General Info

File name

docus_39386.doc

Full analysis
https://app.any.run/tasks/1846edad-f6eb-4a29-b83a-8393dbf65075
Verdict
Malicious activity
Analysis date
10/9/2019, 20:27:56
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros, macros-on-open, generated-doc, evasion, trojan, hancitor, pony, fareit, cobaltstrike, gozi, ursnif, terdot, zloader, maldoc-42

Indicators:

MIME:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:
Microsoft Word 2007+
MD5

34d0636684f0577cb9c2c3f701c0e8f8

SHA1

b584590c206cd4f67c5ca054c1b3ec02e6699867

SHA256

36448de9a48210f85e5fd61329bbce4d86173ba705fca75d0dfecdf2002d1684

SSDEEP

3072:5vvvvvvvvvvvvvvvvvvvvvv/ZRynrChbtCY8QOjnX3Npkv4wTh6ivbiFuzRmDPrE:5vvvvvvvvvvvvvvvvvvvvvv/KnrChbs8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
720 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
PONY was detected
  • svchost.exe (PID: 2564)
URSNIF was detected
  • IEXPLORE.EXE (PID: 2256)
  • IEXPLORE.EXE (PID: 1616)
Connects to CnC server
  • svchost.exe (PID: 2564)
  • IEXPLORE.EXE (PID: 1616)
  • IEXPLORE.EXE (PID: 2256)
  • svchost.exe (PID: 2072)
Detected Pony/Fareit Trojan
  • svchost.exe (PID: 2072)
Actions looks like stealing of personal data
  • svchost.exe (PID: 2072)
  • svchost.exe (PID: 2564)
Application was dropped or rewritten from another process
  • BNF883.tmp (PID: 1980)
  • BNFA78.tmp (PID: 280)
Uses SVCHOST.EXE for hidden code execution
  • svchost.exe (PID: 2072)
  • regsvr32.exe (PID: 1172)
COBALTSTRIKE was detected
  • BNF883.tmp (PID: 1980)
HANCITOR was detected
  • svchost.exe (PID: 2072)
Loads dropped or rewritten executable
  • regsvr32.exe (PID: 1172)
Writes file to Word startup folder
  • WINWORD.EXE (PID: 2428)
Executable content was dropped or overwritten
  • WINWORD.EXE (PID: 2428)
Starts application with an unusual extension
  • svchost.exe (PID: 2072)
Application launched itself
  • svchost.exe (PID: 2072)
Executable content was dropped or overwritten
  • svchost.exe (PID: 2072)
Starts CMD.EXE for commands execution
  • svchost.exe (PID: 2072)
Checks for external IP
  • svchost.exe (PID: 2072)
Executed via WMI
  • regsvr32.exe (PID: 2224)
Executed via COM
  • iexplore.exe (PID: 1260)
Reads the hosts file
  • BNFA78.tmp (PID: 280)
Reads internet explorer settings
  • IEXPLORE.EXE (PID: 1616)
  • IEXPLORE.EXE (PID: 1952)
  • IEXPLORE.EXE (PID: 2256)
Creates files in the user directory
  • iexplore.exe (PID: 1260)
  • WINWORD.EXE (PID: 2428)
Changes internet zones settings
  • iexplore.exe (PID: 1260)
Reads Internet Cache Settings
  • iexplore.exe (PID: 1260)
Reads the machine GUID from the registry
  • WINWORD.EXE (PID: 2428)
  • iexplore.exe (PID: 1260)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2428)
Reads settings of System Certificates
  • iexplore.exe (PID: 1260)

Static information

TRiD
.docm
|   Word Microsoft Office Open XML Format document (with Macro) (53.6%)
.docx
|   Word Microsoft Office Open XML Format document (24.2%)
.zip
|   Open Packaging Conventions container (18%)
.zip
|   ZIP compressed archive (4.1%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0006
ZipCompression:
Deflated
ZipModifyDate:
1980:01:01 00:00:00
ZipCRC:
0x0eab7932
ZipCompressedSize:
440
ZipUncompressedSize:
1769
ZipFileName:
[Content_Types].xml
XMP
Title:
null
Subject:
null
Creator:
python-docx
Description:
generated by python-docx
XML
Keywords:
null
LastModifiedBy:
onx
RevisionNumber:
2
CreateDate:
2019:10:09 14:41:00Z
ModifyDate:
2019:10:09 14:41:00Z
Category:
null
Template:
Normal.dotm
TotalEditTime:
null
Pages:
1
Words:
null
Characters:
1
Application:
Microsoft Office Word
DocSecurity:
None
Lines:
1
Paragraphs:
1
ScaleCrop:
No
HeadingPairs
null
null
TitlesOfParts:
null
Manager:
null
Company:
null
LinksUpToDate:
No
CharactersWithSpaces:
1
SharedDoc:
No
HyperlinkBase:
null
HyperlinksChanged:
No
AppVersion:
16

Processes

Total processes
52
Monitored processes
14
Malicious processes
10
Suspicious processes
0

Behavior graph

Edge labels: start, drop and start, drop and start

Nodes, in graph order:
  • winword.exe
  • iexplore.exe
  • iexplore.exe
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • svchost.exe (#HANCITOR)
  • cmd.exe (no specs)
  • svchost.exe (#PONY)
  • bnf883.tmp (#COBALTSTRIKE)
  • bnfa78.tmp
  • iexplore.exe (#URSNIF)
  • iexplore.exe (no specs)
  • iexplore.exe (no specs)
  • iexplore.exe (#URSNIF)

Process information

PID
2428
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\docus_39386.doc.docm"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.5123.5000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\fm20.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\fm20enu.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\winmm.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
1260
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\propsys.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\mlang.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\tquery.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll

PID
1952
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\d2d1.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll

PID
2224
CMD
regsvr32.exe -s C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\55F.wll
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\apppatch64\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
1172
CMD
-s C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\55F.wll
Path
C:\Windows\SysWOW64\regsvr32.exe
Indicators
No indicators
Parent process
regsvr32.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\samcli.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msacm32.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\sfc.dll
c:\windows\syswow64\sfc_os.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\mpr.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\imm32.dll
c:\users\admin\appdata\roaming\microsoft\word\startup\55f.wll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\svchost.exe

