General Info

File name

FinCERT_BAPB_MLW2019061101.zip

Full analysis
https://app.any.run/tasks/56b47676-5702-49c5-b434-844c43a17e67
Verdict
Malicious activity
Analysis date
6/12/2019, 09:05:06
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

rat

redaman

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

afd573d653f196a8d9ba5d1882afc505

SHA1

d97c08130580d675d234cd091db16f10e1b8d890

SHA256

7d11c6f39079e9c885c3656f8455fc9b69dcc9acebf5d034beae2cd31c406c9f

SSDEEP

12288:BJEv9Z23DtXE23UQ8RJec7RDVrppdUOXKi8:BozwtU2eeCVT5Ki8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • OUTLOOK.EXE (PID: 2556)
  • explorer.exe (PID: 116)
  • rundll32.exe (PID: 2908)
  • rundll32.exe (PID: 1040)
  • WinRAR.exe (PID: 2944)
  • rundll32.exe (PID: 3156)
Application was dropped or rewritten from another process
  • Документы 11 июня.exe (PID: 1380)
  • Документы 11 июня.exe (PID: 3396)
Changes the autorun value in the registry
  • Документы 11 июня.exe (PID: 1380)
  • Документы 11 июня.exe (PID: 3396)
REDAMAN was detected
  • rundll32.exe (PID: 1040)
Loads the Task Scheduler COM API
  • rundll32.exe (PID: 2908)
Changes settings of System certificates
  • rundll32.exe (PID: 1040)
Reads Internet Cache Settings
  • OUTLOOK.EXE (PID: 2556)
  • explorer.exe (PID: 116)
Creates files in the user directory
  • OUTLOOK.EXE (PID: 2556)
  • explorer.exe (PID: 116)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3448)
  • Документы 11 июня.exe (PID: 1380)
  • rundll32.exe (PID: 2908)
Uses RUNDLL32.EXE to load library
  • Документы 11 июня.exe (PID: 1380)
  • Документы 11 июня.exe (PID: 3396)
Creates files in the program directory
  • rundll32.exe (PID: 2908)
Executed via Task Scheduler
  • rundll32.exe (PID: 1040)
Connects to server without host name
  • rundll32.exe (PID: 1040)
Adds / modifies Windows certificates
  • rundll32.exe (PID: 1040)
Dropped object may contain Bitcoin addresses
  • explorer.exe (PID: 116)
  • WinRAR.exe (PID: 3612)
Manual execution by user
  • OUTLOOK.EXE (PID: 2556)
Reads Microsoft Office registry keys
  • OUTLOOK.EXE (PID: 2556)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:06:11 14:56:09
ZipCRC:
0x4743c0e5
ZipCompressedSize:
231617
ZipUncompressedSize:
307455
ZipFileName:
[Content] ????뢠?騥 ???㬥??? 11.06.eml

Screenshots

Processes

Total processes
46
Monitored processes
10
Malicious processes
8
Suspicious processes
0

Behavior graph

+
start drop and start drop and start winrar.exe no specs outlook.exe winrar.exe документы 11 июня.exe rundll32.exe #REDAMAN rundll32.exe explorer.exe no specs winrar.exe no specs документы 11 июня.exe rundll32.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
116
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\msxml3.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\systemcpl.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\sppc.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\winsatapi.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\hcproviders.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\program files\common files\microsoft shared\office14\msoxev.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msutb.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\zipfldr.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\progra~1\micros~1\office14\outlook.exe
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\outicon.exe
c:\users\admin\desktop\документы 11 июня.exe
c:\programdata\2daf8815353e\2eac8b16363d.dat
c:\windows\system32\cmpbk32.dll
c:\windows\system32\cmutil.dll

