Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (13).eml"

Details

Is windows:	true
Is dropped:	false
PID:	4132
Target ID:	0
Parent PID:	4004
Name:	OUTLOOK.EXE
Class:	outlook
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (13).eml"
Size:	34446744
MD5:	91A5292942864110ED734005B7E005C0
Time:	15:30:09
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x720000
Modulesize:	34492416
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Office Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "275573E4-4E3A-44CF-9503-868017FC0EFD" "DC9DDA95-057A-40A5-91CF-1110D1B5CBAE" "4132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Details

Is windows:	true
Is dropped:	false
PID:	5648
Target ID:	2
Parent PID:	4132
Name:	ai.exe
Class:	office
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "275573E4-4E3A-44CF-9503-868017FC0EFD" "DC9DDA95-057A-40A5-91CF-1110D1B5CBAE" "4132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Size:	710048
MD5:	EC652BEDD90E089D9406AFED89A8A8BD
Time:	15:30:14
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7a0250000
Modulesize:	737280
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe

"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca

Details

Is windows:	true
Is dropped:	false
PID:	6232
Target ID:	5
Parent PID:	752
Name:	HxOutlook.exe
Path:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
Commandline:	"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Size:	2486784
MD5:	6F8EAC2C377C8F16D91CB5AC8B8DBF5F
Time:	15:30:39
Date:	10/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7f6fc0000
Modulesize:	2506752
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe

"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca

Details

Is windows:	true
Is dropped:	false
PID:	7416
Target ID:	11
Parent PID:	752
Name:	HxAccounts.exe
Path:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe
Commandline:	"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
Size:	274432
MD5:	6FEB00C9A2C3FF66230658B3012BAB6A
Time:	15:30:43
Date:	10/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6fc210000
Modulesize:	290816
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.diagnosticssdf.office.com

unknown

https://login.microsoftonline.com/

unknown

https://shell.suite.office.com:1443

unknown

https://designerapp.azurewebsites.net

unknown

https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize

unknown

https://autodiscover-s.outlook.com/

unknown

https://useraudit.o365auditrealtimeingestion.manage.office.com

unknown

https://outlook.office365.com/connectors

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr

unknown

https://cdn.entity.

unknown

https://api.addins.omex.office.net/appinfo/query

unknown

https://clients.config.office.net/user/v1.0/tenantassociationkey

unknown

https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/

unknown

https://powerlift.acompli.net

unknown

https://rpsticket.partnerservices.getmicrosoftkey.com

unknown

https://lookup.onenote.com/lookup/geolocation/v1

unknown

https://cortana.ai

unknown

https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://api.powerbi.com/v1.0/myorg/imports

unknown

https://cloudfiles.onenote.com/upload.aspx

unknown

https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://entitlement.diagnosticssdf.office.com

unknown

https://api.aadrm.com/

unknown

https://ofcrecsvcapi-int.azurewebsites.net/

unknown

https://canary.designerapp.

unknown

https://ic3.teams.office.com

unknown

https://config.edge.skype.net/config/v1/

unknown

https://www.yammer.com

unknown

https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies

unknown

https://api.microsoftstream.com/api/

unknown

https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive

unknown

https://cr.office.com

unknown

https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h

unknown

https://messagebroker.mobile.m365.svc.cloud.microsoft

unknown

https://otelrules.svc.static.microsoft

unknown

https://portal.office.com/account/?ref=ClientMeControl

unknown

https://clients.config.office.net/c2r/v1.0/DeltaAdvisory

unknown

https://edge.skype.com/registrar/prod

unknown

https://graph.ppe.windows.net

unknown

https://res.getmicrosoftkey.com/api/redemptionevents

unknown

https://powerlift-frontdesk.acompli.net

unknown

https://tasks.office.com

unknown

https://login.windows.localR

unknown

https://officeci.azurewebsites.net/api/

unknown

http://pki-crl.symauth.com/ca_7a5c3a0c73117406add19312bc1bc23f/LatestCRL.crl07

unknown

https://sr.outlook.office.net/ws/speech/recognize/assistant/work

unknown

https://xsts.auth.xboxlive.com5

unknown

https://login.windows.localtloR

unknown

https://api.scheduler.