PID
2072
CMD
C:\Windows\System32\svchost.exe
Path
C:\Windows\SysWOW64\svchost.exe
Indicators
Parent process
regsvr32.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\wsock32.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\samcli.dll
c:\windows\syswow64\vaultcli.dll
c:\windows\syswow64\msi.dll
c:\windows\syswow64\pstorec.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\winrnr.dll
c:\windows\syswow64\samlib.dll
c:\users\admin\appdata\local\temp\bnf883.tmp
c:\users\admin\appdata\local\temp\bnfa78.tmp

PID
1956
CMD
cmd /K
Path
C:\Windows\SysWOW64\cmd.exe
Indicators
No indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\syswow64\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll

PID
2564
CMD
C:\Windows\System32\svchost.exe
Path
C:\Windows\SysWOW64\svchost.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\samcli.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\pstorec.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\vaultcli.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\winrnr.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\samlib.dll
c:\windows\syswow64\mpr.dll

PID
1980
CMD
C:\Users\admin\AppData\Local\Temp\BNF883.tmp
Path
C:\Users\admin\AppData\Local\Temp\BNF883.tmp
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
THQ Canada Inc.
Description
Version
1, 4, 0, 0
Modules
Image
c:\users\admin\appdata\local\temp\bnf883.tmp
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\winrnr.dll

PID
280
CMD
C:\Users\admin\AppData\Local\Temp\BNFA78.tmp
Path
C:\Users\admin\AppData\Local\Temp\BNFA78.tmp
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\bnfa78.tmp
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcr100.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\sxs.dll

PID
1616
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:1709325 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\d2d1.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll

PID
2880
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:4068622 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
1704
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:2692362 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll

PID
2256
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:3937545 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\d2d1.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll

Registry activity

Total events
4064
Read events
3469
Write events
591
Delete events
4

Modification events

PID
Process
Operation
Key
Name
Value
2428
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2428
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\15876A
2428
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
2428
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
0%8
302538007C090000010000000000000000000000
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
WORDFiles
1330184234
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1330184318
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1330184319
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
7C090000E6FADF50CF7ED50100000000
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
:(8
3A2838007C09000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2*8
322A38007C09000006000000010000007E000000020000006E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0064006F006300750073005F00330039003300380036002E0064006F0063002E0064006F0063006D00000000000000
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
VBAFiles
1330184196
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{455D7303-21DE-4D4A-8D95-3AAD3D159412}
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D348F017909300][O00000000]*C:\Users\admin\Desktop\processemail.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D3728CC6EE9400][O00000000]*C:\Users\admin\Desktop\workssomething.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D39C29764FD300][O00000000]*C:\Users\admin\Desktop\collectiondefined.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D4E30AEB944480][O00000000]*C:\Users\admin\Desktop\middletook.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D28CC8E5429300][O00000000]*C:\Users\admin\Desktop\calllower.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D3D3AA5A980D00][O00000000]*C:\Users\admin\Desktop\cheapfaculty.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D2E0024400E100][O00000000]*C:\Users\admin\Desktop\hisfather.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D37B40CBA1AF00][O00000000]*C:\Users\admin\Documents\componentsratings.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 9
[F00000000][T01D3A4DD7B159C80][O00000000]*C:\Users\admin\Documents\againstresponse.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 10
[F00000000][T01D2B1356430C480][O00000000]*C:\Users\admin\Documents\criticalfor.rtf
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\15876A
15876A
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{9F829F44-8DEF-4B8E-96D7-E7EA45D313CD}\2.0
Microsoft Forms 2.0 Object Library
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{9F829F44-8DEF-4B8E-96D7-E7EA45D313CD}\2.0\FLAGS
6
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{9F829F44-8DEF-4B8E-96D7-E7EA45D313CD}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{9F829F44-8DEF-4B8E-96D7-E7EA45D313CD}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\VBE
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
2428
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184241
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184242
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184241
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184242
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184266
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184267
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184243
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184244
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184243
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184244
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184268
2428
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184269
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
C0AC079DA84B4CBD8DBAF1BB44146899
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents
LastPurgeTime
26177429
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
BackgroundOpen
0
2428
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.0\Common
PropertiesWindow
4 23 180 640 1
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPDaysSinceLastAutoMigration
3
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchLowDateTime
1412792288
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchHighDateTime
30768847
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
1713106038
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30768847
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{91D16027-EAC2-11E9-9008-5254004AAD21}
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Active
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
78809254CF7ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
D2E29454CF7ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
4
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A000300090012001C0016007B00
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
4
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
ChangeNotice
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
1260
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListXMLVersionLow
395188360
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListXMLVersionHigh
268435456
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListLastUpdateTime
3670866
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VendorId
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
DeviceId
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
SubSysId
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Revision
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VersionHigh
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VersionLow
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
DXFeatureLevel
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VendorId
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-DeviceId
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-SubSysId
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-Revision
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VersionHigh
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VersionLow
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-DXFeatureLevel
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateLowDateTime
1722481038
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateHighDateTime
30768847
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
HashFileVersionLowPart
2
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
HashFileVersionHighPart
0
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
2972397488
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30768897
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
IECompatVersionHigh
268435456
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
IECompatVersionLow
395188360
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
StaleCompatCache
1
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
C0638568CF7ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3600000036000000560300008E020000
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
5
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A000300090012001C003B007700
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
5
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
20EF6E6BCF7ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE
TabBandWidth
500
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
6
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A000300090012001D001500A600
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
6
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
001D3678CF7ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames
en-US
en-US.2
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DomainSuggestion
NextUpdateDate
277410676
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPGoldbarText
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPGoldbarOKText
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPGoldbarCancelText
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPMSNintervalInDays
20
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPRestoreBarLimit
1
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPOnlinePortalVer
3
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NextNTPConfigUpdateDate
277459279
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4C0000004C0000006C030000A4020000
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF62000000000000008203000058020000
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
7
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120022002D00B000
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
7
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
8
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200220035006B01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
8
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
70B42940D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
9
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200230012006B01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
9
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
80773F4DD07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
10
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200230028006B01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
10
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
A00E4E5AD07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
11
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200240002002D01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
11
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
90297267D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
12
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200240018004C01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
12
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
80B59874D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
13
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120024002E007B01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
13
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
B091A281D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
14
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200250008001D01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
14
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
A03BC48ED07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
15
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120025001E006B01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
15
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
70CCF19BD07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
16
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200250034007B01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
16
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
70BB0EA9D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
17
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120026000E00AA01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
17
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
60D632B6D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
18
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200260024008A01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
18
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
709948C3D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
19
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120026003A008A01
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
19
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
60B46CD0D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
20
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120027001400D202
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
20
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
E0AFBBDDD07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
21
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120027002A00F202
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
21
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
E09ED8EAD07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
22
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200280004000103
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
22
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
D02AFFF7D07ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
23
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120028001A002103
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
23
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
E07C1205D17ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
24
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200280030000103
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
24
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
00F62512D17ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
25
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120029000A00C302
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
25
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
F02E451FD17ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
26
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A0003000900120029002000B302
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
26
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
200B4F2CD17ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
27
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009001200290036007502
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
27
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
D0F38A39D17ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
28
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A000300090012002A0010009402
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
28
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
00419746D17ED501
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
29
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A000300090012002A002600E202
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
29
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
1260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
E016C053D17ED501
1952
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
CachePrefix
1952
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
CachePrefix
Cookie:
1952
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
CachePrefix
Visited:
2072
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2072
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007E000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2072
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2072
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2072
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2072
svchost.exe
write
HKEY_CURRENT_USER\Software\WinRAR
HWID
7B41424136303442372D413734322D343545412D383835342D3836414235424231463632417D
2072
svchost.exe
write
HKEY_CURRENT_USER\Software\WinRAR
Client Hash
8A56142D232E0FE10B2792677E71225A
2564
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2564
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2564
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007F000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
1980
BNF883.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
1616
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
CachePrefix
1616
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
CachePrefix
Cookie:
1616
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
CachePrefix
Visited:
2256
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
CachePrefix
2256
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
CachePrefix
Cookie:
2256
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
CachePrefix
Visited:

Files activity

Executable files: 3
Suspicious files: 46
Text files: 63
Unknown types: 3

Dropped files

PID
Process
Filename
Type
2072
svchost.exe
C:\Users\admin\AppData\Local\Temp\BNFA78.tmp
executable
MD5: 76c600ba1dc38ca9507e829d625e6857
SHA256: 1397916117996f3f12b6a57f566d37ece3ceab4a069a08ff5b8b5e73b68ed05c
2428
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\55F.wll
executable
MD5: 30c28434f89abc1aee1cccb94b7ba3f6
SHA256: c559274c18ff0a53580aa98806d1aeabaff35f6bfcb9732152df9360fa644563
2072
svchost.exe
C:\Users\admin\AppData\Local\Temp\BNF883.tmp
executable
MD5: aaedef63a86ad51ee1eb38ebbfc1a683
SHA256: 59beed8f43d8d99406f88f11711a8b29d52cd5edd8409fc7b8b0cc4b3afa9c4e
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1bf847.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{83ADB083-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: 62c65802762acb9e29b0ddaf524a0efa
SHA256: 98697f10c9ed4f84ae43debebbfc6ac84edca65b59db8c32a3b471b64561beec
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFF312AC354DAA06E3.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF220450.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FZEW8G1G1ATDGL1LSVG7.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{768BFCCF-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: 158dc2f30fd8fe3a12b66c151b2b3bbe
SHA256: 6aba08ad6e8b9f61f3c720ed7e46cc8b241ba37ea5ab0c4f6a7e25beafc47aab
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF79A45B5DE9A8A096.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{697AF991-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: 349c02223811e11c8e038cdaf10c7df0
SHA256: 4e12ccc506d89bc57354283324b5608884ae2cccdf7a2b3177ae8ed5ac37228f
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFBE25159BAAEC35F3.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF21589f.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9FKMJZORDVRY14S70PIO.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{5C5BA837-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: c4cb5830658ce8440570ff6d95adc94f
SHA256: 216d21100081f3cc92e3908f42a28af6e4178c995df58e78d5e5ae643336a1e8
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF861FF52B3A5B8272.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{4F48429F-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: 1f907995d9f9c9011b3f22728df157b9
SHA256: ce660b912771870d18c04cce6a3f040d4f6d7516a1feccf4a611ba246916b0bd
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFBE48FCE25DEFE1EC.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF20aced.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0KXRRKAUPNFYQ7DYYQOE.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{42327AAD-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: adb0c334497df7790bd2c988cf64eb37
SHA256: ae50ddeea190d0562ee8e1e5a590c43151379da7e7d1ba4399896e667c65d80b
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFF72B808F906EB3EE.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{350E649F-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: a75b806a41021a6b3b65870361f2d6e2
SHA256: 06a8ba9e79e0ab0a336260f6be982994bb84a7b0a8bb9af22ecd4e8842733e31
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF215EB20561B6F29B.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF20012d.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HPGTXF6SV4WJEDDOA6CS.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{27F1759F-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: 70f9619832d01e7ae42dffca22075e6c
SHA256: 88145047f556c7124240e799e08bab749944eb251b4ed1e094aa174e6059ffd5
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFD00B047778841F8D.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{1ACFC1EB-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: fd4dada6370e65c37160368c44d624a1
SHA256: 623c1f054f2b2ad6dac31360e21b7589336a5370a5d3080f4ac765c17d286912
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFCF44AFBA9C262351.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1f5405.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2W46QSM5LLZ24B363AEH.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{0D7E5F2F-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: d933e8d57dc512828287893bf1cadffd
SHA256: 4be38720e7c3ab88e9502089a0053166a52c2eaf5c6f1d382bdd9852297f90d1
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF4FA165657EB84B6C.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{006634E3-EAC4-11E9-9008-5254004AAD21}.dat
binary
MD5: ad241f7e0f95506e2c61b8a56f260781
SHA256: ea6b557ba07cd7ae889159062724dbff90a8da7909ca7af7b91cbd50661104b3
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF52344E0F6E999FDD.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1ea825.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DRNSVG4BZ25HX4MMOMEK.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{F3421ED5-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: 22c62e3319f15a9cbe85a04251a66402
SHA256: 63d2343d8197c8a0212926b3703779d99b5c97181d01567448d7991047ea615a
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF9CD41DCA17B5ABCA.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{E62C56E3-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: d1145a3518f13ee3f59f9d0cc6054164
SHA256: 6e312ef98f3b03b7d9d4c859cfda09733a17eee84500788904904b3055b64faa
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF0D80986A72D27446.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\http_404[2]
html
MD5: f65c729dc2d457b7a1093813f1253192
SHA256: b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1dfc25.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I706EWSIY22RF4YJGT82.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D90AA32F-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: 10c4eeb42e6f0e1a7e7aaab0fff743d2
SHA256: 9fd1d5d2a424e1a8769e53c760e843f182d07d1e5041b02beefe3ebbc1c54caa
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF821432CE74C98ADC.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{CBDAA15F-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: f15f61e0f7dbff0c424f9cc5935cb117
SHA256: ad292aa07f035b1a7207425c7c84ec387f1dddeee72467534ebe2904e51dcf80
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFF5DE080773516CB1.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\background_gradient[2]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1d4fc8.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OCQ4PYKEUAND36OBW936.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{BED0C52F-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: 596a640f311865e80cd4f4192154ec9e
SHA256: a316101728c335d54a95afdcea9232e6d6df694dbb49a86a3110fc0265b149d4
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFDCDF8A085EDF930E.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\down[2]
image
MD5: c4f558c4c8b56858f15c09037cd6625a
SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B1AA4CC7-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: af96637208ffea9b84ae06cb46457632
SHA256: 7e08f02db87ed8e0cc283d049250677e6757bdf29fbdff5cf7a6bd24a7e51e93
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF4E18F4FAB684DB73.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\info_48[1]
image
MD5: 5565250fcc163aa3a79f0b746416ce69
SHA256: 51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\httpErrorPagesScripts[1]
text
MD5: 3f57b781cb3ef114dd0b665151571b7b
SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\errorPageStrings[1]
text
MD5: 6b26ecfa58e37d4b5ec861fcdd3f04fa
SHA256: 7f7d1069ca8a852c1c8eb36e1d988fe6a9c17ecb8eff1f66fc5ebfeb5418723a
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\bullet[2]
image
MD5: 26f971d87ca00e23bd2d064524aef838
SHA256: 1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1ca3f8.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3ZG6XB4OE6QNIA96X53Y.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{A483D45F-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: af905862d28df89fc154ee84fa52d919