PID
3612
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019061101.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\progra~1\micros~1\office14\outlook.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2556
CMD
"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml"
Path
C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Outlook
Version
14.0.6025.1000
Modules
Image
c:\progra~1\micros~1\office14\outlook.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\microsoft office\office14\addins\umoutlookaddin.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimtf.dll
c:\progra~1\micros~1\office14\1033\outllibr.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\progra~1\micros~1\office14\olmapi32.dll
c:\progra~1\micros~1\office14\1033\mapir.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dwmapi.dll
c:\progra~1\micros~1\office14\contab32.dll
c:\progra~1\micros~1\office14\omsxp32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\mspst32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\progra~1\micros~1\office14\outlmime.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\propsys.dll
c:\progra~1\micros~1\office14\exsec32.dll
c:\windows\system32\tzres.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\progra~1\micros~1\office14\wwlib.dll
c:\progra~1\micros~1\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\progra~1\micros~1\office14\oart.dll
c:\program files\microsoft office\office14\1033\omsintl.dll
c:\progra~1\micros~1\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\msxml6.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\profapi.dll
c:\progra~1\micros~1\office14\omsmain.dll
c:\windows\system32\winmm.dll
c:\program files\microsoft office\office14\addins\colleagueimport.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\program files\microsoft office\office14\onbttnol.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\program files\microsoft office\office14\socialconnector.dll
c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\mfc90u.dll
c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_49768ef57548175e\mfc90enu.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\oleacc.dll
c:\program files\microsoft office\office14\1033\umoutlookstrings.dll
c:\program files\microsoft office\office14\sharepointprovider.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\progra~1\micros~1\office14\outlacct.dll
c:\windows\system32\msident.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\winspool.drv
c:\program files\common files\system\ole db\oledb32.dll
c:\windows\system32\msdart.dll
c:\windows\system32\bcrypt.dll
c:\program files\common files\system\ole db\oledb32r.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\tquery.dll
c:\windows\system32\structuredquery.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\msoeacct.dll
c:\windows\system32\msoert2.dll
c:\windows\system32\inetcomm.dll
c:\windows\system32\inetres.dll
c:\windows\system32\acctres.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\shdocvw.dll
c:\programdata\2daf8815353e\2eac8b16363d.dat
c:\windows\system32\cmpbk32.dll
c:\windows\system32\cmutil.dll

PID
3448
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня (2).001"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
OUTLOOK.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\users\admin\appdata\local\temp\rar$exa3448.19184\документы 11 июня.exe
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\mssprxy.dll

PID
1380
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.19184\Документы 11 июня.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.19184\Документы 11 июня.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Корпорация Майкрософт
Description
Самоизвлечение CAB-файлов Win32
Version
6.00.2900.5512 (xpsp.080413-2105)
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3448.19184\документы 11 июня.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\feclient.dll
c:\windows\system32\advpack.dll
c:\windows\system32\rundll32.exe

PID
2908
CMD
rundll32.exe core.dll,DllGetClassObject root 000000000000 Post Install program: <None>
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
Документы 11 июня.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\ixp000.tmp\core.dll
c:\windows\system32\cmpbk32.dll
c:\windows\system32\cmutil.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\atl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\winscard.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
1040
CMD
rundll32.exe "C:\ProgramData\2daf8815353e\2eac8b16363d.dat",DllGetClassObject root
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\2daf8815353e\2eac8b16363d.dat
c:\windows\system32\cmpbk32.dll
c:\windows\system32\cmutil.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\atl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\winscard.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wtsapi32.dll

PID
2944
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Документы 11 июня.001"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\programdata\2daf8815353e\2eac8b16363d.dat
c:\windows\system32\cmpbk32.dll
c:\windows\system32\cmutil.dll
c:\windows\system32\version.dll
c:\windows\system32\atl.dll

PID
3396
CMD
"C:\Users\admin\Desktop\Документы 11 июня.exe"
Path
C:\Users\admin\Desktop\Документы 11 июня.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Корпорация Майкрософт
Description
Самоизвлечение CAB-файлов Win32
Version
6.00.2900.5512 (xpsp.080413-2105)
Modules
Image
c:\users\admin\desktop\документы 11 июня.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\feclient.dll
c:\windows\system32\advpack.dll
c:\windows\system32\rundll32.exe

PID
3156
CMD
rundll32.exe core.dll,DllGetClassObject root 000000000000 Post Install program: <None>
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
Документы 11 июня.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\ixp000.tmp\core.dll
c:\windows\system32\cmpbk32.dll
c:\windows\system32\cmutil.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\atl.dll