unknown

https://my.microsoftpersonalcontent.com

unknown

https://store.office.cn/addinstemplate

unknown

https://api.aadrm.com

unknown

https://edge.skype.com/rps

unknown

https://outlook.office.com/autosuggest/api/v1/init?cvid=

unknown

https://globaldisco.crm.dynamics.com

unknown

https://messaging.engagement.office.com/

unknown

https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://dev0-api.acompli.net/autodetect

unknown

https://www.odwebp.svc.ms

unknown

https://api.diagnosticssdf.office.com/v2/feedback

unknown

https://api.powerbi.com/v1.0/myorg/groups

unknown

https://web.microsoftstream.com/video/

unknown

https://api.addins.store.officeppe.com/addinstemplate

unknown

https://graph.windows.net

unknown

https://dataservice.o365filtering.com/

unknown

https://login.windows.localnullD

unknown

https://officesetup.getmicrosoftkey.com

unknown

https://analysis.windows.net/powerbi/api

unknown

https://prod-global-autodetect.acompli.net/autodetect

unknown

https://substrate.office.com

unknown

https://login.windows.net/

unknown

https://outlook.office365.com/autodiscover/autodiscover.json

unknown

https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios

unknown

https://consent.config.office.com/consentcheckin/v1.0/consents

unknown

https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices

unknown

https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json

unknown

https://d.docs.live.net

unknown

https://safelinks.protection.outlook.com/api/GetPolicy

unknown

https://ncus.contentsync.

unknown

https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false

unknown

https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/

unknown

http://weather.service.msn.com/data.aspx

unknown

https://apis.live.net/v5.0/

unknown

https://officepyservice.office.net/service.functionality

unknown

https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks

unknown

https://templatesmetadata.office.net/

unknown

https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios

unknown

https://messaging.lifecycle.office.com/

unknown

https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

unknown

https://mss.office.com

unknown

https://pushchannel.1drv.ms

unknown

https://xsts.auth.xboxlive.com/

unknown

https://management.azure.com

unknown

https://outlook.office365.com

unknown

https://login.windows.net

unknown

https://wus2.contentsync.

unknown

https://incidents.diagnostics.office.com

unknown

https://clients.config.office.net/user/v1.0/ios

unknown

https://make.powerautomate.com

unknown

There are 90 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

CantBootResolution

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

ProfileBeingOpened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

BootDiagnosticsLogFile

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics

OutlookBootFlag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

;q4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

ProfileBeingOpened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards

PageSize

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings

Template

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

WMACUpdated

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Options

DefaultKerningLigatures

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\outlook

BuildNumber

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.20

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.21

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.22

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.23

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.24

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.25

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.26

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.27

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

1.28

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

VersionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

ETag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

DeferredConfigs

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

ConfigIds

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

BootDiagnosticsLogFile

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

CantBootResolution

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

; 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\ColleagueImport.ColleagueImportAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\Microsoft.VbaAddinForOutlook.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

k 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Display Types\Balloons

HWND64ForOrphanedNotIcon

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

z 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OscAddin.Connect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

j 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\UCAddin.LyncAddin.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

j 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\UmOutlookAddin.FormRegionAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

)!5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

)!5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

)!5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

)!5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTimeOutlook

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTimeOutlook

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Search

IndexAvailableBody

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

000b046b

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\3517490d76624c419a828607e2a54604

001f6000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\UserInfo

SharingMachineID

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

000b049c

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

001f0433

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

000b0465

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

a4922304f05a0caf296a5dab7d32866b

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

a1907cf74a0e723ae4d6d10c2be13b22

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

5f7af7540aa81b0933473148ec658dad

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

76e17cf74d1871db022de719ec047c24

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

a534c6b591e8e4482771367da0dfc1a5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

6b5ad615dd992da766ae34dec0713a44

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile

MsaDevice

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet

UseRWHlinkNavigation

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet

UseRWOSHlinkNavigation

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9207f3e0a3b11019908b08002b2a56c2

11023d05

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Logging

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage

OutlookMAPI2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage

OutlookMAPI2Intl_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

00030429

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange\Forms Registry

CacheSyncCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

FilePath

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

StartDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

EndDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\ColleagueImport.ColleagueImportAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

ColleagueImport.ColleagueImportAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OneNote.OutlookAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

OneNote.OutlookAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OscAddin.Connect

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

OscAddin.Connect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UCAddin.LyncAddin.1

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

UCAddin.LyncAddin.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UmOutlookAddin.FormRegionAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

UmOutlookAddin.FormRegionAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\4132

