Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
valliant.document.08.11.2022.doc
|
Zip archive data, at least v2.0 to extract
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Temp\y6712.tmp.dll
|
HTML document, ASCII text
|
modified
|
|
|
|
C:\Users\user\AppData\Local\Temp\yD159.tmp.dll
|
HTML document, ASCII text
|
modified
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\valliant.document.08.11.2022.doc.LNK
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:42
2022, mtime=Fri Aug 12 00:58:40 2022, atime=Fri Aug 12 00:58:35 2022, length=2221348, window=hide
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\y831A.tmp.dll
|
HTML document, ASCII text
|
modified
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\-f[1].htm
|
HTML document, ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\valliant.document.08.11.2022.LNK
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:52
2022, mtime=Tue Mar 8 15:45:52 2022, atime=Fri Aug 12 01:10:10 2022, length=2316502, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
|
data
|
dropped
|
||
|
C:\Users\user\Desktop\~$lliant.document.08.11.2022.doc
|
data
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WINWORD.EXE_2bb258ba8dfc7dfa5c63c367cd77571e93c8305c_5f94c319_0841aa39\Report.wer
|
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FDB.tmp.dmp
|
Mini DuMP crash report, 15 streams, Fri Aug 12 01:59:11 2022, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER980A.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9962.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2687EECC-4F43-442C-AA69-7E12CA414CA2
|
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\-f[1].htm
|
HTML document, ASCII text
|
downloaded
|
There are 6 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
|
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
|
|
|
|
C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
|
"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4128
|
|
|
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 4132
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f
|
45.8.146.139
|
||
|
https://shell.suite.office.com:1443
|
unknown
|
||
|
https://autodiscover-s.outlook.com/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize0_
|
unknown
|
||
|
https://cdn.entity.
|
unknown
|
||
|
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeB%
|
unknown
|
||
|
https://messaging.action.office.com/setuseraction16A
|
unknown
|
||
|
https://outlook.office365.com/d0
|
unknown
|
||
|
https://rpsticket.partnerservices.getmicrosoftkey.com
|
unknown
|
||
|
https://lookup.onenote.com/lookup/geolocation/v1
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizePt
|
unknown
|
||
|
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://settings.outlook.comS
|
unknown
|
||
|
http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-f71USERNAME=userUSERPROFILE=C:
|
unknown
|
||
|
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
|
unknown
|
||
|
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech)
|
unknown
|
||
|
https://api.aadrm.com/
|
unknown
|
||
|
https://dataservice.o365filtering.com/Ep
|
unknown
|
||
|
https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectoryTV
|
unknown
|
||
|
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
|
unknown
|
||
|
https://api.microsoftstream.com/api/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
|
unknown
|
||
|
https://cr.office.com
|
unknown
|
||
|
https://web.microsoftstream.com/video/#rF
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeQu
|
unknown
|
||
|
https://res.getmicrosoftkey.com/api/redemptionevents
|
unknown
|
||
|
https://tasks.office.com
|
unknown
|
||
|
https://officeci.azurewebsites.net/api/
|
unknown
|
||
|
https://my.microsoftpersonalcontent.com
|
unknown
|
||
|
http://45.8.146.139/fhfty/SKWR8YXON-RX9R4781JWMO3UUH0NGDBO/-fOOC:
|
unknown
|
||
|
https://store.office.cn/addinstemplate
|
unknown
|
||
|
https://messaging.engagement.office.com/
|
unknown
|
||
|
https://onedrive.live.com/embed?i
|
unknown
|
||
|
https://loki.delve.office.com/api/v1/configuration/officewin32/.
|
unknown
|
||
|
https://graph.ppe.windows.net/%
|
unknown
|
||
|
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://www.odwebp.svc.ms
|
unknown
|
||
|
https://api.powerbi.com/v1.0/myorg/groups
|
unknown
|
||
|
https://clients.config.office.net/ds
|
unknown
|
||
|
https://web.microsoftstream.com/video/
|
unknown
|
||
|
https://api.addins.store.officeppe.com/addinstemplate
|
unknown
|
||
|
https://substrate.office.comp
|
unknown
|
||
|
https://graph.windows.net
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeR$
|
unknown
|
||
|
https://dataservice.o365filtering.com/ym
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize/_
|
unknown
|
||
|
https://augloop.office.com/v2(
|
unknown
|
||
|
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
|
unknown
|
||
|
https://dataservice.o365filtering.com2p7
|
unknown
|
||
|
https://ncus.contentsync.
