Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\e5#U7248.exe

"C:\Users\user\Desktop\e5#U7248.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7116
Target ID:	1
Parent PID:	4244
Name:	e5#U7248.exe
Path:	C:\Users\user\Desktop\e5#U7248.exe
Commandline:	"C:\Users\user\Desktop\e5#U7248.exe"
Size:	4937216
MD5:	032E7E721DFE5DBC95BB91A3BC2E935C
Time:	11:18:23
Date:	24/05/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6c97a0000
Modulesize:	4976640
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Self deletion via cmd delete	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\Public\Music\e5#U7248.exe

Details

Is windows:	false
Is dropped:	true
PID:	6884
Target ID:	12
Parent PID:	7116
Name:	e5#U7248.exe
Path:	C:\Users\Public\Music\e5#U7248.exe
Commandline:	C:\Users\Public\Music\e5#U7248.exe
Size:	4937216
MD5:	032E7E721DFE5DBC95BB91A3BC2E935C
Time:	11:19:09
Date:	24/05/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff79e5b0000
Modulesize:	4976640
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Self deletion via cmd delete	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\e5#U7248.exe > nul

Details

Is windows:	true
Is dropped:	false
PID:	820
Target ID:	16
Parent PID:	7116
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\e5#U7248.exe > nul
Size:	273920
MD5:	4E2ACF4F8A396486AB4268C94A6A245F
Time:	11:19:41
Date:	24/05/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6edbd0000
Modulesize:	405504
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Self deletion via cmd delete	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE

C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\e5#U7248.pptx" /ou "

Details

Is windows:	true
Is dropped:	false
PID:	3256
Target ID:	11
Parent PID:	7116
Name:	POWERPNT.EXE
Class:	office
Path:	C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\e5#U7248.pptx" /ou "
Size:	1849008
MD5:	68F52CD14C61DDC941769B55AE3F2EE9
Time:	11:19:09
Date:	24/05/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x1040000
Modulesize:	1855488
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6852
Target ID:	19
Parent PID:	820
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	11:19:45
Date:	24/05/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6406f0000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://service-ep07djah-1306669097.bj.apigw.tencentcs.com:443/bootstrap-2.min.js

https://api.diagnosticssdf.office.com

unknown

https://login.microsoftonline.com/

unknown

https://shell.suite.office.com:1443

unknown

https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize

unknown

http://rs.qbox.me/chtype/RGJhay9jaGRiOnFpbml1LnBuZw==/type/1

unknown

https://autodiscover-s.outlook.com/

unknown

https://roaming.edog.

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr

unknown

https://cdn.entity.

unknown

https://api.addins.omex.office.net/appinfo/query

unknown

https://clients.config.office.net/user/v1.0/tenantassociationkey

unknown

https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/

unknown

https://powerlift.acompli.net

unknown

https://rpsticket.partnerservices.getmicrosoftkey.com

unknown

https://lookup.onenote.com/lookup/geolocation/v1

unknown

http://api.qiniu.com

unknown

https://cortana.ai

unknown

https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

http://rs.qbox.mehttp://rsf.qbox.mehttp://api.qiniu.comhttp://fusion.qiniuapi.comhttp://uc.qbox.meht

unknown

https://cloudfiles.onenote.com/upload.aspx

unknown

https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://entitlement.diagnosticssdf.office.com

unknown

https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy

unknown

https://api.aadrm.com/

unknown

http://rs.qbox.me/chtype/RGJhay9jaGRiOnFpbml1LnBuZw==/type/1da

unknown

https://curl.se/docs/hsts.html

unknown

https://ofcrecsvcapi-int.azurewebsites.net/

unknown

https://service-ep07djah-1306669097.bj.apigw.tencentcs.com/bootstrap-2.min.js

unknown

https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies

unknown

https://api.microsoftstream.com/api/

unknown

https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive

unknown

https://cr.office.com

unknown

https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h

unknown

https://portal.office.com/account/?ref=ClientMeControl

unknown

https://graph.ppe.windows.net

unknown

https://res.getmicrosoftkey.com/api/redemptionevents

unknown

https://powerlift-frontdesk.acompli.net

unknown

https://tasks.office.com

unknown

https://officeci.azurewebsites.net/api/

unknown

https://service-ep07djah-1306669097.bj.apigw.tencentcs.com/bootstrap-2.min.jsT

unknown

https://sr.outlook.office.net/ws/speech/recognize/assistant/work

unknown

http://upload.qiniup.com

unknown

https://store.office.cn/addinstemplate

unknown

https://api.aadrm.com

unknown

https://outlook.office.com/autosuggest/api/v1/init?cvid=

unknown

https://globaldisco.crm.dynamics.com

unknown

https://messaging.engagement.office.com/

unknown

https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://dev0-api.acompli.net/autodetect

unknown

https://www.odwebp.svc.ms

unknown

https://api.diagnosticssdf.office.com/v2/feedback

unknown

https://api.powerbi.com/v1.0/myorg/groups

unknown

https://web.microsoftstream.com/video/

unknown

https://api.addins.store.officeppe.com/addinstemplate

unknown

https://curl.se/docs/alt-svc.html

unknown

https://graph.windows.net

unknown

https://dataservice.o365filtering.com/

unknown

https://officesetup.getmicrosoftkey.com

unknown

https://analysis.windows.net/powerbi/api

unknown

https://prod-global-autodetect.acompli.net/autodetect

unknown

https://outlook.office365.com/autodiscover/autodiscover.json

unknown

https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios

unknown

https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json

unknown

https://ncus.contentsync.

unknown

https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false

unknown

https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/

unknown

http://weather.service.msn.com/data.aspx

unknown

https://apis.live.net/v5.0/

unknown

https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks

unknown

https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios

unknown

https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

unknown

https://management.azure.com

unknown

https://outlook.office365.com

unknown

https://wus2.contentsync.

unknown

https://incidents.diagnostics.office.com

unknown

https://clients.config.office.net/user/v1.0/ios

unknown

https://insertmedia.bing.office.net/odc/insertmedia

unknown

http://iovip.qbox.me

unknown

https://o365auditrealtimeingestion.manage.office.com

unknown

https://outlook.office365.com/api/v1.0/me/Activities

unknown

https://api.office.net

unknown

https://incidents.diagnosticssdf.office.com

unknown

http://fusion.qiniuapi.com

unknown

https://asgsmsproxyapi.azurewebsites.net/

unknown

https://clients.config.office.net/user/v1.0/android/policies

unknown

https://entitlement.diagnostics.office.com

unknown

http://rs.qbox.me/chtype/RGJhay9jaGRiOnFpbml1LnBuZw==/type/1-1000

unknown

https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json

unknown

https://substrate.office.com/search/api/v2/init

unknown

https://outlook.office.com/

unknown

https://storage.live.com/clientlogs/uploadlocation

unknown

https://outlook.office365.com/

unknown

https://webshell.suite.office.com

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive

unknown

https://substrate.office.com/search/api/v1/SearchHistory

unknown

http://rsf.qbox.me

unknown

https://management.azure.com/

unknown

https://clients.config.office.net/c2r/v1.0/InteractiveInstallation

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

service-ep07djah-1306669097.bj.apigw.tencentcs.com

unknown

Details

Name:	service-ep07djah-1306669097.bj.apigw.tencentcs.com
TargetID:	12
Current Path:	C:\Users\Public\Music\e5#U7248.exe

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

1-1.bj.apigwtencent.com

49.233.94.119

kodo-elb-z0.qbox.me

115.231.97.60

rs.qbox.me

unknown

Details

Name:	rs.qbox.me
TargetID:	12
Current Path:	C:\Users\Public\Music\e5#U7248.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

115.231.97.60

kodo-elb-z0.qbox.me

China

49.233.94.119

1-1.bj.apigwtencent.com

China

180.101.136.19

unknown

China

127.0.0.1

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

PPTFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\f0\52C64B7E

@C:\Program Files\Common Files\Microsoft Shared\Office16\oregres.dll,-204

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE.ApplicationCompany

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Resiliency\StartupItems

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\options

DesktopBootGuid

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Resiliency\DocumentRecovery\35100

35100

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\options

AppMaximized

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\options

Top

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\options

Left

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\options

Bottom

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\options

Right

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

RemoteClearDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3

Last

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Resiliency\StartupItems

~21

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

FilePath

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

StartDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

EndDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Properties

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Url

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableWinHttpCertAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableIsOwnerRegex

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableSessionAwareHttpClose

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALForExtendedApps

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALSetSilentAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableGuestCredProvider

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableOstringReplace

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Resiliency\DocumentRecovery\358D0

358D0

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Place MRU\Change

ChangeId

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru\Change

ChangeId

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Place MRU

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 21

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

PPTFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Resiliency\DocumentRecovery\35100

35100

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Resiliency\DocumentRecovery\358D0

358D0

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

CacheReady

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

LastRequest

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

CacheReady

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

LastUpdate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

NextUpdate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\Place MRU\Change

ChangeId

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\PowerPoint\file mru\Change

ChangeId

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

There are 65 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1C8CA0EB000

heap

page read and write

1C8CA290000

direct allocation

page execute and read and write

265BBFD3000

heap

page read and write

150D073B000

heap

page read and write

1AD76567000

heap

page read and write

14D0023B000

heap

page read and write

A81AFFD000

stack

page read and write

14D002FA000

heap

page read and write

91D3CFB000

stack

page read and write

8AF1078000

stack

page read and write

150D07DD000

heap

page read and write

1DC6C0B0000

trusted library allocation

page read and write

265BBFEF000

heap

page read and write

1AD76596000

heap

page read and write

150D0787000

heap

page read and write

56F12FE000

stack

page read and write

265BBFE2000

heap

page read and write

1F09F330000

heap

page read and write

14D7AA8D000

heap

page read and write

14D7AA57000

heap

page read and write

14D7AA6F000

heap

page read and write

1F09F44D000

heap

page read and write

F2F9F9D000

stack

page read and write

1AD75CF5000

heap

page read and write

23916655000

heap

page read and write

1AD75D08000

heap

page read and write

A81B4FE000

stack

page read and write

1AD76583000

heap

page read and write

14D0028A000

heap

page read and write

1AD765A5000

heap

page read and write

8AF0FF9000

stack

page read and write

91D447E000

stack

page read and write

1AD76A03000

heap

page read and write

7FF6C9A21000

unkown

page readonly

14D00184000

trusted library allocation

page read and write

1F34F302000

heap

page read and write

14D002F7000

heap

page read and write

14D00302000

heap

page read and write

56F13F9000

stack

page read and write

1AD765A5000

heap

page read and write

F2F9F1C000

stack

page read and write

14D00164000

trusted library allocation

page read and write

1F34F300000

heap

page read and write

1DC6BEE0000

heap

page read and write

23916670000

heap

page read and write

29F94A84000

heap

page read and write

265BBFC7000

heap

page read and write

29F94A6A000

heap

page read and write

1AD76589000

heap

page read and write

7FF79E5B1000

unkown

page execute read

14D7BA20000

trusted library section

page readonly

1AD76515000

heap

page read and write

1F09FE02000

trusted library allocation

page read and write

1AD75D16000

heap

page read and write

1AD75C49000

heap

page read and write

731407E000

stack

page read and write

265BC160000

heap

page read and write

4E164FE000

stack

page read and write

150D07A3000

heap

page read and write

29F95202000

trusted library allocation

page read and write

EBB7977000

stack

page read and write

1DC6C10F000

heap

page read and write

14D00180000

trusted library allocation

page read and write

7FF6C9A18000

unkown

page write copy

265BC0B0000

heap

page read and write

265BBFF6000

heap

page read and write

29F94A78000

heap

page read and write

1AD75CD8000

heap

page read and write

1AD76A02000

heap

page read and write

1AD76594000

heap

page read and write

1C8CA149000

heap

page read and write

1AD76594000

heap

page read and write

1AD75C3C000

heap

page read and write

150D07E4000

heap

page read and write

4E162FE000

stack

page read and write

1AD765A2000

heap

page read and write

7FF6C97A0000

unkown

page readonly

2391664B000

heap

page read and write

1F09F481000

heap

page read and write

1DC6C108000

heap

page read and write

1AD75CC9000

heap

page read and write

150D0A20000

heap

page read and write

14D7B601000

trusted library allocation

page read and write

1DC6CF80000

heap

page readonly

1F09F390000

heap

page read and write

1C8CA060000

heap

page read and write

14D7BA10000

trusted library section

page readonly

7FF79E831000

unkown

page readonly

4E169FB000

stack

page read and write

14D00302000

heap

page read and write

1AD75CE9000

heap

page read and write

1AD76960000

remote allocation

page read and write

150D0970000

heap

page read and write

14D002E7000

heap

page read and write

1AD75C13000

heap

page read and write

14D7AA79000

heap

page read and write

7FF6C9978000

unkown

page readonly

2391668A000

heap

page read and write

150D07D4000

heap

page read and write

265BBFE2000

heap

page read and write

23916657000

heap

page read and write

1AD76583000

heap

page read and write

1F34F271000

heap

page read and write

1F09F45A000

heap

page read and write

91D40FB000

stack

page read and write

265BBFD9000

heap

page read and write

1AD75C4B000

heap

page read and write

14D7FFA0000

trusted library allocation

page read and write

F2FA4FF000

stack

page read and write

14D004A0000

remote allocation

page read and write

3D0947F000

stack

page read and write

1C8CA080000

heap

page read and write

14D00460000

trusted library allocation

page read and write

A81A79B000

stack

page read and write

1AD76402000

heap

page read and write

3D08FFA000

stack

page read and write

150D0730000

heap

page read and write

1AD75CA5000

heap

page read and write

1AD75C6F000

heap

page read and write

1DC6C399000

heap

page read and write

1DC6CFA0000

trusted library allocation

page read and write

29F94A2D000

heap

page read and write

7313D0B000

stack

page read and write

F2FA5F7000

stack

page read and write

150D07E2000

heap

page read and write

23916647000

heap

page read and write

1C8CA129000

heap

page read and write

3D091FF000

stack

page read and write

1F34F23C000

heap

page read and write

1AD76585000

heap

page read and write

1F09F477000

heap

page read and write

1F34F202000

heap

page read and write

150D0766000

heap

page read and write

14D7AB13000

heap

page read and write

1AD75A60000

heap

page read and write

1F34F180000

heap

page read and write

7FF6C9978000

unkown

page readonly

1C8CBE10000

remote allocation

page read and write

14D7BB50000

trusted library allocation

page read and write

1DC6CD50000

trusted library allocation

page read and write

150D07D2000

heap

page read and write

1AD765AC000

heap

page read and write

150D0773000

heap

page read and write

1AD765A5000

heap

page read and write

EBB767F000

stack

page read and write

EBB777B000

stack

page read and write

1AD75A50000

heap

page read and write

EBB787B000

stack

page read and write

265BBFCF000

heap

page read and write

150D07C8000

heap

page read and write

A81B2F9000

stack

page read and write

1DC6C3A0000

trusted library allocation

page read and write

1AD75C99000

heap

page read and write

1AD76A02000

heap

page read and write

7FF79E82F000

unkown

page read and write

1DC6C129000

heap

page read and write

4E163FF000

stack

page read and write

14D7BFA0000

trusted library allocation

page read and write

1AD76583000

heap

page read and write

7FF79E5B1000

unkown

page execute read

14D00200000

heap

page read and write

3D090FA000

stack

page read and write

1AD76562000

heap

page read and write

7314377000

stack

page read and write

8AF10FE000

stack

page read and write

14D0014E000

trusted library allocation

page read and write

14D002F5000

heap

page read and write

1AD76583000

heap

page read and write

14D00480000

trusted library allocation

page read and write

1AD765A9000

heap

page read and write

14D7BF90000

trusted library allocation

page read and write

1AD765A5000

heap

page read and write

23916702000

heap

page read and write

23916629000

heap

page read and write

1F34F264000

heap

page read and write

34930BB000

stack

page read and write

1AD765A2000

heap

page read and write

2391664C000

heap

page read and write

23916659000

heap

page read and write

265BBFB7000

heap

page read and write

23916600000

heap

page read and write

1DC6C0C0000

heap

page read and write

1AD75C47000

heap

page read and write

1AD75C29000

heap

page read and write

14D7AAAF000

heap

page read and write

1AD76583000

heap

page read and write

56F127C000

stack

page read and write

1AD7656C000

heap

page read and write

731457F000

stack

page read and write

1DC6CF90000

trusted library allocation

page read and write

7FF79E788000

unkown

page readonly

14D7AA13000

heap

page read and write

1AD765A6000

heap

page read and write

29F94A29000

heap

page read and write

1AD76585000

heap

page read and write

91D4577000

stack

page read and write

1F09F502000

heap

page read and write

91D3D7D000

stack

page read and write

1F09F476000

heap

page read and write

1F09F3C0000

trusted library allocation

page read and write

7FF6C9A18000

unkown

page read and write

1AD76583000

heap

page read and write

1DC6CFF0000

trusted library allocation

page read and write

150D0773000

heap

page read and write

150D0781000

heap

page read and write

1AD76581000

heap

page read and write

7FF6C97A1000

unkown

page execute read

14D7B500000

heap

page read and write

1F34F170000

heap

page read and write

29F94A13000

heap

page read and write

1AD76567000

heap

page read and write

14D00214000

heap

page read and write

1DC6C0D1000

heap

page read and write

29F94A4C000

heap

page read and write

3D095FB000

stack

page read and write

4E16AFE000

stack

page read and write

14D002A0000

trusted library allocation

page read and write

14D7AAA0000

heap

page read and write

1AD765D7000

heap

page read and write

1DC6C395000

heap

page read and write

150D07DE000

heap

page read and write

14D7AA00000

heap

page read and write

265BBFB0000

heap

page read and write

EBB7B7F000

stack

page read and write

14D00161000

trusted library allocation

page read and write

1AD76A02000

heap

page read and write

7FF79E5B0000

unkown

page readonly

1AD75CB1000

heap

page read and write

14D00140000

trusted library allocation

page read and write

1AD76960000

remote allocation

page read and write

14D7A9E0000

trusted library section

page read and write

91D4377000

stack

page read and write

14D004A0000

remote allocation

page read and write

23916713000

heap

page read and write

29F94A49000

heap

page read and write

EBB7A7E000

stack

page read and write

1AD76585000

heap

page read and write

7FF6C9A21000

unkown

page readonly

14D002FD000

heap

page read and write

29F94B00000

heap

page read and write

14D7B400000

heap

page read and write

1C8CA2B0000

heap

page read and write

731447F000

stack

page read and write

14D7B415000

heap

page read and write

29F94A8E000

heap

page read and write

2391664D000

heap

page read and write

1AD75CB6000

heap

page read and write

23916613000

heap

page read and write

3D093FE000

stack

page read and write

14D7AA8F000

heap

page read and write

265BBFD0000

heap

page read and write

14D7BF71000

trusted library allocation

page read and write

1F34F258000

heap

page read and write

14D7B402000

heap

page read and write

23916677000

heap

page read and write

150D0781000

heap

page read and write

7FF6C97A0000

unkown

page readonly

1F09F43C000

heap

page read and write

1AD76587000

heap

page read and write

1AD76595000

heap

page read and write

EBB73EF000

stack

page read and write

265BC0D0000

heap

page read and write

265BBFF5000

heap

page read and write

265BBFD7000

heap

page read and write

1AD75C4C000

heap

page read and write

1AD76583000

heap

page read and write

265BBFE2000

heap

page read and write

1AD76A02000

heap

page read and write

150D07E1000

heap

page read and write

1F34F213000

heap

page read and write

1AD76A02000

heap

page read and write

29F94810000

heap

page read and write

29F94B13000

heap

page read and write

150D0768000

heap

page read and write

150D2621000

heap

page read and write

1AD7656A000

heap

page read and write

14D7FFB0000

trusted library allocation

page read and write

1DC6C360000

trusted library allocation

page read and write

4E166FE000

stack

page read and write

1AD765BB000

heap

page read and write

1F34F1E0000

heap

page read and write

23916650000

heap

page read and write

3D08A9B000

stack

page read and write

1C8CBE10000

remote allocation

page read and write

1AD7656E000

heap

page read and write

8AF0E7A000

stack

page read and write

1AD7655F000

heap

page read and write

14D002FB000

heap

page read and write

F2FA27E000

stack

page read and write

14D002D7000

heap

page read and write

14D00160000

trusted library allocation

page read and write

7FF79E828000

unkown

page write copy

29F94A00000

heap

page read and write

1AD76567000

heap

page read and write

14D7FFF0000

trusted library allocation

page read and write

7FF6C97A1000

unkown

page execute read

1F09F508000

heap

page read and write

F2FA6FF000

stack

page read and write

14D00470000

trusted library allocation

page read and write

3D098FA000

stack

page read and write

150D0660000

heap

