974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785

Interactive malware hunting service

General Info

File name: PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc.zip

Full analysis: https://app.any.run/tasks/326483d8-c9a7-4c6b-b299-43c5ac6c78d8

Verdict: Malicious activity

Analysis date: 1/11/2019, 03:00:20

OS:: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Tags:: trojan

exploit

CVE-2017-11882

loader

Indicators:

MIME:: application/zip

File info:: Zip archive data, at least v2.0 to extract

MD5: ec14fcd3fdaf4b249f946eebd80cef4c

SHA1: a3cf428a2edc13301129434e113168ffe266f3b4

SHA256: 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785

SSDEEP: 1536:DHjzlUuCsb0Y1kRjTcCSYTrwP1vodSSiGYBPKAu9/:DHXlUuC60IAjQCSYTrm1vodkVgAuF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 60 seconds

Additional time used: none

Fakenet option: off

Heavy Evaision option: off

MITM proxy: off

Route via Tor: off

Network geolocation: off

Privacy: Public submission

Autoconfirmation of UAC: on

Software preset

Internet Explorer 8.0.7601.17514
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Behavior activities

MALICIOUS	SUSPICIOUS	INFO
Downloads executable files from the Internet EQNEDT32.EXE (PID: 3752) Equation Editor starts application (CVE-2017-11882) EQNEDT32.EXE (PID: 3752) Suspicious connection from the Equation Editor EQNEDT32.EXE (PID: 3752) Application was dropped or rewritten from another process 1.exe (PID: 3292)	Executable content was dropped or overwritten EQNEDT32.EXE (PID: 3752) Creates files in the user directory EQNEDT32.EXE (PID: 3752)	Reads Microsoft Office registry keys WINWORD.EXE (PID: 2560) Creates files in the user directory WINWORD.EXE (PID: 2560)

MALICIOUS

SUSPICIOUS

INFO

Downloads executable files from the Internet

EQNEDT32.EXE (PID: 3752)

Equation Editor starts application (CVE-2017-11882)

EQNEDT32.EXE (PID: 3752)

Suspicious connection from the Equation Editor

EQNEDT32.EXE (PID: 3752)

Application was dropped or rewritten from another process

1.exe (PID: 3292)

Executable content was dropped or overwritten

EQNEDT32.EXE (PID: 3752)

Creates files in the user directory

EQNEDT32.EXE (PID: 3752)

Reads Microsoft Office registry keys

WINWORD.EXE (PID: 2560)

Creates files in the user directory

WINWORD.EXE (PID: 2560)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD

.zip

| ZIP compressed archive (99.9%)

EXIF

ZipRequiredVersion:

ZipBitFlag:

0x0009

ZipCompression:

Deflated

ZipModifyDate:

2019:01:11 10:02:14

ZipCRC:

0xcd808b47

ZipCompressedSize:

60345

ZipUncompressedSize:

502974

ZipFileName:

PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc

Screenshots

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 17295 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 22341 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 26370 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 31382 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 42494 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 46513 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 48515 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 50516 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 51553 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 52553 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 53554 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 54557 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 55584 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 56593 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 57606 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 58608 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 59621 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 60622 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 61637 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 62653 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 63658 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 64660 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 65686 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 66698 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 67704 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 68712 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 72795 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 73807 ms from task started

Screenshot of 974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785 taken from 74809 ms from task started

Processes

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

–

Specs description

Program did not start

Integrity level elevation

Task сontains an error or was rebooted

Process has crashed

Task contains several apps running

Executable file was dropped

Debug information is available

Process was injected

Network attacks were detected

Application downloaded the executable file

Actions similar to stealing personal data

Behavior similar to exploiting the vulnerability

Inspected object has sucpicious PE structure

File is detected by antivirus software

CPU overrun

RAM overrun

Process starts the services

Process was added to the startup

Behavior similar to spam

Low-level access to the HDD

Probably Tor was used

System was rebooted

Connects to the network

Known threat

Process information

Click at the process to see the details.

PID: 3552

CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc.zip"

Path: C:\Program Files\WinRAR\WinRAR.exe

Indicators: No indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Alexander Roshal

Description: WinRAR archiver

Version: 5.60.0

Modules

Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\imageres.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\profapi.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\wordicon.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\samlib.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\winsta.dll
c:\windows\system32\drprov.dll
c:\windows\system32\mpr.dll
c:\windows\system32\slc.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscui.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll

PID: 2560

CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc"

Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Indicators: No indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Version:

Company: Microsoft Corporation

Description: Microsoft Word

Version: 14.0.6024.1000

Modules

Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\sxs.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\prntvpt.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll

PID: 3752

CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Design Science, Inc.