SHA256: 460b687438cddbefb6097c731269096cc53fe5692be72bffe36755b1d92f050e
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFE4BE7960D5CBF8FE.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\info_48[2]
image
MD5: 5565250fcc163aa3a79f0b746416ce69
SHA256: 51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\httpErrorPagesScripts[1]
text
MD5: 3f57b781cb3ef114dd0b665151571b7b
SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\bullet[1]
image
MD5: 26f971d87ca00e23bd2d064524aef838
SHA256: 1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\down[1]
image
MD5: c4f558c4c8b56858f15c09037cd6625a
SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\http_404[1]
html
MD5: f65c729dc2d457b7a1093813f1253192
SHA256: b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\errorPageStrings[1]
text
MD5: 6b26ecfa58e37d4b5ec861fcdd3f04fa
SHA256: 7f7d1069ca8a852c1c8eb36e1d988fe6a9c17ecb8eff1f66fc5ebfeb5418723a
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9779F82F-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: 8e373c9005d521a92dcfee91f4d50b13
SHA256: e9737e34255bb1b1e1964549a49f328625a53df36e559070379e6087125b767d
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF61484C11C4B44FD0.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\bullet[1]
image
MD5: 26f971d87ca00e23bd2d064524aef838
SHA256: 1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\down[1]
image
MD5: c4f558c4c8b56858f15c09037cd6625a
SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\info_48[1]
image
MD5: 5565250fcc163aa3a79f0b746416ce69
SHA256: 51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\errorPageStrings[1]
text
MD5: 6b26ecfa58e37d4b5ec861fcdd3f04fa
SHA256: 7f7d1069ca8a852c1c8eb36e1d988fe6a9c17ecb8eff1f66fc5ebfeb5418723a
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\httpErrorPagesScripts[2]
text
MD5: 3f57b781cb3ef114dd0b665151571b7b
SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\http_404[1]
html
MD5: f65c729dc2d457b7a1093813f1253192
SHA256: b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f
2428
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR8130.tmp.cvr
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z9S8SHWK2486PHY2QXWB.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8A5AA6D5-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: 75efcecb885bbe55b5e02ee409499edb
SHA256: 7223473a020f6c92c3cfc653cb522de62484f74f1b27f9a59ef8ea87d39e08b8
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF2DE1AC5C6C1CFADB.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\down[1]
image
MD5: c4f558c4c8b56858f15c09037cd6625a
SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\info_48[1]
image
MD5: 5565250fcc163aa3a79f0b746416ce69
SHA256: 51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\bullet[1]
image
MD5: 26f971d87ca00e23bd2d064524aef838
SHA256: 1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\http_404[1]
html
MD5: f65c729dc2d457b7a1093813f1253192
SHA256: b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\errorPageStrings[2]
text
MD5: 6b26ecfa58e37d4b5ec861fcdd3f04fa
SHA256: 7f7d1069ca8a852c1c8eb36e1d988fe6a9c17ecb8eff1f66fc5ebfeb5418723a
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\httpErrorPagesScripts[1]
text
MD5: 3f57b781cb3ef114dd0b665151571b7b
SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{7B73F455-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: 57fd6d6f52c5d7a491fe1d124f4c00d8
SHA256: ed3f0b5ae7605464b6b714a1c6f58ab55abf1245bbebb824efaf933e7260d495
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF26C130396CF72DE1.TMP
––
MD5:  ––
SHA256:  ––
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\down[1]
image
MD5: c4f558c4c8b56858f15c09037cd6625a
SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\bullet[1]
image
MD5: 26f971d87ca00e23bd2d064524aef838
SHA256: 1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\httpErrorPagesScripts[1]
text
MD5: 3f57b781cb3ef114dd0b665151571b7b
SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\errorPageStrings[1]
text
MD5: 6b26ecfa58e37d4b5ec861fcdd3f04fa
SHA256: 7f7d1069ca8a852c1c8eb36e1d988fe6a9c17ecb8eff1f66fc5ebfeb5418723a
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\info_48[1]
image
MD5: 5565250fcc163aa3a79f0b746416ce69
SHA256: 51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\ErrorPageTemplate[2]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2256
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\http_404[1]
html
MD5: f65c729dc2d457b7a1093813f1253192
SHA256: b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1b6f9e.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5UX9LOXH8SAWKJPZS0SJ.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{6BE8BF92-EAC3-11E9-9008-5254004AAD21}.dat
binary
MD5: 1b44bc6fb7bbc1c14a802a4d6c1ee400
SHA256: 2d014c84a97a485dc1ac5c4bacf77148733a791a6eb5fb5cd5408595a7b2de61
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFA17A7173487F60C2.TMP
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1ac507.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DPS6N9IOGLI3WTHI1OIQ.temp
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF1a766a.TMP
binary
MD5: 3fa19443ba3fab9113f41fcce375b8c4
SHA256: a032b60ceac8155d0c2e660e53bf9042f70c4d45c7f6725ff57141f1b4ec6ac2
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8658U5ERN91MY3KYU6WX.temp
––
MD5:  ––
SHA256:  ––
2428
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~DF3AC6677B20095881.TMP
––
MD5:  ––
SHA256:  ––
2428
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E3A83659-9AAB-45E7-B35E-52BB708F4F6F}.tmp
document
MD5: 08155fd66df80dad8fa6fd64ea0c8ef9
SHA256: 70935acd5fc02b2cd43a8e9b45c83a66defd8bace0b59e0c1369c2d39a8a32b8
2428
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C58563A2-C5E0-40DB-B2CD-E9504A3B7233}.tmp
smt
MD5: 5d4d94ee7e06bbb0af9584119797b23a
SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
2428
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7AA2666D-2184-4D01-B882-8DC1E7171072}.tmp
––
MD5:  ––
SHA256:  ––
2428
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FB118CC.jpg
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\search[1].json
text
MD5: 449f61c84cd2f7342f95403c908c0603
SHA256: 19170bd75edc0b5183a2f9fcc3001d9d222deff61e5915ad1127b65ab581a2a1
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\9D00U923.txt
text
MD5: 1e2933a924015f02065f834c4f825c81
SHA256: 62ca9c02ba73118d1a7888af8d978f3b9b7ff164553bba595ddac7306e7ede24
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Y1VCAIIZ.txt
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.2
binary
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\suggestions[1].en-US
binary
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\T3EZ71D1.txt
text
MD5: 046df708c1824dfd8e2bfe3ec1517bc0
SHA256: e5aba183f72cadb918e8f8ada35b452e819cb2dd24ab7a95cb77c48ec4fcd83c
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\A9G3URLL.txt
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Q9OAXMOW.txt
––
MD5:  ––
SHA256:  ––
1260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B57C360C-EAC2-11E9-9008-5254004AAD21}.dat
binary
MD5: 23729f2ba54b27d405869c1250251755
SHA256: b5879e74180e8503dcd8139ac491608da2e824f06178ba3a8a0a74ecf3712ab1
1260
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF8C78938915472DBC.TMP
––
MD5:  ––
SHA256:  ––
1616
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
1616
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\info_48[1]
image
MD5: 5565250fcc163aa3a79f0b746416ce69
SHA256: 51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
1616
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\down[1]
image
MD5: c4f558c4c8b56858f15c09037cd6625a
SHA256: 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
1616
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\bullet[1]
image
MD5: 26f971d87ca00e23bd2d064524aef838
SHA256: 1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d