|
unknown
|
||
|
https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord8
|
unknown
|
||
|
https://substrate.office.comN
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize&zJ
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeA$
|
unknown
|
||
|
https://outlook.office365.com/autodiscover/autodiscover.jsonV
|
unknown
|
||
|
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
|
unknown
|
||
|
http://weather.service.msn.com/data.aspx
|
unknown
|
||
|
https://substrate.office.comP
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeOt
|
unknown
|
||
|
https://substrate.office.comV
|
unknown
|
||
|
https://dataservice.o365filtering.com)n0
|
unknown
|
||
|
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
|
unknown
|
||
|
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
|
unknown
|
||
|
https://substrate.office.comW
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeb
|
unknown
|
||
|
https://wus2.contentsync.
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorized
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize~t
|
unknown
|
||
|
https://globaldisco.crm.dynamics.comom
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/ios
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizep$
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeX
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeY
|
unknown
|
||
|
https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-androidv.
|
unknown
|
||
|
https://o365auditrealtimeingestion.manage.office.com
|
unknown
|
||
|
https://outlook.office.com&
|
unknown
|
||
|
https://outlook.office365.com/api/v1.0/me/Activities
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/android/policies
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeR
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeS
|
unknown
|
||
|
https://analysis.windows.net/powerbi/apiU
|
unknown
|
||
|
https://entitlement.diagnostics.office.com
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeW
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeH
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
|
unknown
|
||
|
https://outlook.office.com/
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/mack
|
unknown
|
||
|
https://storage.live.com/clientlogs/uploadlocation
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeN
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeB
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize;u%
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeC
|
unknown
|
||
|
https://substrate.office.com/search/api/v1/SearchHistory
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeF
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorizeq%
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize;
|
unknown
|
There are 90 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
45.8.146.139
|
unknown
|
Russian Federation
|
||
|
192.168.2.1
|
unknown
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
va0
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
|
MTTT
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
>c0
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
`e0
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
TCWP5FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
TCWP6FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover
|
Extensions
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos
|
Extensions
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x
|
Extensions
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\6589B
|
6589B
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
WORDFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
TCWP5FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
TCWP6FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
TCWP5FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage
|
TCWP6FilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
|
SavedLegacySettings
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
7|)
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
8|)
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
b )
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
RemoteClearDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3
|
Last
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
FilePath
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
StartDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
EndDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Properties
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Url
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
LastClean
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableWinHttpCertAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableIsOwnerRegex
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableSessionAwareHttpClose
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALForExtendedApps
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALSetSilentAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableGuestCredProvider
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableOstringReplace
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
:&)
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Extensions
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage
|
TCWP5FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage
|
TCWP6FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\1C446
|
1C446
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0
|
MSForms
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0
|
MSComctlLib
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Extensions
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Extensions
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage
|
TCWP5FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage
|
TCWP6FilesIntl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
|
AmiHivePermissionsCorrect
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
|
AmiHiveOwnerCorrect
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
ProgramId
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
FileId
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
LongPathHash
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
Name
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
Publisher
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
Version
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
BinFileVersion
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
BinaryType
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
ProductName
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
ProductVersion
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
LinkDate
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
BinProductVersion
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
Size
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
Language
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
IsPeFile
|
||
|
\REGISTRY\A\{9f411095-9d39-752b-f6d7-827ebc15715b}\Root\InventoryApplicationFile\winword.exe|597535ad
|
IsOsComponent
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
|
ExceptionRecord
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property
|
0018800453F4626F
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
=--
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
!/-
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
o1-
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\671B6
|
671B6
|
There are 94 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2A0000
|
heap
|
page read and write
|
||
|
1A0000
|
heap
|
page read and write
|
||
|
49A000
|
stack
|
page read and write
|
||
|
2F7000
|
heap
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
2F0000
|
heap
|
page read and write
|
||
|
57E000
|
stack
|
page read and write
|
||
|
2A4000
|
heap
|
page read and write
|
||
|
12D000
|
stack
|
page read and write
|
||
|
7EFE0000
|
unkown
|
page readonly
|
||
|
1D6000
|
heap
|
page read and write
|
||
|
69F000
|
stack
|
page read and write
|
||
|
1510000
|
heap
|
page read and write
|
||
|
336000
|
heap
|
page read and write
|
||
|
32D000
|
heap
|
page read and write
|
||
|
B4F000
|
stack
|
page read and write
|
There are 6 hidden memdumps, click here to show them.