Description: Microsoft Equation Editor

Version: 00110900

Modules

Image
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\msi.dll
c:\users\admin\appdata\local\temp\1.exe
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\equation\1033\eeintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvbvm60.dll

PID: 3292

CMD: C:\Users\admin\AppData\Local\Temp\1.exe

Path: C:\Users\admin\AppData\Local\Temp\1.exe

Indicators: No indicators

Parent process: EQNEDT32.EXE

User: admin

Integrity Level: MEDIUM

Version:

Company: encountered

Description: Combust

Version: 2.07.0006

Modules

Image
c:\users\admin\appdata\local\temp\1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll

Registry activity

Total events

1364

Read events

1000

Write events

363

Delete events

Modification events

PID

Process

Operation

Key

Name

Value

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes

ShellExtIcon

3552

WinRAR.exe

write

HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E

LanguageList

en-US

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\ArcHistory

C:\Users\admin\AppData\Local\Temp\PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc.zip

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes

ShellExtBMP

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

type

120

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

name

120

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

mtime

100

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

size

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath

C:\Users\admin\Desktop

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface

ShowPassword

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin

Placement

2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General

LastFolder

C:\Users\admin\AppData\Local\Temp

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

name

120

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

size

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

psize

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

type

120

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

mtime

100

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

crc

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_0

38000000730100000402000000000000D4D0C800000000000000000000000000880103000000000039000000B40200000000000001000000

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_1

38000000730100000500000000000000D4D0C8000000000000000000000000003C01020000000000160000002A0000000000000002000000

3552

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_2

38000000730100000400000000000000D4D0C8000000000000000000000000009A0103000000000016000000640000000000000003000000

2560

WINWORD.EXE

delete key

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

2t.

32742E00000A0000010000000000000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

Off

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1311441036

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

AutoDetect

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

WORDFiles

1311440918

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1311441037

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

000A0000A46279E759A9D40100000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

7v.

37762E00000A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

UNCAsIntranet

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

!w.

21772E00000A00000600000001000000A400000002000000940000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C007000610079006D0065006E0074002000730077006900660074005F003100350032003800370038005F00320030003100390030003100310030005F0065003300730031003800300035003000340039003000370035003200380032002E0064006F006300000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

{063536B5-D95A-40BF-A381-639D00E3A2A8}

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Item 1

[F00000000][T01D4A959F19DA150][O00000000]*C:\Users\admin\Desktop\

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 1

[F00000000][T01D4A959F19DA150][O00000000]*C:\Users\admin\Desktop\PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Max Display

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

PMingLiU

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Dotum

020B0600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU

02020509000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gulim

020B0600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Mangal

02040503050203030202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Sylfaen

010A0502050306030303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vrinda

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Shruti

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gautami

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tunga

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Estrangelo Edessa

03080600000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Cambria Math

02040503050406030204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Unicode MS

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tahoma

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Marlett

00000000000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Batang

02030600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

BatangChe

02030609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@BatangChe

02030609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Gungsuh

02030600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@GungsuhChe

02030609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DaunPenh

01010101010101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Euphemia

020B0503040102020104

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Dotum

020B0600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DotumChe

020B0609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Impact

020B0806030902050204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Iskoola Pota

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kartika

02020503030404060203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Console

020B0609040504020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Meiryo

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Meiryo

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Meiryo UI

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Meiryo UI

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Himalaya

01010100010101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft JhengHei

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Microsoft JhengHei

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft YaHei

020B0503020204020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Microsoft YaHei

020B0503020204020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU

02020509000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@PMingLiU

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU_HKSCS

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU_HKSCS

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU-ExtB

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU-ExtB

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

PMingLiU-ExtB

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@PMingLiU-ExtB

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS Gothic

020B0609070205080204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS PGothic

020B0600070205080204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS PGothic

020B0600070205080204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS Mincho

02020609040205080304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS PMincho

02020600040205080304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI Semibold

020B0702040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI Light

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@SimSun-ExtB

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Tai Le

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Aparajita

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Ebrima

02000000000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gisha

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Utsaah

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Andalus

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Simplified Arabic

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Sakkal Majalla

02000000000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Sans Unicode

020B0602030504020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Black

020B0A04020102020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Corbel

020B0503020204020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gabriola

04040605051002020D02

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Palatino Linotype

02040502050505030304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe Print

02000600000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Trebuchet MS

020B0603020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Verdana

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Webdings

05030102010509060703

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MT Extra

05050102010205020202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Arial Unicode MS

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Outlook

05010100010000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Narrow

020B0606020202030204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Garamond

02020404030301010803

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Baskerville Old Face

02020602080505020303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bauhaus 93

04030905020B02020C02

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bell MT

02020503060305020303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Berlin Sans FB

020E0602020502020306

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bernard MT Condensed

02050806060905020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT Poster Compressed

02070706080601050204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Britannic Bold

020B0903060703020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Centaur

02030504050205020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Chiller

04020404031007020602

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Colonna MT

04020805060202030203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Footlight MT Light

0204060206030A020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Freestyle Script

030804020302050B0404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Harlow Solid Italic

04030604020F02020D02

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Harrington

04040505050A02020702

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

High Tower Text

02040502050506030303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Max Display

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\252E50

252E50

04000000000A00004900000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C005000410059004D0045004E0054002000530057004900460054005F003100350032003800370038005F00320030003100390030003100310030005F0045003300530031003800300035003000340039003000370035003200380032002E0064006F006300320000005000410059004D0045004E0054002000530057004900460054005F003100350032003800370038005F00320030003100390030003100310030005F0045003300530031003800300035003000340039003000370035003200380032002E0064006F00630000000000010000000000000000D242C294A9D401502E2500502E250000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Fax

02060602050505020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Handwriting

03010101010101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Old English Text MT

03040902040508030806

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Parchment

03040602040708040804

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Playbill

040506030A0602020202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Poor Richard

02080502050505020702

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Informal Roman

030604020304060B0204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Showcard Gothic

04020904020102020604

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Sans Typewriter

020B0509030504030204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Sans

020B0602030504020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Imprint MT Shadow

04020605060303030202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Goudy Stout

0202090407030B020401

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Goudy Old Style

02020502050305020303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gloucester MT Extra Condensed

02030808020601010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans Ultra Bold Condensed

020B0A06020104020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans Ultra Bold

020B0A02020104020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans MT Condensed

020B0506020104020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans MT

020B0502020104020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans MT Ext Condensed Bold

020B0902020104020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gigi

04040504061007020D02

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

French Script MT

03020402040607040605

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Medium Cond

020B0606030402020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Heavy

020B0903020102020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Demi Cond

020B0706030402020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Demi

020B0703020102020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Book

020B0503020102020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Forte

03060902040502070203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Felix Titling

04060505060202020A04

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Medium ITC

020B0602030504020804

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Light ITC

020B0402030504020804

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Demi ITC

020B0805030504020804

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Bold ITC

020B0907030504020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Engravers MT

02090707080505020304

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1311440934

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440951

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1311440936

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440952

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440953

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing

019C826E445A4649A5B00BF08FCC4EEE

01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440954

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440955

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Courier New

02070309020205020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Symbol

05050102010706020507

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wingdings

05000000000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Mincho

02020609040205080304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Batang

02030600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

SimSun

02010600030101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Gothic

020B0609070205080204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

SimHei

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Century

02040604050505020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Angsana New

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Cordia New

020B0304020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Latha

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Raavi

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gungsuh

02030600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

GungsuhChe

02030609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DokChampa

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vani

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Gulim

020B0600000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

GulimChe

020B0609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@GulimChe

020B0609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@DotumChe

020B0609000101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kalinga

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Khmer UI

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lao UI

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Malgun Gothic

020B0503020000020004

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Malgun Gothic

020B0503020000020004

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU_HKSCS-ExtB

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU_HKSCS-ExtB

02020500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Mongolian Baiti

03000500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS UI Gothic

020B0600070205080204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS UI Gothic

020B0600070205080204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS PMincho

02020600040205080304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MV Boli

02000500030200090000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft New Tai Lue

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Nyala

02000504070300020003

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft PhagsPa

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Plantagenet Cherokee

02020602070100000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe Script

020B0504020000000003

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI Symbol

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@SimSun

02010600030101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

NSimSun

02010609030101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@NSimSun

02010609030101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

SimSun-ExtB

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Shonar Bangla

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Yi Baiti

03000500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Sans Serif

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kokila

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Leelawadee

020B0502040204020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Uighur

02000000000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MoolBoran

020B0100010101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vijaya

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arabic Typesetting

03020402040406030203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Simplified Arabic Fixed

02070309020205020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Traditional Arabic