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\UserInfo

CountQuickSteps

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Search\Catalog

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\AppHost\BootTimeList\Boot

AHAppStarted

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\hxmail

FirstSessionTriggered

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

AppLaunchCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

ProcessSessionId

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

SessionInitTime

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

InteractionSessionId

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

InteractionSessionStartTime

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

ProcessExeVersion

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

IsDebugSession

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

LifecycleState

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\Common

UID

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\hxmail

EcsRequestPending

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\hxmail

Language

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Tas\hxmail

TasRequestPending

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\ConfigSettings

UnsuccessfulBootsMail

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common

SessionId

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Audience

AudienceId

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\AppHost\BootTimeList\Boot

AHDoFirstNonThrottledIdleOnAppThread

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\Spotlight

LatestShownMailSpotlightVersion

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\FirstRun

MailFirstRunSlide

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\AppHost\BootTimeList\Boot

AHOnAllActivationDeferralsCompletedOnUIThread

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\AppHost\BootTimeList\Boot

AHOnActivationEndedOnUIThread

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\AppHost

LastSetPrelaunchValue

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache

RemoteClearDate

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=2057&syslcid=8192&uilcid=2057&build=16.0.11629&crev=3

Last

FilePath

StartDate

EndDate

Properties

Url

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Internet\WebServiceCache

LastClean

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableIsOwnerRegex

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs

CountryCode

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\hxmail

BuildNumber

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail

Expires

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.1

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.2

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.3

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.4

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.5

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.6

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.7

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.8

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.9

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.10

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.11

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.12

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.13

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.14

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.15

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.16

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.17

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.18

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.19

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

1.20

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

VersionId

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail

ETag

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail

DeferredConfigs

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment

ABData

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\hxmail

EcsRequestPending

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\hxmail

EcsRequestPending

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail\ConfigContextData

ChunkCount

\REGISTRY\A\{54eaeafa-9dc5-be44-4d3c-e462bde62fa0}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\hxmail