Registry activity

Total events
5465
Read events
4939
Write events
515
Delete events
11

Modification events

PID
Process
Operation
Key
Name
Value
116
explorer.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
a
WinRAR.exe
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
00000000000000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000500000006000000DC21010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
0000000000000000000000000E080000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000500000006000000EA29010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
P:\CEBTEN~1\ZVPEBF~1\Bssvpr14\BHGYBBX.RKR
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF30C7AD4DED20D50100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000600000006000000EA29010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids
Outlook.File.eml.14
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
2
5B0043006F006E00740065006E0074005D002000E600BB00BF00DF00AB00AC002000F100AB00AC002D00AB00F3002000BA00E1002000BB006100AB004600BD006400AC002000BC00D100DF006E00B5002E0065006D006C000000FE003600000000000000000000005B0043006F006E00740065006E0074005D002000E600BB00BF00DF00AB00AC002000F100AB00AC002D00AB00F3002000BA00E1002000BB006100AB004600BD006400AC002000BC00D100DF006E00B5002E0065006D006C002E006C006E006B0000008E0008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000005B0043006F006E00740065006E0074005D002000E600BB00BF00DF00AB00AC002000F100AB00AC002D00AB00F3002000BA00E1002000BB006100AB004600BD006400AC002000BC00D100DF006E00B5002E0065006D006C002E006C006E006B00000070000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.eml
0
5B0043006F006E00740065006E0074005D002000E600BB00BF00DF00AB00AC002000F100AB00AC002D00AB00F3002000BA00E1002000BB006100AB004600BD006400AC002000BC00D100DF006E00B5002E0065006D006C000000FE003600000000000000000000005B0043006F006E00740065006E0074005D002000E600BB00BF00DF00AB00AC002000F100AB00AC002D00AB00F3002000BA00E1002000BB006100AB004600BD006400AC002000BC00D100DF006E00B5002E0065006D006C002E006C006E006B0000008E0008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000005B0043006F006E00740065006E0074005D002000E600BB00BF00DF00AB00AC002000F100AB00AC002D00AB00F3002000BA00E1002000BB006100AB004600BD006400AC002000BC00D100DF006E00B5002E0065006D006C002E006C006E006B00000070000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.eml
MRUListEx
00000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CachePrefix
:2019061220190613:
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CacheLimit
8192
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CacheOptions
11
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CacheRepair
0
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
MRUListEx
020000000100000000000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
000000000000000000000000FC050000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000600000006000000E62F010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
0000000000000000000000009B1D0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000060000008547010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
0000000000000000010000009B1D0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000070000008547010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
000000000000000001000000F9370000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000600000007000000E361010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\OpenWithList
a
WinRAR.exe
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
00000000000000000000000066160000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000070000003B70010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
00000000000000000100000066160000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000080000003B70010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000001000000401F0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000080000001579010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
000000000000000002000000F9370000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000090000001579010003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\BHGYBBX.RKR
0000000000000000020000000D1F0100000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000090000002960020003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000100000001000000401F0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF60B4DF80ED20D50100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000007000000090000002960020003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\OpenWithProgids
WinRAR
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
3
14043E043A0443043C0435043D0442044B04200031003100200038044E043D044F042E003000300031000000A20036000000000000000000000014043E043A0443043C0435043D0442044B04200031003100200038044E043D044F042E003000300031002E006C006E006B000000600008000400EFBE00000000000000002A0000000000000000000000000000000000000000000000000014043E043A0443043C0435043D0442044B04200031003100200038044E043D044F042E003000300031002E006C006E006B00000042000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.001
0
14043E043A0443043C0435043D0442044B04200031003100200038044E043D044F042E003000300031000000A20036000000000000000000000014043E043A0443043C0435043D0442044B04200031003100200038044E043D044F042E003000300031002E006C006E006B000000600008000400EFBE00000000000000002A0000000000000000000000000000000000000000000000000014043E043A0443043C0435043D0442044B04200031003100200038044E043D044F042E003000300031002E006C006E006B00000042000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.001
MRUListEx
00000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
MRUListEx
03000000020000000100000000000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000100000001000000086C0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF60B4DF80ED20D50100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000700000009000000F1AC020003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
P:\Hfref\nqzva\Qrfxgbc\Документы 11 июня.rkr
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF40E73D8DED20D50100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000800000009000000F1AC020003000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D90103000000040000009FA900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000D9010B8CCA760100000000000000537ACA7694030114002000000000000001000000BCE7D90136170A7794030114100854020500000000000000FFFFFFFFD007540200000000B8E7D901E4E7D90100000000000000000000000010E8D90160015C0000000000409167760900800108E8D90135590A77940301148023490305000000F0E7D901506ACB761CC0CF7601000000EF7ACA76940301141D0000000020000008E8D90163590A7710E8D901000000000000000094030114406663760100000074E8D901A1366B76000000000000000070C25B0074E8D901B8366B76E0926E760000000000005300802349030000000070E8D9010000FFFF000100000000000000000000CF676976A822490301000000782349037CE8D901E82CF97670C25B00CF67697698EAD9017823490311000000B8455600B045560000000000FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3612
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019061101.zip
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3612
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
2556
OUTLOOK.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
yy;
79793B00FC090000010000000000000000000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook
MTTT
FC09000060259D4DED20D50100000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
SQMSessionNumber
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\SQM
SQMSessionDate
220079520
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\0a0d020000000000c000000000000046
00030429
03000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
1200000000000000
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400000000000F01FEC\Usage
OutlookMAPI2Intl_1033
1321992213
2556
OUTLOOK.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2556
OUTLOOK.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
C:\Windows\system32,@tzres.dll,-260
(UTC) Dublin, Edinburgh, Lisbon, London
2556
OUTLOOK.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
C:\Windows\system32,@tzres.dll,-262
GMT Standard Time
2556
OUTLOOK.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
C:\Windows\system32,@tzres.dll,-261
GMT Daylight Time
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
OUTLOOKFiles
1321992238
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992336
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1321992222
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992337
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
u;
757F3B00FC090000040000000000000096000000010000008E000000430043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C0045006D00610069006C002E0064006F0074006D00000000000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\0a0d020000000000c000000000000046
000b046b
0000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
1300000000000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
1400000000000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
f"<
66223C00FC090000020000000000000000010000010000008C0000006800000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C006F0066006600690063006500310034005C0061006400640069006E0073005C0063006F006C006C006500610067007500650069006D0070006F00720074002E0064006C006C0000006D006900630072006F0073006F006600740020007300680061007200650070006F0069006E0074002000730065007200760065007200200063006F006C006C0065006100670075006500200069006D0070006F007200740020006100640064002D0069006E000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
%"<
25223C00FC0900000200000000000000C000000001000000700000004400000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C006F0066006600690063006500310034005C006F006E006200740074006E006F006C002E0064006C006C0000006F006E0065006E006F007400650020006E006F007400650073002000610062006F007500740020006F00750074006C006F006F006B0020006900740065006D0073000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
c"<
63223C00FC0900000200000000000000D0000000010000007E0000004600000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C006F0066006600690063006500310034005C0073006F006300690061006C0063006F006E006E006500630074006F0072002E0064006C006C0000006D006900630072006F0073006F006600740020006F00750074006C006F006F006B00200073006F006300690061006C00200063006F006E006E006500630074006F0072000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
`#<
60233C00FC0900000200000000000000CA000000010000008A0000003400000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C006F0066006600690063006500310034005C0061006400640069006E0073005C0075006D006F00750074006C006F006F006B0061006400640069006E002E0064006C006C0000006D006900630072006F0073006F00660074002000650078006300680061006E006700650020006100640064002D0069006E000000
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400000000000F01FEC\Usage
OUTLOOKFilesIntl_1033
1321992215
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
}#<
7D233C00FC0900000200000000000000C000000001000000700000004400000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C006F0066006600690063006500310034005C006F006E006200740074006E006F006C002E0064006C006C0000006F006E0065006E006F007400650020006E006F007400650073002000610062006F007500740020006F00750074006C006F006F006B0020006900740065006D0073000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
}#<
7D233C00FC0900000200000000000000D0000000010000007E0000004600000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C006F0066006600690063006500310034005C0073006F006300690061006C0063006F006E006E006500630074006F0072002E0064006C006C0000006D006900630072006F0073006F006600740020006F00750074006C006F006F006B00200073006F006300690061006C00200063006F006E006E006500630074006F0072000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Resiliency\StartupItems
}#<
7D233C00FC0900000200000000000000CA000000010000008A0000003400000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C006F0066006600690063006500310034005C0061006400640069006E0073005C0075006D006F00750074006C006F006F006B0061006400640069006E002E0064006C006C0000006D006900630072006F0073006F00660074002000650078006300680061006E006700650020006100640064002D0069006E000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\UserInfo
CountQuickSteps
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\SocialConnector
CleanupFolder
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{75E70085-857A-4774-AAEB-8ED77CDEE94C}
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\SocialConnector
AlertTypes
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\SocialConnector
RestartsSinceAlerts
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\SocialConnector
AlertInsertStrings
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\SocialConnector
PeoplePaneModeInspector
3
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1321992223
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Identities
Identity Ordinal
2
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\0a0d020000000000c000000000000046
00030487
4A271E0D
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\3517490d76624c419a828607e2a54604
001f6000
4E006F004D00610069006C000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\434A98E53660D445A713D63EF5ACF013
WriterId
4744375
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\434A98E53660D445A713D63EF5ACF013
LastModification
D0BEC2805A48D401
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\434A98E53660D445A713D63EF5ACF013
MsgEID
00000000EE353A6753D116479D0919B95E8B889A88001000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\6AF88854CE245B4EB4C332CB519E568B
WriterId
4744390
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\6AF88854CE245B4EB4C332CB519E568B
LastModification
D02FC5805A48D401
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\6AF88854CE245B4EB4C332CB519E568B
MsgEID
00000000EE353A6753D116479D0919B95E8B889AA8001000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\5C7DC8C6F60C614BABFDB006BD1B0B51
WriterId
4744390
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\5C7DC8C6F60C614BABFDB006BD1B0B51
LastModification
D02FC5805A48D401
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\5C7DC8C6F60C614BABFDB006BD1B0B51
MsgEID
00000000EE353A6753D116479D0919B95E8B889AC8001000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\92B969BBD7884142A089D84EECF99592
WriterId
4744390
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\92B969BBD7884142A089D84EECF99592
LastModification
D02FC5805A48D401
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\92B969BBD7884142A089D84EECF99592
MsgEID
00000000EE353A6753D116479D0919B95E8B889AE8001000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\05C29760FD93B94B8F9E64929813777E
WriterId
4744390
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\05C29760FD93B94B8F9E64929813777E
LastModification
D02FC5805A48D401
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\05C29760FD93B94B8F9E64929813777E
MsgEID
00000000EE353A6753D116479D0919B95E8B889A08011000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\9CAFACBF643AD24BB93DE56D109B57BA
WriterId
4744390
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\9CAFACBF643AD24BB93DE56D109B57BA
LastModification
D02FC5805A48D401
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\9CAFACBF643AD24BB93DE56D109B57BA
MsgEID
00000000EE353A6753D116479D0919B95E8B889A28011000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\B20C4F250A8F5549B8B6446F946B8809
WriterId
4744390
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\B20C4F250A8F5549B8B6446F946B8809
LastModification
D02FC5805A48D401
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Perf\RoamingStreamsCache\B20C4F250A8F5549B8B6446F946B8809
MsgEID
00000000EE353A6753D116479D0919B95E8B889A48011000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Arial Unicode MS
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Batang
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@BatangChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DFKai-SB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Dotum
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DotumChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@FangSong
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gulim
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GulimChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gungsuh
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GungsuhChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@KaiTi
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Malgun Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo UI
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft JhengHei
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft YaHei
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Mincho
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PGothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PMincho
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS UI Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@NSimSun
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimHei
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Agency FB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aharoni
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Algerian
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Andalus
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Angsana New
