General Info

File name

454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111

Full analysis
https://app.any.run/tasks/3ed67abd-4cc2-4324-bfda-1ae691583600
Verdict
Malicious activity
Analysis date
2/10/2019, 17:20:15
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

gandcrab

trojan

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

c8b8a95bb271b661ca6a5bbda914b33a

SHA1

d2432c48a146f7ac7afaaebf58cd2050f8b5672a

SHA256

454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111

SSDEEP

12288:hdpI8dpIq7e7OWx35OYTKWbfzjUFkMouhJpKilTI9T817WgEDWjwxrZeC5r/jTIX:hd28d2B7kYTM0jFrs4/YJOlHH3qSr27X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Deletes shadow copies
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Dropped file may contain instructions of ransomware
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Connects to CnC server
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Changes the autorun value in the registry
  • reg.exe (PID: 1516)
Renames files like Ransomware
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Changes settings of System certificates
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
GandCrab keys found
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Writes file to Word startup folder
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Actions looks like stealing of personal data
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Creates files in the user directory
  • Skype.exe (PID: 3324)
  • Skype.exe (PID: 2884)
  • Skype.exe (PID: 3712)
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3412)
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Reads Internet Cache Settings
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Modifies the open verb of a shell class
  • Skype.exe (PID: 3712)
Uses REG.EXE to modify Windows registry
  • Skype.exe (PID: 3712)
Reads CPU info
  • Skype.exe (PID: 3712)
Application launched itself
  • Skype.exe (PID: 3712)
  • Skype.exe (PID: 2884)
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 2956)
Adds / modifies Windows certificates
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Creates files like Ransomware instruction
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Reads internet explorer settings
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3700)
Reads the cookies of Mozilla Firefox
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Creates files in the program directory
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)
Changes tracing settings of the file or console
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3412)
Reads settings of System Certificates
  • Skype.exe (PID: 3712)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2508)
Creates files in the user directory
  • WINWORD.EXE (PID: 2508)
Dropped object may contain TOR URL's
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3512)


Static information

TRiD
.dll
|   Win32 Dynamic Link Library (generic) (43.5%)
.exe
|   Win32 Executable (generic) (29.8%)
.exe
|   Generic Win/DOS Executable (13.2%)
.exe
|   DOS Executable Generic (13.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2012:08:28 21:03:59+02:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
667648
InitializedDataSize:
49152
UninitializedDataSize:
null
EntryPoint:
0x1100
OSVersion:
4
ImageVersion:
1.5
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.5.0.1
ProductVersionNumber:
1.5.0.1
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
FileDescription:
cites7
ProductName:
Agriculturally
FileVersion:
1.05.0001
ProductVersion:
1.05.0001
InternalName:
DIABOLICAL
OriginalFileName:
DIABOLICAL.exe
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
28-Aug-2012 19:03:59
Detected languages
English - United States
FileDescription:
cites7
ProductName:
Agriculturally
FileVersion:
1.05.0001
ProductVersion:
1.05.0001
InternalName:
DIABOLICAL
OriginalFilename:
DIABOLICAL.exe
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000B0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
28-Aug-2012 19:03:59
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x000A22E0 0x000A3000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 7.01513
.data 0x000A4000 0x00000D58 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x000A5000 0x0000A542 0x0000B000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.17273
Resources
1

30001

30002

30003

30004

30005

30006

30007

30008

30009

30010

Imports
    MSVBVM60.DLL

Exports

    No exports.