Expires

There are 259 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

91F61FC000

stack

page read and write

1B590CBC000

heap

page read and write

1B590D2C000

heap

page read and write

1B5897E0000

heap

page read and write

1B5899A4000

heap

page read and write

1B590C16000

heap

page read and write

1B589935000

heap

page read and write

1B58BD0B000

heap

page read and write

1B5899B1000

heap

page read and write

1B5919E8000

heap

page read and write

1B58987D000

heap

page read and write

1B5919B7000

heap

page read and write

1B590D48000

heap

page read and write

1B590D26000

heap

page read and write

1B5899EA000

heap

page read and write

1B58996D000

heap

page read and write

1B590C86000

heap

page read and write

91F5DFD000

stack

page read and write

91F5DFA000

stack

page read and write

1B5899EE000

heap

page read and write

1B589947000

heap

page read and write

1B59202F000

heap

page read and write

1B590C86000

heap

page read and write

1B5919D0000

heap

page read and write

91F71FC000

stack

page read and write

1B591F50000

heap

page read and write

91F56FC000

stack

page read and write

1B589945000

heap

page read and write

1B5899C3000

heap

page read and write

1B591C6F000

heap

page read and write

1B58BDCA000

heap

page read and write

91F5BF9000

stack

page read and write

1B592021000

heap

page read and write

1B591D24000

heap

page read and write

1B591D12000

heap

page read and write

1B5899B9000

heap

page read and write

1B590CBC000

heap

page read and write

1B589980000

heap

page read and write

1B5897C0000

heap

page read and write

1B589923000

heap

page read and write

1B58995E000

heap

page read and write

1B590C50000

heap

page read and write

1B591965000

heap

page read and write

1B58BD1C000

heap

page read and write

1B5899F1000

heap

page read and write

91F6DFD000

stack

page read and write

1B589826000

heap

page read and write

1B58BDA3000

heap

page read and write

1B58990F000

heap

page read and write

1B5917E0000

heap

page read and write

1B589913000

heap

page read and write

91F64FE000

stack

page read and write

1B5917A0000

trusted library allocation

page read and write

1B590C86000

heap

page read and write

1B591902000

heap

page read and write

1B590DBB000

heap

page read and write

1B591D0C000

heap

page read and write

1B58BD2E000

heap

page read and write

91F65F2000

stack

page read and write

1B590DB8000

heap

page read and write

91F6BFE000

stack

page read and write

1B590CBC000

heap

page read and write

1B59202F000

heap

page read and write

1B5898DF000

heap

page read and write

1B5899CB000

heap

page read and write

1B590C1D000

heap

page read and write

91F5EFF000

stack

page read and write

1B58995A000

heap

page read and write

1B589813000

heap

page read and write

91F59FE000

stack

page read and write

1B589851000

heap

page read and write

1B591965000

heap

page read and write

1B5919A9000

heap

page read and write

1B5897F0000

heap

page read and write

1B591BE0000

heap

page read and write

91F5CFC000

stack

page read and write

1B5898BB000

heap

page read and write

1B592000000

heap

page read and write

1B591900000

heap

page read and write

1B592037000

heap

page read and write

1B591C1F000

heap

page read and write

1B5898E1000

heap

page read and write

1B591BC0000

heap

page read and write

1B5899BE000

heap

page read and write

1B591D27000

heap

page read and write

1B5919C8000

heap

page read and write

1B58BD00000

heap

page read and write

91F532B000

stack

page read and write

1B591D02000

heap

page read and write

1B58BD9F000

heap

page read and write

1B592002000

heap

page read and write

1B590D7E000

heap

page read and write

1B5898CC000

heap

page read and write

1B590C3C000

heap

page read and write

1B58BD47000

heap

page read and write

1B591923000

heap

page read and write

1B591760000

heap

page read and write

1B591965000

heap

page read and write

1B58BDB5000

heap

page read and write

1B5899AD000

heap

page read and write

1B5919B5000

heap

page read and write

1B58BD34000

heap

page read and write

1B590C50000

heap

page read and write

1B591C00000

heap

page read and write

1B591965000

heap

page read and write

91F66FC000

stack

page read and write

1B5919E4000

heap

page read and write

1B5919B5000

heap

page read and write

1B591985000

heap

page read and write

1B589891000

heap

page read and write

1B590C3F000

heap

page read and write

1B591813000

heap

page read and write

1B592037000

heap

page read and write

1B591802000

heap

page read and write

1B58BDD7000

heap

page read and write

1B5899B5000

heap

page read and write

1B5898B3000

heap

page read and write

91F5AFB000

stack

page read and write

1B589961000

heap

page read and write

1B58BD7A000

heap

page read and write

1B58BD90000

heap

page read and write

1B59202B000

heap

page read and write

1B591D0A000

heap

page read and write

1B58BDE8000

heap

page read and write

1B589988000

heap

page read and write

91F68FE000

stack

page read and write

1B5898E3000

heap

page read and write

91F62FF000

stack

page read and write

1B591965000

heap

page read and write

91F67FE000

stack

page read and write

1B5898BF000

heap

page read and write

1B5899C7000

heap

page read and write

1B590D4F000

heap

page read and write

1B590C19000

heap

page read and write

1B5898B5000

heap

page read and write

1B58BC02000

heap

page read and write

1B58BD13000

heap

page read and write

91F69FF000

stack

page read and write

91F6CFE000

stack

page read and write

1B591918000

heap

page read and write

1B58BBE0000

heap

page readonly

1B58982B000

heap

page read and write

91F72FE000

stack

page read and write

91F63FF000

stack

page read and write

1B589985000

heap

page read and write

1B590CBC000

heap

page read and write

1B58BAF0000

heap

page read and write

1B5899E3000

heap

page read and write

1B58B2F0000

trusted library allocation

page read and write

1B58BD06000

heap

page read and write

1B5899D6000

heap

page read and write

1B5899F7000

heap

page read and write

1B591C2B000

heap

page read and write

1B58990A000

heap

page read and write

7DF4BF691000

trusted library allocation

page execute read

1B5899DA000

heap

page read and write

1B58FA70000

trusted library allocation

page read and write

1B5919D8000

heap

page read and write

1B592006000

heap

page read and write

1B590C50000

heap

page read and write

1B5898AC000

heap

page read and write

1B590C00000

heap

page read and write

1B591BF0000

trusted library allocation

page read and write

1B5898C3000

heap

page read and write

1B58BBD0000

trusted library allocation

page read and write

1B5919F0000

heap

page read and write

1B58BD80000

heap

page read and write

1B58B2E0000

trusted library allocation

page read and write

91F6EFD000

stack

page read and write

1B590CF4000

heap

page read and write

1B590C2E000

heap

page read and write

1B5898DC000

heap

page read and write

91F58F9000

stack

page read and write

1B5899A8000

heap

page read and write

1B5899D0000

heap

page read and write

7DF4BF681000

trusted library allocation

page execute read

91F60FD000

stack

page read and write

1B589800000

heap

page read and write

1B5898E7000

heap

page read and write

1B590DCC000

heap

page read and write

There are 170 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
phish_alert_sp2_2.0.0.0 (13).eml

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportphish_alert_sp2_2.0.0.0 (13).eml

Files

Processes

URLs

Registry

Memdumps

IOC Report
phish_alert_sp2_2.0.0.0 (13).eml