Hi,
we had an incident, where a user opened a compromised excel file and activated excel-macros beforehand to do so.
Now, we've found screenshots which documented the "macro-activation-process" (timestamp matches 100%).
The screenshots where found in "/Users/Username/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/…."
-
Now the question is, who created those screenshots and why ?
Windows ? Office ?
Best regards
Your post doesn't really give enough information to answer your question but some malware actively captures screenshots of user activity (although the ones I've seen put it in a specific folder rather than the internet history files).
Have you considered creating a timeline, in order to 'see' what was 'going on' around the time that the files were created?