page read and write

150D2518000

heap

page read and write

1AD75AC0000

heap

page read and write

1AD75BC0000

trusted library allocation

page read and write

1AD76594000

heap

page read and write

150D07F9000

heap

page read and write

7313D8F000

stack

page read and write

3D09AFE000

stack

page read and write

56F1579000

stack

page read and write

1F34FA80000

trusted library allocation

page read and write

1F09F476000

heap

page read and write

F2FA37C000

stack

page read and write

91D45FF000

unkown

page read and write

1AD76595000

heap

page read and write

1C8CBE10000

remote allocation

page read and write

150D06F0000

heap

page read and write

1AD75C00000

heap

page read and write

14D002EF000

heap

page read and write

1F09F400000

heap

page read and write

14D7BA30000

trusted library section

page readonly

1AD7658F000

heap

page read and write

1AD765AA000

heap

page read and write

7FF6C9A1F000

unkown

page read and write

23916708000

heap

page read and write

150D0781000

heap

page read and write

1AD76583000

heap

page read and write

29F94A4E000

heap

page read and write

3D097FE000

stack

page read and write

14D002B1000

heap

page read and write

1AD76569000

heap

page read and write

150D07C6000

heap

page read and write

A81AEFF000

stack

page read and write

1AD76594000

heap

page read and write

1AD76565000

heap

page read and write

150D0775000

heap

page read and write

29F94800000

heap

page read and write

1AD75CEC000

heap

page read and write

14D7AAFD000

heap

page read and write

EBB736B000

stack

page read and write

150D07EA000

heap

page read and write

4E168FE000

stack

page read and write

14D7AA29000

heap

page read and write

7FF79E828000

unkown

page read and write

7FF79E5B0000

unkown

page readonly

56F137F000

stack

page read and write

1DC6C350000

trusted library allocation

page read and write

150D07D7000

heap

page read and write

1DC6C10F000

heap

page read and write

29F94A3C000

heap

page read and write

1AD76500000

heap

page read and write

14D7A9A0000

heap

page read and write

1DC6C0C8000

heap

page read and write

1AD76583000

heap

page read and write

1F09F460000

heap

page read and write

F2FA47B000

stack

page read and write

14D7B518000

heap

page read and write

14D00410000

trusted library allocation

page read and write

23916658000

heap

page read and write

A81B0FE000

stack

page read and write

14D7AA9E000

heap

page read and write

1C8CA111000

heap

page read and write

23917002000

trusted library allocation

page read and write

1AD76585000

heap

page read and write

14D7AA93000

heap

page read and write

1AD76584000

heap

page read and write

1AD76567000

heap

page read and write

34936FE000

stack

page read and write

56F147A000

stack

page read and write

150D06D0000

heap

page read and write

14D7AB26000

heap

page read and write

14D0022B000

heap

page read and write

8AF0EFE000

stack

page read and write

14D7A940000

heap

page read and write

3D092FB000

stack

page read and write

23916646000

heap

page read and write

14D00248000

heap

page read and write

1DC6C040000

heap

page read and write

14D7A9D0000

trusted library allocation

page read and write

1C8CA2B5000

heap

page read and write

239165D0000

heap

page read and write

91D417E000

stack

page read and write

23916560000

heap

page read and write

14D7B559000

heap

page read and write

4E15D9B000

stack

page read and write

150D0781000

heap

page read and write

731417C000

stack

page read and write

A81ADFE000

stack

page read and write

1AD76518000

heap

page read and write

1AD7656A000

heap

page read and write

14D00170000

trusted library allocation

page read and write

91D4278000

stack

page read and write

23916E70000

trusted library allocation

page read and write

1DC6C10F000

heap

page read and write

23916626000

heap

page read and write

14D7BA50000

trusted library section

page readonly

4E167FE000

stack

page read and write

7FF79E831000

unkown

page readonly

14D7B559000

heap

page read and write

A81B3FE000

stack

page read and write

A81B1FE000

stack

page read and write

1AD765D5000

heap

page read and write

1C8C9FF0000

heap

page read and write

150D07E0000

heap

page read and write

150D07D7000

heap

page read and write

56F14FE000

stack

page read and write

1F09F320000

heap

page read and write

1AD765AC000

heap

page read and write

150D07C1000

heap

page read and write

150D07A9000

heap

page read and write

23916570000

heap

page read and write

1AD76583000

heap

page read and write

14D00450000

trusted library allocation

page read and write

150D07D7000

