Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1600
Target ID:	0
Parent PID:	576
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	18:05:18
Date:	11/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fac0000
Modulesize:	1437696
Wow64:	false

C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	5352
Target ID:	0
Parent PID:	756
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Size:	1937688
MD5:	0B9AB9B9C4DE429473D6450D4297A123
Time:	17:57:55
Date:	11/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa00000
Modulesize:	1933312
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe

"C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe" "C:\Users\user\AppData\Local\Temp\y133.tmp.dll",#1

Details

Is windows:	false
Is dropped:	true
PID:	1992
Target ID:	3
Parent PID:	5352
Name:	r3F3.tmp.exe
Path:	C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\r3F3.tmp.exe" "C:\Users\user\AppData\Local\Temp\y133.tmp.dll",#1
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	17:58:08
Date:	11/08/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (creates forbidden files)	Software Vulnerabilities	Exploitation for Client Execution
Document exploit detected (drops PE files)	Software Vulnerabilities	Exploitation for Client Execution
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Office process drops PE file	System Summary
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm

45.8.146.139

https://api.diagnosticssdf.office.com

unknown

https://login.microsoftonline.com/

unknown

https://shell.suite.office.com:1443

unknown

https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize

unknown

https://autodiscover-s.outlook.com/

unknown

https://roaming.edog.

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr

unknown

https://cdn.entity.

unknown

https://api.addins.omex.office.net/appinfo/query

unknown

https://clients.config.office.net/user/v1.0/tenantassociationkey

unknown

https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/

unknown

https://powerlift.acompli.net

unknown

https://rpsticket.partnerservices.getmicrosoftkey.com

unknown

https://lookup.onenote.com/lookup/geolocation/v1

unknown

https://cortana.ai

unknown

https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://cloudfiles.onenote.com/upload.aspx

unknown

https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://entitlement.diagnosticssdf.office.com

unknown

https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy

unknown

https://api.aadrm.com/

unknown

https://ofcrecsvcapi-int.azurewebsites.net/

unknown

https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies

unknown

https://api.microsoftstream.com/api/

unknown

https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive

unknown

https://cr.office.com

unknown

https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h

unknown

https://portal.office.com/account/?ref=ClientMeControl

unknown

https://graph.ppe.windows.net

unknown

https://res.getmicrosoftkey.com/api/redemptionevents

unknown

https://powerlift-frontdesk.acompli.net

unknown

https://tasks.office.com

unknown

https://officeci.azurewebsites.net/api/

unknown

http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rmP

unknown

https://sr.outlook.office.net/ws/speech/recognize/assistant/work

unknown

https://my.microsoftpersonalcontent.com

unknown

https://store.office.cn/addinstemplate

unknown

https://api.aadrm.com

unknown

https://outlook.office.com/autosuggest/api/v1/init?cvid=

unknown

https://globaldisco.crm.dynamics.com

unknown

https://messaging.engagement.office.com/

unknown

https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://dev0-api.acompli.net/autodetect

unknown

https://www.odwebp.svc.ms

unknown

https://api.diagnosticssdf.office.com/v2/feedback

unknown

https://api.powerbi.com/v1.0/myorg/groups

unknown

https://web.microsoftstream.com/video/

unknown

https://api.addins.store.officeppe.com/addinstemplate

unknown

https://graph.windows.net

unknown

https://dataservice.o365filtering.com/

unknown

https://officesetup.getmicrosoftkey.com

unknown

https://analysis.windows.net/powerbi/api

unknown

https://prod-global-autodetect.acompli.net/autodetect

unknown

https://outlook.office365.com/autodiscover/autodiscover.json

unknown

https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios

unknown

https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices

unknown

https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json

unknown

https://ncus.contentsync.

unknown

https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false

unknown

https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/

unknown

http://weather.service.msn.com/data.aspx

unknown

https://apis.live.net/v5.0/

unknown

https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks

unknown

https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios

unknown

https://messaging.lifecycle.office.com/

unknown

https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

unknown

https://management.azure.com

unknown

https://outlook.office365.com

unknown

https://wus2.contentsync.

unknown

https://incidents.diagnostics.office.com

unknown

https://clients.config.office.net/user/v1.0/ios

unknown

https://insertmedia.bing.office.net/odc/insertmedia

unknown

https://o365auditrealtimeingestion.manage.office.com

unknown

https://outlook.office365.com/api/v1.0/me/Activities

unknown

https://api.office.net

unknown

https://incidents.diagnosticssdf.office.com

unknown

https://asgsmsproxyapi.azurewebsites.net/

unknown

https://clients.config.office.net/user/v1.0/android/policies

unknown

https://entitlement.diagnostics.office.com

unknown

https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json

unknown

https://substrate.office.com/search/api/v2/init

unknown

https://outlook.office.com/

unknown

https://storage.live.com/clientlogs/uploadlocation

unknown

https://outlook.office365.com/

unknown

https://webshell.suite.office.com

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive

unknown

https://substrate.office.com/search/api/v1/SearchHistory

unknown

https://management.azure.com/

unknown

https://messaging.lifecycle.office.com/getcustommessage16

unknown

https://clients.config.office.net/c2r/v1.0/InteractiveInstallation

unknown

https://login.windows.net/common/oauth2/authorize

unknown

https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://graph.windows.net/

unknown

https://api.powerbi.com/beta/myorg/imports

unknown

https://devnull.onenote.com

unknown

https://messaging.action.office.com/

unknown

https://ncus.pagecontentsync.

unknown

https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

45.8.146.139

unknown

Russian Federation

Details

IP:	45.8.146.139
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44676
ASN name:	VMAGE-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

'l)

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

0m)

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

?p)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\67426

67426

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

WORDFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems

9o6

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

RemoteClearDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3

Last

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

FilePath

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

StartDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

EndDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Properties

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Url

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableWinHttpCertAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableIsOwnerRegex

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableSessionAwareHttpClose

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALForExtendedApps

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALSetSilentAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableGuestCredProvider

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableOstringReplace

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems

yy6

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Name

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Path

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\1ED0B

1ED0B

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0

MSForms

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0

MSComctlLib

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Cambria Math

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2A0BB

2A0BB

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0

File Path

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0

Datetime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0

Position

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Chart Tools

ChartToolsSuperTooltipHidden

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options

VisiFlm

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options

AutoGrammar

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options

AutosaveInterval

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options

PreferredView

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

WORDFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Name

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Path

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Name

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Path

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\2A0BB

2A0BB

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0

Datetime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0

Position

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Data

Settings

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

c$/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

:&/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

|(/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\65BE6

65BE6

There are 104 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

10000

heap

page read and write

167000

heap

page read and write

B9E000

stack

page read and write

4B4000

heap

page read and write

7EFE0000

unkown

page readonly

306000

heap

page read and write

1B0000

heap

page read and write

ABF000

stack

page read and write

1A6000

heap

page read and write

6AA000

stack

page read and write

1640000

heap

page read and write

19D000

heap

page read and write

11D000

stack

page read and write

2D0000

heap

page read and write

1A8000

heap

page read and write

160000

heap

page read and write

5EF000

stack

page read and write

4B0000

heap

page read and write

There are 8 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
wpswireless-invoice-08.11.22.doc

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportwpswireless-invoice-08.11.22.doc

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
wpswireless-invoice-08.11.22.doc