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
AngsanaUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aparajita
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arabic Typesetting
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Black
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Narrow
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Rounded MT Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Unicode MS
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Baskerville Old Face
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Batang
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BatangChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bauhaus 93
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bell MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB Demi
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bernard MT Condensed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Blackadder ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Black
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Condensed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Poster Compressed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Book Antiqua
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookman Old Style
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookshelf Symbol 7
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bradley Hand ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Britannic Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Broadway
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Browallia New
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BrowalliaUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Brush Script MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calibri
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Californian FB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calisto MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria Math
1
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Candara
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Castellar
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Centaur
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Schoolbook
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Chiller
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Colonna MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Comic Sans MS
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Consolas
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Constantia
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cooper Black
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Light
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Corbel
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cordia New
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
CordiaUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier New
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Curlz MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DaunPenh
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
David
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DFKai-SB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DilleniaUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DokChampa
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Dotum
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DotumChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ebrima
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Edwardian Script ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Elephant
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Engravers MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Bold ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Demi ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Light ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Medium ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Estrangelo Edessa
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
EucrosiaUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Euphemia
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FangSong
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Felix Titling
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Fixedsys
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Footlight MT Light
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Forte
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Book
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi Cond
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Heavy
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium Cond
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FrankRuehl
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FreesiaUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Freestyle Script
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
French Script MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gabriola
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Garamond
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gautami
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Georgia
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gigi
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Condensed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Ext Condensed Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold Condensed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gisha
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gloucester MT Extra Condensed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Old Style
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Stout
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gulim
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GulimChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gungsuh
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GungsuhChe
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Haettenschweiler
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harlow Solid Italic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harrington
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
High Tower Text
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Impact
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Imprint MT Shadow
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Informal Roman
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
IrisUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Iskoola Pota
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
JasmineUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Jokerman
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Juice ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KaiTi
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kalinga
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kartika
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Khmer UI
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KodchiangUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kokila
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kristen ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kunstler Script
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lao UI
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Latha
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Leelawadee
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Levenim MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
LilyUPC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Bright
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Calligraphy
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Console
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Fax
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Handwriting
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Typewriter
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Unicode
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Magneto
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Maiandra GD
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Malgun Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mangal
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Marlett
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Matura MT Script Capitals
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo UI
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Himalaya
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft JhengHei
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft New Tai Lue
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft PhagsPa
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Sans Serif
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Tai Le
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Uighur
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft YaHei
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Yi Baiti
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam Fixed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mistral
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Modern No. 20
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mongolian Baiti
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Monotype Corsiva
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MoolBoran
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Mincho
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Outlook
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PGothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PMincho
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Sans Serif
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Specialty
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Sans Serif
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Serif
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS UI Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MT Extra
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MV Boli
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Narkisim
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Engraved
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Solid
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
NSimSun
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Nyala
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
OCR A Extended
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Old English Text MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Onyx
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palace Script MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palatino Linotype
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Papyrus
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Parchment
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua Titling MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Plantagenet Cherokee
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Playbill
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Poor Richard
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Pristina
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Raavi
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rage Italic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ravie
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Condensed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Extra Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rod
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sakkal Majalla
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Script MT Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Print
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Script
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Light
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Semibold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Symbol
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shonar Bangla
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Showcard Gothic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shruti
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimHei
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic Fixed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun-ExtB
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Small Fonts
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Snap ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Stencil
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sylfaen
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Symbol
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
System
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tahoma
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tempus Sans ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Terminal
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Times New Roman
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Traditional Arabic
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Trebuchet MS
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tunga
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed Extra Bold
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Utsaah
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vani
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Verdana
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vijaya
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Viner Hand ITC
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vivaldi
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vladimir Script
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vrinda
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Webdings
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wide Latin
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 2
0
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 3
0
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992233
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992234
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992233
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992234
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992254
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992255
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992235
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992236
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992235
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992236
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992256
2556
OUTLOOK.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992257
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
CFF13DD86EF249EBB265E3BFC6501C1D
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
3668071
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
OutlookSecureTempFolder
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\IAM
Server ID
2
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\0a0d020000000000c000000000000046
000b0340
0100
2556
OUTLOOK.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents
LastPurgeTime
26005387
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3448
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019061101.zip
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня (2).001
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000C00105000000000039000000B40200000000000001000000
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000001801060000000000160000002A0000000000000002000000
3448
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000440107000000000016000000640000000000000003000000
1380
Документы 11 июня.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
wextract_cleanup0
rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
2908
rundll32.exe
write
HKEY_CURRENT_USER\Software\1795b22f0f04
41ecc984c611c3e873
E01292CD
2908
rundll32.exe
write
HKEY_CURRENT_USER\Software\1795b22f0f04
41ecc984c611c3e873
E7F9C2712B8A8891F3983B6B6E2770469F4647EC6DE83015123F20B20A6D303BD4E4001536D92B1BD5414D304E6E61FF2461A133FA5DAD57E7C6B3F54626AE5AEB01F68C65D41B3422D7C3E9B8DEDDC703560C26A5C29B1872F66C001106404B5995BF9E241A56C6EE245C9574ED4081
1040
rundll32.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
1040
rundll32.exe
write
HKEY_CURRENT_USER\Software\1795b22f0f04
41ecc984c611c3e873
31F3CF43
1040
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
1040
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
1040
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
1040
rundll32.exe
write
HKEY_CURRENT_USER\Software\1795b22f0f04
82052e428d7349e9fe4582a7
6EBFDD284F271CC20C43919F152E6260C8F1B9D715A0CB19BE0363DE1DAC632C39C03462D5B565AF28515119DFAE8D929D31D5510BFD26589C46614FF9
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2944
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
2
C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019061101.zip
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня (2).001
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\Документы 11 июня.001
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2944
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3396
Документы 11 июня.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
wextract_cleanup0
rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"

Files activity

Executable files
5
Suspicious files
3
Text files
24
Unknown types
9

Dropped files

PID
Process
Filename
Type
2908
rundll32.exe
C:\ProgramData\2daf8815353e\2eac8b16363d.dat
executable
MD5: cb1b3b3d0d8568b3dac8992d53f78942
SHA256: d332cf7493d6d292709cd23c01abbcab8d6151fe42e81ebe3346758f70fc5429
3448
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.19184\Документы 11 июня.exe
executable
MD5: 632ac75cee5a531bcea03e089531a126
SHA256: 41bc30cadea3bf7fee153335d5f1e0e2daf1f33c7316f9f8dfcb85bb3fa12834
116
explorer.exe
C:\Users\admin\Desktop\Документы 11 июня.exe
executable
MD5: 632ac75cee5a531bcea03e089531a126
SHA256: 41bc30cadea3bf7fee153335d5f1e0e2daf1f33c7316f9f8dfcb85bb3fa12834
3448
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3448.19000\Документы 11 июня.exe
executable
MD5: 632ac75cee5a531bcea03e089531a126
SHA256: 41bc30cadea3bf7fee153335d5f1e0e2daf1f33c7316f9f8dfcb85bb3fa12834
1380
Документы 11 июня.exe
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\core.dll
executable
MD5: cb1b3b3d0d8568b3dac8992d53f78942
SHA256: d332cf7493d6d292709cd23c01abbcab8d6151fe42e81ebe3346758f70fc5429
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ConversationPrefs_2_9CAFACBF643AD24BB93DE56D109B57BA.dat
xml
MD5: 57f30b1bca811c2fcb81f4c13f6a927b
SHA256: 612bad93621991cb09c347ff01ec600b46617247d5c041311ff459e247d8c2d3
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
automaticdestinations-ms
MD5: 8078e3bce9461d7d262007e5ae037203
SHA256: 595b6364713fee6869cc245275917c4752ef27f4c1b067ed411113e2d0192df7
3396
Документы 11 июня.exe
C:\Users\admin\AppData\Local\Temp\IXP000.TMP\core.dll
––
MD5:  ––
SHA256:  ––
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms
automaticdestinations-ms
MD5: 095062136eab6364a5274d311f53b3d0
SHA256: 68f9f7ffad4add5d7cd0643b6d0277e43ffe5d75552347e0c91395cb6b0b404e
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня (2).001
compressed
MD5: 15bee066ea635288cc38f276ad7a1e96
SHA256: 451faae35f9895d5ac76dc46d298a32100a2e4f6f19f5c909de1cf46b54f2815
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня (2).001\:Zone.Identifier:$DATA
––
MD5:  ––
SHA256:  ––
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня.001:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
116
explorer.exe
C:\Users\admin\Desktop\Документы 11 июня.001
compressed
MD5: 15bee066ea635288cc38f276ad7a1e96
SHA256: 451faae35f9895d5ac76dc46d298a32100a2e4f6f19f5c909de1cf46b54f2815
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня.001
compressed
MD5: 15bee066ea635288cc38f276ad7a1e96
SHA256: 451faae35f9895d5ac76dc46d298a32100a2e4f6f19f5c909de1cf46b54f2815
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TCPrefs_2_B20C4F250A8F5549B8B6446F946B8809.dat
xml
MD5: f194b1fa12f9b6f46a47391fae8beec2
SHA256: fcd8d7e030be6ea7588e5c6cb568e3f1bdfc263942074b693942a27df9521a74
3612
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRb3612.16050\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml
eml
MD5: b8d796daf9aab46e074d37e80a4a82b9
SHA256: fecd75e31f8ce7321d0f508050758f88a30ac90086312c82c0637d12f67f1744
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_ContactPrefs_2_05C29760FD93B94B8F9E64929813777E.dat
xml
MD5: bbcf400bd7ae536eb03054021d6a6398
SHA256: 383020065c1f31f4fb09f448599a6d5e532c390af4e5b8af0771fe17a23222ad
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_92B969BBD7884142A089D84EECF99592.dat