Processes

Total processes
58
Monitored processes
18
Malicious processes
3
Suspicious processes
0

Behavior graph

start 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe no specs winword.exe no specs 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe no specs #GANDCRAB 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe no specs wmic.exe vssvc.exe no specs notepad.exe no specs rundll32.exe no specs skype.exe skype.exe reg.exe skype.exe no specs reg.exe no specs skype.exe skype.exe no specs skype.exe no specs skype.exe no specs

Process information


PID
2956
CMD
"C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll

PID
2508
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\inniii.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\proof\mssp7en.dll
c:\program files\microsoft office\office14\mscss7en.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\program files\microsoft office\office14\css7data0009.dll
c:\program files\microsoft office\office14\mscss7cm_en.dub
c:\program files\microsoft office\office14\mscss7wre_en.dub
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
3412
CMD
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
No indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crtdll.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll

PID
3512
CMD
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\kbdus.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
3700
CMD
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
No indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
admin
Integrity Level
MEDIUM
Exit code
1337
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll

PID
3964
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2808
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

PID
2964
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\YARLEZHABZ-DECRYPT.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

PID
3792
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\inniii.rtf.yarlezhabz
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll

PID
3712
CMD
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"
Path
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Skype Technologies S.A.
Description
Skype
Version
8.29.0.50
Modules
Image

PID
2672
CMD
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Skype Technologies S.A.
Description
Skype
Version
8.29.0.50
Modules
Image

PID
1516
CMD
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
2884
CMD
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=37E0F359D99B332B83BE5DEF42999AB5 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=37E0F359D99B332B83BE5DEF42999AB5 --renderer-client-id=3 --mojo-platform-channel-handle=1540 /prefetch:1
Path
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Indicators
No indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Skype Technologies S.A.
Description
Skype
Version
8.29.0.50
Modules
Image

PID
2772
CMD
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
2756
CMD
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Skype Technologies S.A.
Description
Skype
Version
8.29.0.50
Modules
Image

PID
3324
CMD
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=0E1CE680E7AA12D0A6FEB8B817A6C626 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=true --webview-tag=true --no-sandbox --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0E1CE680E7AA12D0A6FEB8B817A6C626 --renderer-client-id=5 --mojo-platform-channel-handle=1796 /prefetch:1
Path
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Indicators
No indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Skype Technologies S.A.
Description
Skype
Version
8.29.0.50
Modules
Image

PID
2896
CMD
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --disable-databases --service-pipe-token=533EE68F0B38868AB5A214C4F5766962 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --guest-instance-id=1 --enable-blink-features --disable-blink-features --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=533EE68F0B38868AB5A214C4F5766962 --renderer-client-id=7 --mojo-platform-channel-handle=1840 /prefetch:1
Path
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Indicators
No indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Skype Technologies S.A.
Description
Skype
Version
8.29.0.50
Modules
Image

PID
3744
CMD
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --disable-databases --service-pipe-token=44D9F8905A552CF1A24BFE01DA65A865 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --guest-instance-id=1 --enable-blink-features --disable-blink-features --context-id=1 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=44D9F8905A552CF1A24BFE01DA65A865 --renderer-client-id=8 --mojo-platform-channel-handle=2568 /prefetch:1
Path
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Indicators
No indicators
Parent process
Skype.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Skype Technologies S.A.
Description
Skype
Version
8.29.0.50
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
c:\program files\microsoft\skype for desktop\vcruntime140.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\microsoft\skype for desktop\ucrtbase.dll
c:\program files\microsoft\skype for desktop\api-ms-win-core-localization-l1-2-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\microsoft\skype for desktop\api-ms-win-core-file-l1-2-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-core-file-l2-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-core-synch-l1-2-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-string-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-math-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-time-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\microsoft\skype for desktop\api-ms-win-crt-conio-l1-1-0.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sechost.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleacc.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll

Registry activity

Total events
1538
Read events
1124
Write events
410
Delete events
4

Modification events

PID
Process
Operation
Key
Name
Value
3712
Skype.exe
write
HKEY_CLASSES_ROOT\skype
URL Protocol
3712
Skype.exe
write
HKEY_CLASSES_ROOT\skype
URL:skype
3712
Skype.exe
write
HKEY_CLASSES_ROOT\skype\shell\open\command
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" -- "%1"
3712
Skype.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
4*#
342A2300CC090000010000000000000000000000
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1313472543
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472656
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472657
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
CC09000016A76B975CC1D40100000000
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
7,#
372C2300CC09000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
j.#
6A2E2300CC09000006000000010000005400000002000000440000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C0069006E006E006900690069002E00720074006600000000000000
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{4AC667DB-AC7C-455F-AC9B-65ABD74AD8A3}
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4C15C98A18060][O00000000]*C:\Users\admin\Desktop\
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4C15C98A18060][O00000000]*C:\Users\admin\Desktop\inniii.rtf
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\19BC71
19BC71
2508
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472553
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472554
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472553
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472554
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472574
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472575
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472555
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472556
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472555
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472556
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472576
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472577
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472578
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472579
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472580
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472581
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Arial Unicode MS
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Batang
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@BatangChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DFKai-SB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Dotum
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DotumChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@FangSong
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gulim
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GulimChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gungsuh
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GungsuhChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@KaiTi
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Malgun Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo UI
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft JhengHei
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft YaHei
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Mincho
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PGothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PMincho
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS UI Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@NSimSun
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimHei
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Agency FB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aharoni
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Algerian
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Andalus
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Angsana New
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
AngsanaUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aparajita
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arabic Typesetting
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Black
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Narrow
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Rounded MT Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Unicode MS
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Baskerville Old Face
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Batang
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BatangChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bauhaus 93
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bell MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB Demi
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bernard MT Condensed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Blackadder ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Black
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Condensed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Poster Compressed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Book Antiqua
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookman Old Style
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookshelf Symbol 7
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bradley Hand ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Britannic Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Broadway
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Browallia New
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BrowalliaUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Brush Script MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calibri
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Californian FB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calisto MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria Math
1
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Candara
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Castellar
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Centaur
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Schoolbook
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Chiller
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Colonna MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Comic Sans MS
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Consolas
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Constantia
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cooper Black
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Light
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Corbel
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cordia New
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
CordiaUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier New
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Curlz MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DaunPenh
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
David
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DFKai-SB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DilleniaUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DokChampa
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Dotum
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DotumChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ebrima
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Edwardian Script ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Elephant
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Engravers MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Bold ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Demi ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Light ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Medium ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Estrangelo Edessa
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
EucrosiaUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Euphemia
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FangSong
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Felix Titling
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Fixedsys
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Footlight MT Light
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Forte
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Book
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi Cond
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Heavy
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium Cond
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FrankRuehl
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FreesiaUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Freestyle Script
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
French Script MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gabriola
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Garamond
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gautami
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Georgia
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gigi
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Condensed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Ext Condensed Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold Condensed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gisha
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gloucester MT Extra Condensed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Old Style
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Stout
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gulim
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GulimChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gungsuh
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GungsuhChe
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Haettenschweiler
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harlow Solid Italic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harrington
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
High Tower Text
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Impact
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Imprint MT Shadow