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Aharoni

02010803020104030203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

David

020E0502060401010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

FrankRuehl

020E0503060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Levenim MT

02010502060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Miriam

020B0502050101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Miriam Fixed

020B0509050101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Narkisim

020E0502050101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rod

02030509050101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

FangSong

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@FangSong

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@SimHei

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

KaiTi

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@KaiTi

02010609060101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

AngsanaUPC

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Browallia New

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

BrowalliaUPC

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

CordiaUPC

020B0304020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DilleniaUPC

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

EucrosiaUPC

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

FreesiaUPC

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

IrisUPC

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

JasmineUPC

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

KodchiangUPC

02020603050405020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

LilyUPC

020B0604020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DFKai-SB

03000509000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@DFKai-SB

03000509000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Candara

020E0502030303020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Comic Sans MS

030F0702030302020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Consolas

020B0609020204030204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Constantia

02030602050306030303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Medium

020B0603020102020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Georgia

02040502050405020303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wingdings 2

05020102010507070707

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wingdings 3

05040102010807070707

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Book Antiqua

02040602050305030304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Century Gothic

020B0502020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Haettenschweiler

020B0706040902060204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Monotype Corsiva

03010101010201010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Algerian

04020705040A02060702

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Broadway

04040905080B02020502

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Brush Script MT

03060802040406070304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Californian FB

0207040306080B030204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Cooper Black

0208090404030B020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Jokerman

04090605060D06020702

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Juice ITC

04040403040A02020202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kristen ITC

03050502040202030202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kunstler Script

030304020206070D0D06

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Bright

02040602050505020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Calligraphy

03010101010101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Magneto

04030805050802020D02

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Matura MT Script Capitals

03020802060602070202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Mistral

03090702030407020403

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Modern No. 20

02070704070505020303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Niagara Engraved

04020502070703030202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Niagara Solid

04020502070702020202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Onyx

04050602080702020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Ravie

04040805050809020602

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Snap ITC

04040A07060A02020202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Stencil

040409050D0802020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tempus Sans ITC

04020404030D07020202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Viner Hand ITC

03070502030502020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vivaldi

03020602050506090804

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vladimir Script

03050402040407070305

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wide Latin

020A0A07050505020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tw Cen MT

020B0602020104020603

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tw Cen MT Condensed

020B0606020104020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Script MT Bold

03040602040607080904

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rockwell Extra Bold

02060903040505020403

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rockwell Condensed

02060603050405020104

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rockwell

02060603020205020403

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rage Italic

03070502040507070304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Pristina

03060402040406080204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Perpetua Titling MT

02020502060505020804

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Perpetua

02020502060401020303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Papyrus

03070502060502030205

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Palace Script MT

030303020206070C0B05

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

OCR A Extended

02010509020102010303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Maiandra GD

020E0502030308020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Elephant

02020904090505020303

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Edwardian Script ITC

030303020407070D0804

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Curlz MT

04040404050702020202

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Copperplate Gothic Light

020E0507020206020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Copperplate Gothic Bold

020E0705020206020404

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Century Schoolbook

02040604050505020304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Castellar

020A0402060406010301

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Calisto MT

02040603050505030304

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bradley Hand ITC

03070402050302030203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bookman Old Style

02050604050505020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT Condensed

02070606080606020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT Black

02070A03080606020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT

02070603080606020203

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Blackadder ITC

04020505051007020D02

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Rounded MT Bold

020F0704030504030204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Agency FB

020B0503020202020204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bookshelf Symbol 7

05010101010101010101

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Reference Sans Serif

020B0604030504040204

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Reference Specialty

05000500000000000000

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Berlin Sans FB Demi

020E0802020502020306

2560

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tw Cen MT Condensed Extra Bold

