Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
nested-a.manasova@mlsp.kg.eml
|
RFC 822 mail, ASCII text, with very long lines (400), with CRLF line terminators
|
initial sample
|
||
|
C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7C4856C6-FD49-4319-B677-3E70F8A1C4FB
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{8A306F73-3404-4219-9BCB-A31A99B4B2C8}.tmp
|
data
|
modified
|
||
|
C:\Users\user\Documents\Outlook Files\Outlook.pst
|
Microsoft Outlook email folder (>=2003)
|
dropped
|
||
|
C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp
|
data
|
dropped
|
||
|
C:\Windows\INF\Outlook\outlperf.h
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\INF\Outlook\outlperf.ini
|
Generic INItialization configuration [languages]
|
dropped
|
||
|
C:\Windows\SysWOW64\PerfStringBackup.INI
|
data
|
dropped
|
||
|
C:\Windows\SysWOW64\PerfStringBackup.TMP
|
data
|
dropped
|
||
|
C:\Windows\System32\perfc009.dat
|
data
|
dropped
|
||
|
C:\Windows\System32\perfh009.dat
|
data
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
|
C:\PROGRA~2\MICROS~1\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-a.manasova@mlsp.kg.eml
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://api.diagnosticssdf.office.com
|
unknown
|
||
|
https://login.microsoftonline.com/
|
unknown
|
||
|
https://shell.suite.office.com:1443
|
unknown
|
||
|
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
|
unknown
|
||
|
https://autodiscover-s.outlook.com/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
|
unknown
|
||
|
https://cdn.entity.
|
unknown
|
||
|
https://api.addins.omex.office.net/appinfo/query
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/tenantassociationkey
|
unknown
|
||
|
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
|
unknown
|
||
|
https://powerlift.acompli.net
|
unknown
|
||
|
https://rpsticket.partnerservices.getmicrosoftkey.com
|
unknown
|
||
|
https://lookup.onenote.com/lookup/geolocation/v1
|
unknown
|
||
|
https://cortana.ai
|
unknown
|
||
|
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://cloudfiles.onenote.com/upload.aspx
|
unknown
|
||
|
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://entitlement.diagnosticssdf.office.com
|
unknown
|
||
|
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
|
unknown
|
||
|
https://api.aadrm.com/
|
unknown
|
||
|
https://ofcrecsvcapi-int.azurewebsites.net/
|
unknown
|
||
|
https://www.yammer.com
|
unknown
|
||
|
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
|
unknown
|
||
|
https://api.microsoftstream.com/api/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
|
unknown
|
||
|
https://cr.office.com
|
unknown
|
||
|
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
|
unknown
|
||
|
https://portal.office.com/account/?ref=ClientMeControl
|
unknown
|
||
|
https://graph.ppe.windows.net
|
unknown
|
||
|
https://res.getmicrosoftkey.com/api/redemptionevents
|
unknown
|
||
|
https://powerlift-frontdesk.acompli.net
|
unknown
|
||
|
https://tasks.office.com
|
unknown
|
||
|
https://officeci.azurewebsites.net/api/
|
unknown
|
||
|
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
|
unknown
|
||
|
https://api.scheduler.
|
unknown
|
||
|
https://my.microsoftpersonalcontent.com
|
unknown
|
||
|
https://store.office.cn/addinstemplate
|
unknown
|
||
|
https://api.aadrm.com
|
unknown
|
||
|
https://outlook.office.com/autosuggest/api/v1/init?cvid=
|
unknown
|
||
|
https://globaldisco.crm.dynamics.com
|
unknown
|
||
|
https://messaging.engagement.office.com/
|
unknown
|
||
|
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://dev0-api.acompli.net/autodetect
|
unknown
|
||
|
https://www.odwebp.svc.ms
|
unknown
|
||
|
https://api.diagnosticssdf.office.com/v2/feedback
|
unknown
|
||
|
https://api.powerbi.com/v1.0/myorg/groups
|
unknown
|
||
|
https://web.microsoftstream.com/video/
|
unknown
|
||
|
https://api.addins.store.officeppe.com/addinstemplate
|
unknown
|
||
|
https://graph.windows.net
|
unknown
|
||
|
https://dataservice.o365filtering.com/
|
unknown
|
||
|
https://officesetup.getmicrosoftkey.com
|
unknown
|
||
|
https://analysis.windows.net/powerbi/api
|
unknown
|
||
|
https://prod-global-autodetect.acompli.net/autodetect
|
unknown
|
||
|
https://outlook.office365.com/autodiscover/autodiscover.json
|
unknown
|
||
|
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
|
unknown
|
||
|
https://consent.config.office.com/consentcheckin/v1.0/consents
|
unknown
|
||
|
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
|
unknown
|
||
|
https://d.docs.live.net
|
unknown
|
||
|
https://ncus.contentsync.
|
unknown
|
||
|
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
|
unknown
|
||
|
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
|
unknown
|
||
|
http://weather.service.msn.com/data.aspx
|
unknown
|
||
|
https://apis.live.net/v5.0/
|
unknown
|
||
|
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
|
unknown
|
||
|
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
|
unknown
|
||
|
https://messaging.lifecycle.office.com/
|
unknown
|
||
|
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
|
unknown
|
||
|
https://pushchannel.1drv.ms
|
unknown
|
||
|
https://management.azure.com
|
unknown
|
||
|
https://outlook.office365.com
|
unknown
|
||
|
https://wus2.contentsync.