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Informal Roman
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
IrisUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Iskoola Pota
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
JasmineUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Jokerman
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Juice ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KaiTi
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kalinga
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kartika
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Khmer UI
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KodchiangUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kokila
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kristen ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kunstler Script
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lao UI
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Latha
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Leelawadee
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Levenim MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
LilyUPC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Bright
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Calligraphy
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Console
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Fax
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Handwriting
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Typewriter
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Unicode
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Magneto
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Maiandra GD
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Malgun Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mangal
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Marlett
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Matura MT Script Capitals
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo UI
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Himalaya
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft JhengHei
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft New Tai Lue
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft PhagsPa
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Sans Serif
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Tai Le
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Uighur
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft YaHei
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Yi Baiti
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam Fixed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mistral
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Modern No. 20
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mongolian Baiti
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Monotype Corsiva
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MoolBoran
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Mincho
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Outlook
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PGothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PMincho
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Sans Serif
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Specialty
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Sans Serif
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Serif
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS UI Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MT Extra
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MV Boli
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Narkisim
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Engraved
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Solid
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
NSimSun
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Nyala
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
OCR A Extended
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Old English Text MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Onyx
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palace Script MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palatino Linotype
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Papyrus
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Parchment
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua Titling MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Plantagenet Cherokee
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Playbill
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Poor Richard
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Pristina
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Raavi
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rage Italic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ravie
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Condensed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Extra Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rod
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sakkal Majalla
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Script MT Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Print
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Script
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Light
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Semibold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Symbol
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shonar Bangla
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Showcard Gothic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shruti
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimHei
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic Fixed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun-ExtB
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Small Fonts
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Snap ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Stencil
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sylfaen
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Symbol
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
System
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tahoma
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tempus Sans ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Terminal
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Times New Roman
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Traditional Arabic
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Trebuchet MS
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tunga
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed Extra Bold
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Utsaah
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vani
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Verdana
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vijaya
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Viner Hand ITC
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vivaldi
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vladimir Script
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vrinda
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Webdings
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wide Latin
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 2
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 3
0
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\OnObjectControl
AnimAuto
9
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1313472522
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1313472523
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472658
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472659
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cambria Math
02040503050406030204
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4C15CB5BE8120][O00000000]*C:\Users\admin\Desktop\
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4C15CB5C0F220][O00000000]*C:\Users\admin\Desktop\inniii.rtf
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\19BC71
19BC71
2508
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\19BC71
2508
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
2508
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
BackgroundOpen
0
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472660
2508
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472661
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
133
2508
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
133
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableFileTracing
0
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableConsoleTracing
0
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileTracingMask
4294901760
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
ConsoleTracingMask
4294901760
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
MaxFileSize
1048576
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileDirectory
%windir%\tracing
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableFileTracing
0
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableConsoleTracing
0
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileTracingMask
4294901760
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
ConsoleTracingMask
4294901760
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
MaxFileSize
1048576
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileDirectory
%windir%\tracing
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3412
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
ext
2E007900610072006C0065007A006800610062007A000000
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
public
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
private
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
WpadLastNetwork
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
3700
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3700
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3700
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3700
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
1516
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Skype for Desktop
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe

Files activity

Executable files
0
Suspicious files
428
Text files
353
Unknown types
18

Dropped files

PID
Process
Filename
Type
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\b7021281-500d-4ada-aaa4-859b7344664a.tmp
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json
text
MD5: ff422fb294ec110c8f7ae3f276b4a637
SHA256: 799a0df65a073b238f9d70349007b2e8dd31a8c3b07a7348fb6229c17193a189
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002
bdic
MD5: 58f403a216e2c3c0e21e74a7b98fb720
SHA256: 6f3a0cd803bc7cabf54d1842981f5f78c89fda657b31f04911532a764061df0c
3324
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic
bdic
MD5: 58f403a216e2c3c0e21e74a7b98fb720
SHA256: 6f3a0cd803bc7cabf54d1842981f5f78c89fda657b31f04911532a764061df0c
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json
text
MD5: 3c44f41c98ccd866e8de719a210644c9
SHA256: 37f1d87fb5eef8a74a7d9b49299fcffc41eee86104500844c78ad8608b05f35e
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001
compressed
MD5: 8d2f96b7c0741954d03b949e85d99568
SHA256: 8cb8b6110219f32b3e02c0878be97569324f692b7b5983e6f57aa58f0627f002
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index
––
MD5:  ––
SHA256:  ––
2884
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib
––
MD5:  ––
SHA256:  ––
2884
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.xml
xml
MD5: 02df8a54853ae596182a802682ba9a09
SHA256: bc307965eacfa66f3f7e15614dce8557d5203c011f135dbfff269eb5ac239b4a
2884
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.tmp
––
MD5:  ––
SHA256:  ––
2884
Skype.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf
text
MD5: a8103919ad75af0be73da317817f8731
SHA256: 326bc8b7058f25be4617680e70da4322543c4fd7767729ae3ee0092ea5064b7c
2756
Skype.exe
C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt
text
MD5: ce5d8e1852e07e835e376c2b74c7d628
SHA256: b62954fbe2fb9e8ae65dec5225df8845a85c3d047bcffc5bb45253a3c99f05d9
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json
text
MD5: faec58825850024e7748840f14c7fad3
SHA256: 22d49073640b5a33083abcc9bb4b8c4ac97ebc10c5799f3d829774ed02f1b218
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\CURRENT
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000001.dbtmp
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MANIFEST-000001
binary
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json
text
MD5: b824b7799d66551db274f2f3af93f459
SHA256: 9bde35937e04702bdc453194dfc5d022f3326b843ffe9fd6fe250d2b61040f67
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json
text
MD5: 4ea7f63f71d8394156e1c9fff81d7e23
SHA256: f78e145664aad86805bd51c8e0564d873e6651700e42c5fd14249acc10f7a6b1
3712
Skype.exe
C:\Users\admin\AppData\Local\Temp\f3e3c507-65ad-4d6e-892d-ac650d0fb03a.tmp.ico
image
MD5: 75a3d7765f2f4f8712775b10e1d18003
SHA256: 28854f198091126b6e3a57fe312a3b77c1074cd0b111aed6f7604a2467f52166
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms~RF1c9458.TMP
binary
MD5: 58f4ed68262278592ea8b9d6a80f7740
SHA256: dfc063dc3e10137cdbfefb1ac9052e04b4412206b28a8a97c33a817fe7255077
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms
binary
MD5: 58f4ed68262278592ea8b9d6a80f7740
SHA256: dfc063dc3e10137cdbfefb1ac9052e04b4412206b28a8a97c33a817fe7255077
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0ZMK3V8LBIAFRZPA47UO.temp
––
MD5:  ––
SHA256:  ––
3712
Skype.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json
text
MD5: 885b89529df445427047fe245c7d1ab0
SHA256: 3d0a7b4a81e3e57b2193922b4baead80f57a1e61aaf10f665a4adecb42a89432
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.yarlezhabz
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Videos\Sample Videos\YARLEZHABZ-DECRYPT.txt
text
MD5: 5d0c2e89ebf3222393a207c0fc7e21b5
SHA256: 51640e356cbb5d5fbbe419648a768051092f37d488e0a52483ff234d4ecce2d5
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.yarlezhabz
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\Sample Media\YARLEZHABZ-DECRYPT.txt
text
MD5: 5d0c2e89ebf3222393a207c0fc7e21b5
SHA256: 51640e356cbb5d5fbbe419648a768051092f37d488e0a52483ff234d4ecce2d5
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\YARLEZHABZ-DECRYPT.txt
text
MD5: 5d0c2e89ebf3222393a207c0fc7e21b5
SHA256: 51640e356cbb5d5fbbe419648a768051092f37d488e0a52483ff234d4ecce2d5
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.yarlezhabz
binary
MD5: a4184af8f387fd5dd3384321a4d3026b
SHA256: 92ef08d23f89cb4b003e60b180cd75f5b154c6406e7ba10dcae44ee727e2fc0f
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.yarlezhabz
binary
MD5: f1ce3fe10490cd4ad897161a10c61632
SHA256: 7437bbd81d681270efaea8f52a4e9212ba2b2fdc5ba4561d669080b4ce05a310
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.yarlezhabz
binary
MD5: 03f5d3384fe2f3a40bbb5b9a5219bcf0
SHA256: 9d92f8b41321f26a0549093996593ae09aa4c2c5a8e5dbf59816ab493aefe0bd
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.yarlezhabz
binary
MD5: 610d55b6ba914685a4c9687c0187f09d
SHA256: f8e5cbfa34117819f2abbba94c7414a1fcdffe5478673dd040b5826d09dc10ff
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.yarlezhabz
binary
MD5: 206f01369b27820328bc0822a14200b2
SHA256: d3852a671a5174678123aaae9e9ed0bfd4fdda77a11b9e44377b57f237aa7a85
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
3512
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe