
|
unkown
|
page read and write
|
||
|
266C8585000
|
unkown
|
page read and write
|
||
|
E54F67E000
|
stack
|
page read and write
|
||
|
266C8560000
|
unkown
|
page read and write
|
||
|
266C8587000
|
unkown
|
page read and write
|
||
|
266C8567000
|
unkown
|
page read and write
|
||
|
266C8576000
|
unkown
|
page read and write
|
||
|
1D7E7A53000
|
unkown
|
page read and write
|
||
|
266C8583000
|
unkown
|
page read and write
|
||
|
3165AFE000
|
stack
|
page read and write
|
||
|
266C7B00000
|
heap
|
page read and write
|
||
|
29219FC8000
|
heap
|
page read and write
|
||
|
266C8585000
|
unkown
|
page read and write
|
||
|
2921A180000
|
heap
|
page read and write
|
||
|
17758902000
|
unkown
|
page read and write
|
||
|
E54F577000
|
stack
|
page read and write
|
||
|
1D7E7A48000
|
unkown
|
page read and write
|
||
|
E54F77E000
|
stack
|
page read and write
|
||
|
266C858B000
|
unkown
|
page read and write
|
||
|
20F89202000
|
unkown
|
page read and write
|
||
|
20F88A53000
|
unkown
|
page read and write
|
||
|
266C857B000
|
unkown
|
page read and write
|
||
|
1D7E8002000
|
unkown
|
page read and write
|
||
|
20F88A9B000
|
unkown
|
page read and write
|
||
|
266C850F000
|
unkown
|
page read and write
|
||
|
266C85A2000
|
unkown
|
page read and write
|
||
|
266C7CDE000
|
unkown
|
page read and write
|
||
|
6CD447E000
|
stack
|
page read and write
|
||
|
17758900000
|
unkown
|
page read and write
|
||
|
6CD43F8000
|
stack
|
page read and write
|
||
|
1D7E7A4C000
|
unkown
|
page read and write
|
||
|
266C8A0A000
|
unkown
|
page read and write
|
||
|
266C8596000
|
unkown
|
page read and write
|
||
|
1D7E7A6F000
|
unkown
|
page read and write
|
||
|
266C8597000
|
unkown
|
page read and write
|
||
|
266C854A000
|
unkown
|
page read and write
|
||
|
266C8515000
|
unkown
|
page read and write
|
||
|
17758913000
|
unkown
|
page read and write
|
||
|
266C8402000
|
unkown
|
page read and write
|
||
|
266C85A2000
|
unkown
|
page read and write
|
||
|
266C7C70000
|
unkown
|
page read and write
|
||
|
316547B000
|
stack
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
266C855E000
|
unkown
|
page read and write
|
||
|
31658F7000
|
stack
|
page read and write
|
||
|
266C7C49000
|
unkown
|
page read and write
|
||
|
29219FC0000
|
heap
|
page read and write
|
||
|
266C7CC3000
|
unkown
|
page read and write
|
||
|
266C8500000
|
unkown
|
page read and write
|
||
|
17759002000
|
unkown
|
page read and write
|
||
|
6CD48F9000
|
stack
|
page read and write
|
||
|
1775885D000
|
unkown
|
page read and write
|
||
|
266C858B000
|
unkown
|
page read and write
|
||
|
266C8585000
|
unkown
|
page read and write
|
||
|
266C7C68000
|
unkown
|
page read and write
|
||
|
266C8566000
|
unkown
|
page read and write
|
||
|
266C859B000
|
unkown
|
page read and write
|
||
|
20F88A74000
|
unkown
|
page read and write
|
||
|
266C85BA000
|
unkown
|
page read and write
|
||
|
29219FA1000
|
heap
|
page read and write
|
||
|
1775885A000
|
unkown
|
page read and write
|
||
|
266C8A6B000
|
unkown
|
page read and write
|
||
|
266C7D16000
|
unkown
|
page read and write
|
||
|
1D7E7A3C000
|
unkown
|
page read and write
|
||
|
20F88960000
|
unkown
|
page read and write
|
||
|
266C857C000
|
unkown
|
page read and write
|
||
|
20F88A81000
|
unkown
|
page read and write
|
||
|
266C8A02000
|
unkown
|
page read and write
|
||
|
20F88B13000
|
unkown
|
page read and write
|
||
|
266C857A000
|
unkown
|
page read and write
|
||
|
20F88A3C000
|
unkown
|
page read and write
|
||
|
17758813000
|
unkown
|
page read and write
|
||
|
17758802000
|
unkown
|
page read and write
|
||
|
1D7E7A02000
|
unkown
|
page read and write
|
||
|
1D7E77A0000
|
heap
|
page read and write
|
||
|
1775888A000
|
unkown
|
page read and write
|
||
|
1775887C000
|
unkown
|
page read and write
|
||
|
1D7E79E0000
|
unkown
|
page read and write
|
||
|
20F88A00000
|
unkown
|
page read and write
|
||
|
266C8560000
|
unkown
|
page read and write
|
||
|
266C8580000
|
unkown
|
page read and write
|
||
|
266C857E000
|
unkown
|
page read and write
|
||
|
266C8380000
|
remote allocation
|
page read and write
|
||
|
20F88A4E000
|
unkown
|
page read and write
|
||
|
29219F90000
|
heap
|
page read and write
|
||
|
266C85CD000
|
unkown
|
page read and write
|
||
|
17758630000
|
heap
|
page read and write
|
||
|
266C8593000
|
unkown
|
page read and write
|
||
|
316557E000
|
stack
|
page read and write
|
||
|
266C7CAF000
|
unkown
|
page read and write
|
There are 278 hidden memdumps, click here to show them.