Network activity

HTTP(S) requests: 53
TCP/UDP connections: 104
DNS requests: 58
Threats: 105

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1952 IEXPLORE.EXE GET 200 47.74.181.177:80 http://elitefireandsafety.com/download.html US
html
malicious
1260 iexplore.exe GET 404 47.74.181.177:80 http://elitefireandsafety.com/favicon.ico US
html
malicious
2072 svchost.exe POST 200 95.169.181.133:80 http://avantusthea.com/4/forum.php DE
text
text
malicious
2072 svchost.exe GET 200 173.201.96.128:80 http://kylemarketing.com/wp-includes/widgets/1 US
binary
malicious
2072 svchost.exe POST –– 95.169.181.133:80 http://avantusthea.com/mlu/forum.php DE
mp3
––
––
malicious
2072 svchost.exe GET 200 173.201.96.128:80 http://kylemarketing.com/wp-includes/widgets/2 US
binary
malicious
2072 svchost.exe GET 200 192.254.233.200:80 http://domainnamesexpert.info/wp-content/plugins/iSEO/a US
binary
malicious
2072 svchost.exe GET 200 173.201.96.128:80 http://kylemarketing.com/wp-includes/widgets/4 US
binary
malicious
1980 BNF883.tmp GET –– 31.44.184.123:80 http://31.44.184.123/CjnA RU
––
––
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
1616 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/CQjsBiIeHTq0mAMT/FoYLLYNXVDQLARh/5kPDuGm2DifFBAmmP9/B5ULJdMHF/H_2BEIqDVp0bBPtZba0Q/_2FTDII6Xgsaza1nbSd/7qe8C6t_2F8ZAU1WfcKriw/t1GxiYhkp6co_/2BNuvM3H/vHN8l_2BzYtmucR1J65HiFQ/C8Srx0j7uq/FspwICFvLFjtTQEod/_2FErHE3YdxG/8u3nyTSF0TY/VlMoo6ij2/Xij2 US
html
malicious
1616 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/PK5rA_2F0tnucvG/JqrMxrSPNS4KMYJw3S/iMQsHH6XU/0l6EIZWEIh5_2BgsjqzD/qvvAFwsl1N7Io4iQ7LK/m1u7Wzwrrun0t_2BCrB7RE/Ga7QiyUS3GCNZ/RG4kapj4/BEKnTvr8tg_2BIlvP2nEBcC/5ASEcr2Lbc/h4hqSkH0lJSjCe4W6/Xeh8Zn9EGHTS/HXBEPj5nndc/MfrQn7rfIe0E6e/AIAQLOgiiUuplOi52WtHf/bhvrfMD2xc/j US
html
malicious
2564 svchost.exe POST –– 95.169.181.133:80 http://avantusthea.com/d2/about.php DE
mp3
––
––
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2072 svchost.exe POST 200 95.169.181.133:80 http://avantusthea.com/4/forum.php DE
text
text
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2072 svchost.exe POST 200 95.169.181.133:80 http://avantusthea.com/4/forum.php DE
text
text
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/V4z1iet_2FtggHw7/HnjMok2igF_2BYX/TuJkaHF2LzlgOUyra6/BpXtnpykU/5lEYwB8sMKLUdUhiwpBM/fn4wsPH8ak6kfWWaqx0/9U9WtFg1lucxJFORxfsTnE/sy13KgltdMEV4/08npCZNV/ASaVqF_2Fe7rx0_2FV5jibN/aLGYDqeaHJ/1w_2BV7vWpqxRhC4w/dyD58_2FHPhW/o5DINBViDnq/udiNm5DCti3f/9 US
html
malicious
2072 svchost.exe POST 200 95.169.181.133:80 http://avantusthea.com/4/forum.php DE
text
text
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/q61JZBE7_2BzryzB/Ji58mTSJD8qvc5u/nGi6qax8xpllDBo1FK/cQj6kFhcq/tJIDutVu7_2Buca_2Fs7/ALUVSjrqcQUxkj8MG1e/1RlfCF46PjgYbrOx4050S2/WXAjHap9aYPkr/pjYYV9_2/B1kcqKA5vgr_2FP40OvuLAc/xLDDeTXkMg/WBD84nlFq6NWaqi9J/WLKTLS5iJep0/FZcdYnM4yxK/lkeoHmSlMdqzk7/MqwHajA0p9x5GUfdN/o US
html
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/rP_2BRMr9NG7THglYWZiPMg/qZcFl28Cig/Uq4tdXYrLZ4ibPQTH/QdDAvtzs1Zfq/EaoGEt7FvM_/2BqkJpw5STscPi/c6eq_2FSOufCzbauXTwnO/pLkM67t7sMVdm8wy/UfCweCSHYKvMTIG/GHrAQPwTKcR5lj0U6W/xxoWBlGl8/1aLGKZWne1JeTyT4lg4G/BBvNjjKzBh_2FIBx1Wf/QbN1j_2BAol54ItP3B9pgj/EkGCy_2FeGlq32SDV/4xn US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/wSVtb2neXsc8GvgniXV88T/Y_2FEmYylIkZm/twEc0a7B/jWH4ZqvDhOHWKr3wj1tXKb8/v2hwucNBbs/U3cPiN_2B5TFfIVEO/tKEluSW8Xm_2/BZDF0lXpkSe/VW7niEoRs9uX5d/QZWm6AF4VV_2FoSvXUP_2/FWdzGs4mm2Mm9LW2/ZjS2v06SfmqwV1t/t_2BxBkn74p7VGBrJv/K1myE3opT/sTG14gapjlX6jfRdmsg2/mZ1CQzMrO15Rm2U/ba_2B US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/vlhfvBdmSx0BpaW/6z422lLLwIO7AnupVz/AIc0S9SHp/kOa5lnlsTEMHvaigA5ih/O_2BDiG5vclqHrFWx_2/FefmMFO7fd3kptZje_2F3B/GNAyaX1M1JVoI/Z8k5STIc/YoH40y7OjwVLL_2FGfDnq1H/paEF1OULiP/hqG3sq6iHiVaRHDRY/K2iGYDsd1sXQ/6b3HrNBlOJ9/EowcAgMqVt0KlF/ucTG_2BWjE/fnT US
html
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/8f0DihXa2je4/naChIjbKhdU/nCs0BSZuAKw_2F/5HlXAcU0l9WyiGb7tnJlk/KwxSaPMKH4l_2FAW/Dkf0uI_2FETJYaG/3e7KaFCCF_2BP519iE/fee5_2FkU/jxQ2YV8Vzz5GcAX65Uj1/IrjrWmKeKooKt20vKHv/rCgW_2BFCxJ_2Bv01_2FvC/llrOv0wuIChql/ImU_2Bn6/yMmOFxaCGwDr33itQSNgGSZ/b6llU76HgP/c77PRPuDoifEL3TfC919S/V US
html
malicious
2072 svchost.exe POST 200 95.169.181.133:80 http://avantusthea.com/4/forum.php DE
text
text
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/W0yibBHSBV/CWf3qik3wSbBRfuyu/S6MehfT04nox/vHsoMU_2B1H/P7X518BZyO5zdI/RRbnybLoANfKAhlP7H0Xj/x2RzI_2BaoZHnRTQ/IDd8Y8i7vg_2F8C/D5QI4rIF53D_2FlkFJ/jX8sHfRGF/ojo6hUfWCpODh4w_2Bma/wabbwKQe83QfZQNT6_2/BowjTmQtarGm4WYokGlIpv/xxbqLjuBttt4n/29zrVgNN/xtZCdiBrZAFJ55JrG6wEB_2/B US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/Kz0ukkycesN3woAcidYG/TNMrnJD5Mn_2FnN_2Bc/XYy4CjiHH1vxxG56D9wD_2/FrDuQc2IRNC6g/CoaYrHyv/l31TkHhZg_2BR0F0wSKk7bv/jH0ZVwJLT1/llTkUcdTeCm4tXf1k/IFhr9RqjbBuO/PEdActoEBG0/9p3XgccyxzhHue/WuhdG9m7_2BoBp64BqX9d/_2Bdq3JLcP3W_2B6/bNSJRYojxr9WhE5/ge2CPP6JBkrjQolXMx/NOFANtLOL/1 US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/ZD0p5fZsRTYin/8MrR7_2F/vL05r2_2FvFyrkU0wzs_2FY/Et_2BYmkVN/Ul5MLLJUwgMJ28fzq/atA4RfsMgs3K/HbP3wu_2Bzt/tl43iKzEO9l_2B/l0FRjrg3Cf0nEGR3fuT3v/KZ_2FmNa7QdKu_2F/h_2Fc2k_2FpV1oO/7QgyNTUyx_2B5JufEj/CDq_2FCMn/1thH9T2PIyMB8TTuiIwW/Bwlq57WR5eF_2FCjrxG/bdX6l6XCfBtrC1xUhBztLH/d5z1NLF7e/zR9S US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/lJG8d4agpWDl2/qrLL6PvS/1doLP_2FvV0dKVOWqsdHjaK/efZhOCtm4Q/_2FjB5ijU7i9BUa1R/_2B6bdFZ3oBQ/dGuGrd5nzPu/v_2Fr6spMNjMqn/58YHqxPSXkk8K10BbeFnK/0NeFmn4QBfREWO49/7Hd6RyFEhQ9wX9o/CZ2S119n5KdWlVcXph/_2B3ccFKK/VG8w1H8Bp77tplnmKPP9/KId6LBFtZcExvqAlDYM/4JblfxPHIB_2FH1Ondj/OP US
html
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/RQtWPETF6du7wD57XhV2/9L1y8JotQVFJMtQs1Ff/fDnLnPywSUO_2BVefktC3x/yayBpjtRRgNQn/HZDm_2FL/vNc_2B6shv0gLqNGK33og_2/F_2FpWdruo/z8Q8uPGR88UxQdiBK/SxSznvHRUcb9/A1c6rJQg1Gn/dnDb9efxDmPtJy/_2FUBcutrfgi375Rhityx/NtsrTeZVRUK6NaE8/afGzCStGPlxVGgo/QmwKlm7XbgIK_2FOFR/zhkYvUhi6/E US
html
malicious
2072 svchost.exe POST 200 95.169.181.133:80 http://avantusthea.com/4/forum.php DE
text
text
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/o_2B9d3iBOJ1EC9XSIWvkgM/6HgmUSaS3n/81TkA8FZxueLiOLM6/St9invaHclQ2/WuMQ2DZMi_2/BR4A7aPMGegmOh/hZpzndOT7hrbHXfydZKjH/rHZ2TUBizUMUTY6M/Rn14PqDSO32lwOF/InFOp0R9jn0pMpIjCx/OaO7c8blT/uxbZN02c0fLRWV2hTwAu/lWNhUgVDIAe8YMZ1qvN/rOjRnkMo_2Bg9dR8L5v6Qc/bHEM5Y77Y/xgZYN US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/aOcdsA_2Fv/N_2F1E2_2BnajdVmZ/FSlWXq1uYJo4/TI6PlKxKmJC/LTEOtruDgwmJfa/vHEdIeRLwIgZ8raUSTEEM/G79nilRV8sC3mYKN/DGj3gYrxZGyT9iP/NYLSB3c3GMLiTYNVlC/dHc2BkbnL/JE5I5mEetONXq_2FRwh6/zpvmbIG3SIri_2B_2F_/2BXwSKKkjKK4Qn_2FFLhf_/2BLQXKHBlaOgK/M8fOwcgM/VAMOlgM US
html
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/UU13qvE1n9H/LP7SHSZaCtwB_2/FCpdDaB84lT9OwmHxK_2F/EdPFoMXf9MVDk09P/_2B2wZNuk8kqyHt/JJsuEIDDN3_2FIvlq9/KINlWTDnk/OpzA4eETRJN71hRq5rij/217IEs3p4NRk7Bnj0Eg/i_2Bv7BJic_2FazaVjpWjo/8xe5wfiB1M3jV/s0NIUvTU/29LaIsqdESjnNo26rZxe02E/ap_2BKFxdj/ZYx5Tzz0tzLBDKJRA/mEV1LppcW/3n0i US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/UcbHGIzW7xNR/GRYA1WCW316/HFaeA5vJOHHBNb/sdcLEOL6yW1UUIlTCbP3A/UqzRJTB92EXviGMC/2j_2Bfny8qQWv6z/5QxpGhoMTj5UX_2Bee/ez_2F0Nv6/KjDdCDL3uOq0EilXfYRM/pOuyTH8W50CXcYKPshy/Ah2BV1IT6KYHFambmytElD/U4I0_2BuT59C6/ZTYn0td7/yF3p5DGnUdBDhx9HbMEKZA0/w5Q3CPGlXu/2N_2B6ACg/PJbZH US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/WRUQZMi9wnczL0g/LoJsa8CqRTIAmgFg2F/BN2oDAfFn/_2FmpjPf5PEO_2F6wCyl/o_2BAzIMgLZ3cTKX2aS/YD3kktlM_2BHi9N0h1uDHn/Z78Fh2EB2l97r/zW_2BJJw/_2BQJqcJMc8zH8G6TIP5moz/TtrXJEco3D/YKeVBAtTKQZKxAHWx/muLmkQ2zvthB/nxufk1j_2BT/IdXJ6DNePyJdRA/ME87n1LOnmGmM6RRecsIy/W4iRc6GpPsQTKy/ALK US
html
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/E_2FErQLOjs_2BuD8amS/qov2CzCt7L1KMQ_2BXb/1DZSE_2FueqR9C9MvTQAK_/2B7PmkBqJcvtW/nPQP0lUB/yNxjwQdLZ1I8YeJgMhe4X38/6mBfhueH1S/lBOatwyhPEmdsKV3V/sUBxmVEJfI1n/36eIN0xDmCd/ZzWNW7WUquqHiZ/S4vaWcwX9H_2BtLtEUk0m/DQf4mRvRv4ZGHB_2/BQv91uWGMnN/TfIgI1bh2/bL US
html
malicious
2072 svchost.exe POST 200 95.169.181.133:80 http://avantusthea.com/4/forum.php DE
text
text
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/RGM2Z9_2BF4QxFaryet/EhSCAz_2FDqpsrRvPOCp7u/ureS20oEJJ_2B/2gib_2Ba/gnbAqqf8_2Fz1Rq8bIaweGk/9cUCSG03FV/YiT6_2BQBEoI_2F19/B_2FvbHCybH4/rwuRB6bBzS6/Ups6qwiPEulot9/51JyYydMEz6tJmh95PXYP/IVyF6RXf141oJ3m_/2F484pL_2FASaZI/qIiurOO3cEXuoLaV5_/2BLci74zHzB63x/jVn US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/zo2_2Batmmr/bIBBQZhkaiUITN/f1bzsliu0E4XAUN19qlfg/p5GmJ0hR8tmx8_2B/618ifuGJ24UewCu/b2wbpAbGqwjiFH0IjY/xMdQg5o6_/2FSe8GPk2iRaV7AAmMd2/mDr2naD_2F1yfZcrno_/2FDjRujVQPTc_2Bi22oGFy/tsOxyzqZt1GQo/XLLW3ORC/MYLZ9vbOcWKpWrCBKxbEvy5/XdA1aoAmFMbESG/DPS US
html
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/3k9S9GxL9riCBLH/uJ13PgIvSP5nrvtNRT/OOM7ou1LA/WJEOc5WUdWjkHR4PeTSp/nCCogLBo_2FSSnPp1_2/BYw_2BOo_2F1kUY5lEbZH1/md1PcJity18n_/2BhdbQxs/Hs6ELLgsuOEmv98uMGbsHEX/4SzkibNX7F/nHpNZ73mdWgXeT3k0/xUfNDkpLVz6X/sBmpNq2hlg_/2FPdlQwS8C65qu/G8F3qe3lUaumyrIFRMdYu/PmURCtnMj/5Fm11B US
html
malicious
2256 IEXPLORE.EXE GET 404 47.254.144.71:80 http://has.votaritar.at/webstore/deLRBPkGB57p3C87NwJ0/xPuRX6SltHKoJhsaDjK/G18WOyDrJYqJRFoMGqGVyq/931CqveWTlu1B/TiNjt2Fo/oWUtcU_2BdBSrO6V_2FnMNH/EpnvE_2BWl/wVVDw41Ymjo_2Bt2m/WuhTAcXZ4fj3/sIaQ_2FCPBr/Aw8aPz8N_2Bkl1/MRiBEFmLGCbh3SQzCSKNu/TVBSG9GtRciLhLgC/332zRgjkfCe497SZ23r/Z US
html
malicious
1980 BNF883.tmp GET 200 31.44.184.123:80 http://31.44.184.123/pixel.gif RU
––
––
malicious