heap

page read and write

150D07A8000

heap

page read and write

14D0021D000

heap

page read and write

1F34FC02000

trusted library allocation

page read and write

8AF0F7F000

stack

page read and write

1DC6BEF0000

trusted library allocation

page read and write

1AD7659A000

heap

page read and write

1AD76A02000

heap

page read and write

1DC6C390000

heap

page read and write

1F34F200000

heap

page read and write

91D46FC000

stack

page read and write

34938FE000

stack

page read and write

1AD76583000

heap

page read and write

265BBFD2000

heap

page read and write

3D0967F000

stack

page read and write

29F94B08000

heap

page read and write

29F94970000

trusted library allocation

page read and write

14D7AA74000

heap

page read and write

150D07E7000

heap

page read and write

1AD76960000

remote allocation

page read and write

14D7B513000

heap

page read and write

150D07AD000

heap

page read and write

2391664F000

heap

page read and write

34935FB000

stack

page read and write

7FF79E788000

unkown

page readonly

14D7AB02000

heap

page read and write

150D2620000

heap

page read and write

150D0766000

heap

page read and write

265BBE80000

heap

page read and write

1AD76513000

heap

page read and write

14D00170000

trusted library allocation

page read and write

14D00290000

trusted library allocation

page read and write

1AD7656A000

heap

page read and write

1AD75C48000

heap

page read and write

14D00148000

trusted library allocation

page read and write

1F34F313000

heap

page read and write

1AD75CAC000

heap

page read and write

1DC6C020000

heap

page read and write

1AD76A20000

heap

page read and write

14D7AA77000

heap

page read and write

14D7AA3C000

heap

page read and write

1F09F413000

heap

page read and write

14D7B518000

heap

page read and write

1AD76594000

heap

page read and write

14D7BA60000

trusted library section

page readonly

23916682000

heap

page read and write

1DC6C380000

trusted library allocation

page read and write

4E165FE000

stack

page read and write

23916652000

heap

page read and write

14D7B502000

heap

page read and write

1AD76585000

heap

page read and write

1C8CA0A0000

heap

page read and write

265BC165000

heap

page read and write

14D00140000

trusted library allocation

page read and write

1AD76A00000

heap

page read and write

150D07F0000

heap

page read and write

1C8CA0A8000

heap

page read and write

1AD76570000

heap

page read and write

29F94B02000

heap

page read and write

1F09F466000

heap

page read and write

4E160FE000

stack

page read and write

14D7BF93000

trusted library allocation

page read and write

265BBFF1000

heap

page read and write

1AD7652E000

heap

page read and write

A81AAFF000

stack

page read and write

150D07CE000

heap

page read and write

1F34F228000

heap

page read and write

731427B000

stack

page read and write

29F94870000

heap

page read and write

1AD765B5000

heap

page read and write

150D0779000

heap

page read and write

29F94A53000

heap

page read and write

1AD75D13000

heap

page read and write

1AD75CEC000

heap

page read and write

14D7BA40000

trusted library section

page readonly

3D0937E000

stack

page read and write

14D00030000

trusted library allocation

page read and write

150D077D000

heap

page read and write

1AD765B4000

heap

page read and write

3D096FF000

stack

page read and write

8AF117C000

stack

page read and write

34937FB000

stack

page read and write

A81ACFF000

stack

page read and write

1F09F429000

heap

page read and write

91D3DFE000

stack

page read and write

1AD76596000

heap

page read and write

150D0A25000

heap

page read and write

23916700000

heap

page read and write

14D7A930000

heap

page read and write

265BBFC2000

heap

page read and write

1F09F513000

heap

page read and write

1AD76567000

heap

page read and write

265BBFC7000

heap

page read and write

3D094FF000

stack

page read and write

14D004A0000

remote allocation

page read and write

1AD75CE0000

heap

page read and write

150D07A4000

heap

page read and write

1F09F500000

heap

page read and write

23916654000

heap

page read and write

2391663C000

heap

page read and write

1AD75CC3000

heap

page read and write

F2FA7FF000

stack

page read and write

3D08EF7000

stack

page read and write

1AD75D02000

heap

page read and write

14D00261000

heap

page read and write

1AD7656A000

heap

page read and write

There are 508 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
e5#U7248.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporte5#U7248.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
e5#U7248.exe