020B0803020202020204

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1311440933

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1311440933

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1311440934

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440950

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1311440935

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1311440936

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1311440935

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440956

2560

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1311440957

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage

EquationEditorFilesIntl_1033

1311440899

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32

EnableFileTracing

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32

EnableConsoleTracing

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32

FileTracingMask

4294901760

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32

ConsoleTracingMask

4294901760

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32

MaxFileSize

1048576

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASAPI32

FileDirectory

%windir%\tracing

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS

EnableConsoleTracing

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS

ConsoleTracingMask

4294901760

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS

FileDirectory

%windir%\tracing

3752

EQNEDT32.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

UNCAsIntranet

3752

EQNEDT32.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

AutoDetect

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS

EnableFileTracing

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS

FileTracingMask

4294901760

3752

EQNEDT32.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EQNEDT32_RASMANCS

MaxFileSize

1048576

3752

EQNEDT32.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

ProxyEnable

3752

EQNEDT32.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

Files activity

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID

Process

Filename

Type

3752

EQNEDT32.EXE

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\standardn[1].jpg

executable

MD5: 6f609e3b82a0e25f97028033c2beb6b5

SHA256: e811a39ed7e4f857bc280c30a2017b12693e10d9a4a08ca7751061d95cc70aea

3752

EQNEDT32.EXE

C:\Users\admin\AppData\Local\Temp\1.exe

executable

MD5: 6f609e3b82a0e25f97028033c2beb6b5

SHA256: e811a39ed7e4f857bc280c30a2017b12693e10d9a4a08ca7751061d95cc70aea

2560

WINWORD.EXE

C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

text

MD5: e9805cbc37c8f234264fc34f99e8c768

SHA256: 84382265b34597030afc0a8012740c4095d03c0173eea12a58e7ddab3729dbc1

2560

WINWORD.EXE

C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc.LNK

lnk

MD5: ac6f22edbf3dde0fcb26d95b95284ed7

SHA256: c13e32935e376ab84de44c6a609ba443a80639bbf67dc027844dfefb494e8300

3752

EQNEDT32.EXE

C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat

dat

MD5: d7a950fefd60dbaa01df2d85fefb3862

SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a

3752

EQNEDT32.EXE

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt

text

MD5: 733ead24a48075b54b797839a1801183

SHA256: 9d976b663b0a518f0696f13856bfcb2a847e2d9160900a78910cc89dc3548f1f

2560

WINWORD.EXE

C:\Users\admin\Desktop\~$YMENT SWIFT_152878_20190110_E3S1805049075282.doc

pgc

MD5: 36356d1342faea88d2d15273d70b8a9e

SHA256: fb8d52795d5f5d4af46b2ba57bce3b5dba6acefa435713ae5a162a65723a64f4

2560

WINWORD.EXE

C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

pgc

MD5: 7248a92a3baa44f440ab8380ef50bd21

SHA256: 111a0db2e33572ec7bc037047ac4953e169d9a8fdd42e8f75c9a28e67c2630f2

2560

WINWORD.EXE

C:\Users\admin\AppData\Local\Temp\CVRECB2.tmp.cvr

––

MD5: ––

SHA256: ––

3552

WinRAR.exe

C:\Users\admin\Desktop\PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc

text

MD5: d637ea1ae3b78d3dbe6c5fba08683d0a

SHA256: b9da40721a85af30eca480438dcadb43b23cceb3ed57d37ac5fdaadcad703b13

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3752	EQNEDT32.EXE	GET	301	67.199.248.10:80	http://bit.ly/2rCPcMu	US	html	120 b	shared
3752	EQNEDT32.EXE	GET	200	221.121.138.114:80	http://com2c.com.au/standardn.jpg	AU	executable	881 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	ASN	CN	Reputation
3752	EQNEDT32.EXE	67.199.248.10:80	Bitly Inc	US	shared
3752	EQNEDT32.EXE	221.121.138.114:80	Wholesale Services Provider	AU	suspicious

DNS requests

Domain	IP	Reputation
bit.ly	67.199.248.10 67.199.248.11	shared
com2c.com.au	221.121.138.114	malicious

Threats

PID	Process	Class	Message
3752	EQNEDT32.EXE	A Network Trojan was detected	MALWARE [PTsecurity] PowerShell.Downloader httpHeader
3752	EQNEDT32.EXE	A Network Trojan was detected	ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3752	EQNEDT32.EXE	A Network Trojan was detected	SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
3752	EQNEDT32.EXE	Misc activity	SUSPICIOUS [PTsecurity] PE as Image Content type mismatch

2 ETPRO signatures available at the full report

Debug output strings

No debug info.

General Info

PAYMENT SWIFT_152878_20190110_E3S1805049075282.doc.zip

trojan

exploit

CVE-2017-11882

loader

Take your security to the next level

ec14fcd3fdaf4b249f946eebd80cef4c

a3cf428a2edc13301129434e113168ffe266f3b4

974ff3ae9f6be5cfb5841e613a110cc4b2a6fc56cb986c41791963781c6e3785

1536:DHjzlUuCsb0Y1kRjTcCSYTrwP1vodSSiGYBPKAu9/:DHXlUuC60IAjQCSYTrm1vodkVgAuF

Launch configuration

Software preset

Hotfixes

Behavior activities

Static information

Screenshots

Processes

Behavior graph

Process information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings

Take your security
to the next level