xml
MD5: d8b37ed0410fb241c283f72b76987f18
SHA256: 31e68049f6b7f21511e70cd7f2d95b9cf1354cf54603e8f47c1fc40f40b7a114
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_5C7DC8C6F60C614BABFDB006BD1B0B51.dat
xml
MD5: 807ef0fc900feb3da82927990083d6e7
SHA256: 4411e7dc978011222764943081500fff0e43cbf7ccd44264bd1ab6306ca68913
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_434A98E53660D445A713D63EF5ACF013.dat
xml
MD5: b21ed3bd946332ff6ebc41a87776c6bb
SHA256: b1aac4e817cd10670b785ef8e5523c4a883f44138e50486987dc73054a46f6f4
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_6AF88854CE245B4EB4C332CB519E568B.dat
xml
MD5: eeaa832c12f20de6aaaa9c7b77626e72
SHA256: c4c9a90f2c961d9ee79cf08fbee647ed7de0202288e876c7baad00f4ca29ca16
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{75E70085-857A-4774-AAEB-8ED77CDEE94C}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png
image
MD5: 7d80c0a7e3849818695eaf4989186a3c
SHA256: 72dc527d78a8e99331409803811cc2d287e812c008a1c869a6aea69d7a44b597
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
pgc
MD5: 0eec611603f1862982a02e56c2a49550
SHA256: 647abe03fcd2440776bae798d43c274821533011107d0f86a3e5c08217a1d19b
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Temp\tmp84F8.tmp
––
MD5:  ––
SHA256:  ––
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
text
MD5: 48dd6cae43ce26b992c35799fcd76898
SHA256: 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
2556
OUTLOOK.EXE
C:\Users\admin\AppData\Local\Temp\CVR81EA.tmp.cvr
––
MD5:  ––
SHA256:  ––
116
explorer.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613\index.dat
dat
MD5: 87de23d5a4b790ed5ea47e933339a04d
SHA256: 8215c6995d14b8e0d100da44c79f36276504b857f66875ecfcd56bc1b3e41f3d
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml.lnk
lnk
MD5: 3244b8b6699039394ed9ea8e2ec4caf9
SHA256: 947c6ccb19291909c3fc67d863b464f21017aed33dc74fedd3ce939338b35c78
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
automaticdestinations-ms
MD5: a5f53e63e78e89546770d6b7f11126d7
SHA256: 7324ecae69b0c167234b11ae22155018e9b47b297f90a345a8d8c9c828e0f7fc
116
explorer.exe
C:\Users\admin\Desktop\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml
eml
MD5: b8d796daf9aab46e074d37e80a4a82b9
SHA256: fecd75e31f8ce7321d0f508050758f88a30ac90086312c82c0637d12f67f1744
116
explorer.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Документы 11 июня.001.lnk
lnk
MD5: 15be78b6bd01b1e811192226aeb2b990
SHA256: 9b1d50c7a179e3a71945d9f2006c28095e4c6c6a1df606f366d254eebbd628a0

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
2
Threats
1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2556 OUTLOOK.EXE GET –– 64.4.26.155:80 http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig US
––
––
whitelisted
1040 rundll32.exe POST 200 94.156.35.33:80 http://94.156.35.33/index.php BG
binary
text
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2556 OUTLOOK.EXE 64.4.26.155:80 Microsoft Corporation US whitelisted
1040 rundll32.exe 104.25.48.99:443 Cloudflare Inc US shared
1040 rundll32.exe 94.156.35.33:80 BelCloud Hosting Corporation BG malicious

DNS requests

Domain IP Reputation
config.messenger.msn.com 64.4.26.155
whitelisted
chain.so 104.25.48.99
104.25.47.99
whitelisted

Threats

PID Process Class Message
1040 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)

Debug output strings

No debug info.