|
unknown
|
||
|
https://incidents.diagnostics.office.com
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/ios
|
unknown
|
||
|
https://make.powerautomate.com
|
unknown
|
||
|
https://insertmedia.bing.office.net/odc/insertmedia
|
unknown
|
||
|
https://o365auditrealtimeingestion.manage.office.com
|
unknown
|
||
|
https://outlook.office365.com/api/v1.0/me/Activities
|
unknown
|
||
|
https://api.office.net
|
unknown
|
||
|
https://incidents.diagnosticssdf.office.com
|
unknown
|
||
|
https://asgsmsproxyapi.azurewebsites.net/
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/android/policies
|
unknown
|
||
|
https://entitlement.diagnostics.office.com
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
|
unknown
|
||
|
https://substrate.office.com/search/api/v2/init
|
unknown
|
||
|
https://outlook.office.com/
|
unknown
|
||
|
https://storage.live.com/clientlogs/uploadlocation
|
unknown
|
||
|
https://login.windows.local
|
unknown
|
||
|
https://outlook.office365.com/
|
unknown
|
||
|
https://webshell.suite.office.com
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
|
unknown
|
||
|
https://substrate.office.com/search/api/v1/SearchHistory
|
unknown
|
||
|
https://management.azure.com/
|
unknown
|
||
|
https://messaging.lifecycle.office.com/getcustommessage16
|
unknown
|
||
|
https://api.officescripts.microsoftusercontent.com/api
|
unknown
|
||
|
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize
|
unknown
|
||
|
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://graph.windows.net/
|
unknown
|
There are 90 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
192.168.2.1
|
unknown
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
e:?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
f:?
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
PerfIniFile
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
|
Updating
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
Last Counter
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
Last Help
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
First Counter
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
First Help
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\f0\52C64B7E
|
@%SystemRoot%\system32\mlang.dll,-4612
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\f0\52C64B7E
|
@%SystemRoot%\system32\mlang.dll,-4608
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
RemoteClearDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3
|
Last
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
FilePath
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
StartDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
EndDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Properties
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Url
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
LastClean
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableWinHttpCertAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableIsOwnerRegex
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableSessionAwareHttpClose
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALForExtendedApps
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALSetSilentAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableGuestCredProvider
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableOstringReplace
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDSharedFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail
|
FirstRunOnRTM
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
h$?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Display Types\Balloons
|
HWND64ForOrphanedNotIcon
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
w$?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
w$?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
w$?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
w$?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
%%?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
%%?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
%%?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
%%?
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
|
11023d05
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents
|
LastPurgeTime
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
OUTLOOKFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\SQM
|
SQMSessionNumber
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\SQM
|
SQMSessionDate
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
|
Last Counter
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
|
Last Help
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
|
00030429
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
LastChangeVer
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage
|
OutlookMAPI2Intl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
OutlookMAPI2
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
OUTLOOKFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Exchange\Forms Registry
|
CacheSyncCount
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingConfigurableSettings
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastSyncTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastWriteTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
ColleagueImport.ColleagueImportAddin
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\ColleagueImport.ColleagueImportAddin
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\Microsoft.VbaAddinForOutlook.1
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
OneNote.OutlookAddin
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
OscAddin.Connect
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\OscAddin.Connect
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
UCAddin.LyncAddin.1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\UCAddin.LyncAddin.1
|
1
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage
|
OUTLOOKFilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
UmOutlookAddin.FormRegionAddin
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\UmOutlookAddin.FormRegionAddin
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\UserInfo
|
CountQuickSteps
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
LastChangeVer
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
LastChangeVer
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Search\Catalog
|
C:\Users\user\Documents\Outlook Files\Outlook.pst
|
There are 77 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
257DC691000
|
heap
|
page read and write
|
||
|
257DC689000
|
heap
|
page read and write
|
||
|
257DC5A0000
|
heap
|
page read and write
|
||
|
257DC890000
|
trusted library allocation
|
page read and write
|
||
|
257DD410000
|
trusted library allocation
|
page read and write
|
||
|
7E548FF000
|
stack
|
page read and write
|
||
|
257DC630000
|
trusted library allocation
|
page read and write
|
||
|
257DC8C9000
|
heap
|
page read and write
|
||
|
257DC6B0000
|
heap
|
page read and write
|
||
|
257DC8A0000
|
heap
|
page readonly
|
||
|
7E54879000
|
stack
|
page read and write
|
||
|
7E5467B000
|
stack
|
page read and write
|
||
|
257DC691000
|
heap
|
page read and write
|
||
|
257DC640000
|
heap
|
page read and write
|
||
|
257DC8C0000
|
heap
|
page read and write
|
||
|
257DC8C5000
|
heap
|
page read and write
|
||
|
257DC6A7000
|
heap
|
page read and write
|
||
|
257DC620000
|
trusted library allocation
|
page read and write
|
||
|
257DC8D0000
|
trusted library allocation
|
page read and write
|
||
|
257DD1B0000
|
trusted library allocation
|
page read and write
|
||
|
257DC610000
|
trusted library allocation
|
page read and write
|
||
|
257DC8B0000
|
trusted library allocation
|
page read and write
|
||
|
257DD3C0000
|
trusted library allocation
|
page read and write
|
||
|
257DC450000
|
trusted library allocation
|
page read and write
|
||
|
7E54979000
|
stack
|
page read and write
|
||
|
257DC648000
|
heap
|
page read and write
|
||
|
7E547FD000
|
stack
|
page read and write
|
||
|
7E5477E000
|
stack
|
page read and write
|
||
|
257DC440000
|
heap
|
page read and write
|
||
|
257DC580000
|
heap
|
page read and write
|
||
|
257DC691000
|
heap
|
page read and write
|
||
|
7E546FE000
|
stack
|
page read and write
|
There are 22 hidden memdumps, click here to show them.