Connections

PID Process IP ASN CN Reputation
1952 IEXPLORE.EXE 47.74.181.177:80 Alibaba (China) Technology Co., Ltd. US malicious
1260 iexplore.exe 47.74.181.177:80 Alibaba (China) Technology Co., Ltd. US malicious
1260 iexplore.exe 204.79.197.200:443 Microsoft Corporation US whitelisted
2072 svchost.exe 23.23.229.94:80 Amazon.com, Inc. US malicious
2072 svchost.exe 95.169.181.133:80 Keyweb AG DE malicious
2072 svchost.exe 173.201.96.128:80 GoDaddy.com, LLC US malicious
2072 svchost.exe 192.254.233.200:80 Unified Layer US malicious
2564 svchost.exe 95.169.181.133:80 Keyweb AG DE malicious
1980 BNF883.tmp 31.44.184.123:80 Petersburg Internet Network ltd. RU malicious
1260 iexplore.exe 152.199.19.161:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
280 BNFA78.tmp 8.8.8.8:53 Google Inc. US whitelisted
1616 IEXPLORE.EXE 47.254.144.71:80 Alibaba (China) Technology Co., Ltd. US malicious
1260 iexplore.exe 2.19.38.59:443 Akamai International B.V. –– whitelisted
1260 iexplore.exe 204.79.197.203:443 Microsoft Corporation US whitelisted
1260 iexplore.exe 13.92.246.37:443 Microsoft Corporation US whitelisted
2256 IEXPLORE.EXE 47.254.144.71:80 Alibaba (China) Technology Co., Ltd. US malicious
–– –– 47.254.144.71:80 Alibaba (China) Technology Co., Ltd. US malicious

DNS requests

Domain IP Reputation
elitefireandsafety.com 47.74.181.177
malicious
www.bing.com 204.79.197.200
13.107.21.200
whitelisted
api.bing.com 13.107.5.80
whitelisted
api.ipify.org 23.23.229.94
54.243.198.12
23.23.243.154
23.23.73.124
23.23.83.153
50.19.218.16
54.243.147.226
107.22.193.167
shared
avantusthea.com 95.169.181.133
malicious
kylemarketing.com 173.201.96.128
malicious
domainnamesexpert.info 192.254.233.200
malicious
iecvlist.microsoft.com 152.199.19.161
whitelisted
r20swj13mr.microsoft.com 152.199.19.161
whitelisted
has.votaritar.at 47.254.144.71
malicious
ieonline.microsoft.com 204.79.197.200
whitelisted
go.microsoft.com 2.19.38.59
whitelisted
www.msn.com 204.79.197.203
whitelisted
query.prod.cms.msn.com 13.92.246.37
whitelisted
dns.msftncsi.com 131.107.255.255
whitelisted

Threats

PID Process Class Message
1952 IEXPLORE.EXE A Network Trojan was detected MALWARE [PTsecurity] Hex Encoded PE EXE or DLL Windows file download
2072 svchost.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup api.ipify.org
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Hancitor POST Data send
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
2072 svchost.exe A Network Trojan was detected ET TROJAN Fareit/Pony Downloader Checkin 2
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Backdoor.Cobalt
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
2564 svchost.exe A Network Trojan was detected ET TROJAN Fareit/Pony Downloader Checkin 2
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Zloader or Terdot.A Banker Check-in inbound
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Hancitor POST Data send
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Hancitor POST Data send
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Hancitor POST Data send
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Hancitor POST Data send
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Hancitor POST Data send
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Hancitor POST Data send
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed
1980 BNF883.tmp A Network Trojan was detected MALWARE [PTsecurity] Cobalt Strike Beacon Observed

73 ETPRO signatures available at the full report

Debug output strings

Process Message
–– base\diagnosis\diagtrack\engine\heartbeat.cpp(199)\diagtrack.dll!000007FEFA23DA84: (caller: 000007FEFA23D257) ReturnHr[PreRelease](60) tid(50c) 80070510 The requested file operation failed because the storage policy blocks that type of file. For more information, contact your system administrator.
–– base\diagnosis\diagtrack\engine\heartbeat.cpp(199)\diagtrack.dll!000007FEFA23DA84: (caller: 000007FEFA23D257) ReturnHr[PreRelease](60) tid(50c) 80070510 The requested file operation failed because the storage policy blocks that type of file. For more information, contact your system administrator.
–– base\diagnosis\diagtrack\engine\heartbeat.cpp(199)\diagtrack.dll!000007FEFA23DA84: (caller: 000007FEFA23D257) ReturnHr[PreRelease](60) tid(50c) 80070510 The requested file operation failed because the storage policy blocks that type of file. For more information, contact your system administrator.