General Info

URL

http://bricolambert.com/wp-admin/8716_84622/

Full analysis
https://app.any.run/tasks/98db6604-f07c-4301-baf6-c363c97dbdd6
Verdict
Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date
15/01/2022, 03:32:17
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

emotet

loader

emotet-doc

Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 3640)
  • rundll32.exe (PID: 3020)
  • rundll32.exe (PID: 2120)
  • rundll32.exe (PID: 1716)
  • rundll32.exe (PID: 3592)
EMOTET was detected
  • chrome.exe (PID: 4092)
Executable content was dropped or overwritten
  • EXCEL.EXE (PID: 380)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 380)
Changes the autorun value in the registry
  • rundll32.exe (PID: 3592)
Connects to CnC server
  • rundll32.exe (PID: 3592)
Loads the Task Scheduler COM API
  • mmc.exe (PID: 2988)
Reads default file associations for system extensions
  • SearchProtocolHost.exe (PID: 3640)
  • rundll32.exe (PID: 3020)
Application launched itself
  • EXCEL.EXE (PID: 1968)
  • rundll32.exe (PID: 3020)
  • rundll32.exe (PID: 1716)
Starts Microsoft Office Application
  • EXCEL.EXE (PID: 1968)
Uses RUNDLL32.EXE to load library
  • EXCEL.EXE (PID: 380)
  • rundll32.exe (PID: 2120)
  • rundll32.exe (PID: 3020)
  • rundll32.exe (PID: 1716)
Drops a file with a compile date too recent
  • EXCEL.EXE (PID: 380)
  • rundll32.exe (PID: 3020)
Starts itself from another location
  • rundll32.exe (PID: 2120)
Executable content was dropped or overwritten
  • rundll32.exe (PID: 3020)
Checks supported languages
  • chrome.exe (PID: 4092)
  • chrome.exe (PID: 3496)
  • chrome.exe (PID: 4056)
  • chrome.exe (PID: 1056)
  • chrome.exe (PID: 1368)
  • chrome.exe (PID: 784)
  • chrome.exe (PID: 2664)
  • chrome.exe (PID: 2432)
  • chrome.exe (PID: 2608)
  • chrome.exe (PID: 1320)
  • chrome.exe (PID: 2660)
  • explorer.exe (PID: 3064)
  • EXCEL.EXE (PID: 3248)
  • EXCEL.EXE (PID: 380)
  • EXCEL.EXE (PID: 1968)
  • rundll32.exe (PID: 2120)
  • rundll32.exe (PID: 3020)
  • chrome.exe (PID: 2256)
  • rundll32.exe (PID: 1716)
  • rundll32.exe (PID: 3592)
  • chrome.exe (PID: 824)
  • taskmgr.exe (PID: 1344)
  • mmc.exe (PID: 2988)
Reads the computer name
  • chrome.exe (PID: 4056)
  • chrome.exe (PID: 1056)
  • chrome.exe (PID: 4092)
  • chrome.exe (PID: 1368)
  • chrome.exe (PID: 2608)
  • chrome.exe (PID: 1320)
  • explorer.exe (PID: 3064)
  • chrome.exe (PID: 2660)
  • EXCEL.EXE (PID: 3248)
  • EXCEL.EXE (PID: 1968)
  • EXCEL.EXE (PID: 380)
  • rundll32.exe (PID: 3020)
  • chrome.exe (PID: 2256)
  • chrome.exe (PID: 824)
  • rundll32.exe (PID: 3592)
  • taskmgr.exe (PID: 1344)
  • mmc.exe (PID: 2988)
Reads the hosts file
  • chrome.exe (PID: 1056)
  • chrome.exe (PID: 4092)
Application launched itself
  • chrome.exe (PID: 1056)
Checks Windows Trust Settings
  • chrome.exe (PID: 1056)
  • rundll32.exe (PID: 3592)
Reads settings of System Certificates
  • chrome.exe (PID: 4092)
  • rundll32.exe (PID: 3592)
Manual execution by user
  • explorer.exe (PID: 3064)
  • EXCEL.EXE (PID: 1968)
  • EXCEL.EXE (PID: 380)
  • mmc.exe (PID: 1616)
  • taskmgr.exe (PID: 1344)
  • mmc.exe (PID: 2988)
Creates files in the user directory
  • EXCEL.EXE (PID: 1968)
  • EXCEL.EXE (PID: 380)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 3248)
  • EXCEL.EXE (PID: 380)
  • EXCEL.EXE (PID: 1968)
Reads the date of Windows installation
  • chrome.exe (PID: 824)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Screenshots

Processes

Total processes
71
Monitored processes
25
Malicious processes
3
Suspicious processes
3

Behavior graph

+
start chrome.exe chrome.exe no specs chrome.exe no specs #EMOTET chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs excel.exe no specs excel.exe no specs excel.exe rundll32.exe no specs searchprotocolhost.exe no specs rundll32.exe chrome.exe no specs rundll32.exe no specs rundll32.exe chrome.exe no specs taskmgr.exe no specs mmc.exe no specs mmc.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3640
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\system32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\sechost.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msidle.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\propsys.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\authz.dll
c:\windows\system32\user32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\mssph.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\program files\common files\microsoft shared\office14\msoshext.dll
c:\windows\system32\version.dll
c:\users\admin\erum.ocx

PID
1056
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "http://bricolambert.com/wp-admin/8716_84622/"
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221225547
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\wldap32.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\clbcatq.dll
c:\windows\system32\userenv.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wpc.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\netutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\samlib.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\duser.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dui70.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\cscui.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\imageres.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\slc.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\mscms.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfreadwrite.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\mf.dll
c:\windows\system32\avrt.dll
c:\windows\system32\wship6.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\mssprxy.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\xlicons.exe
c:\windows\system32\msisip.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\wshext.dll
c:\windows\system32\uxtheme.dll

PID
3496
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6e7ed988,0x6e7ed998,0x6e7ed9a4
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll

PID
4056
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1060 /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\winmm.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\avrt.dll
c:\windows\system32\mf.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxgi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\atl.dll
c:\windows\system32\webio.dll
c:\windows\system32\slc.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\evr.dll
c:\windows\system32\dxva2.dll
c:\windows\system32\d3dcompiler_47.dll
c:\program files\google\chrome\application\86.0.4240.198\libegl.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\program files\google\chrome\application\86.0.4240.198\libglesv2.dll
c:\windows\system32\d3d11.dll

PID
4092
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1248 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\chrome.exe
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\webio.dll
c:\windows\system32\oleacc.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\secur32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll

PID
784
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\sechost.dll
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winmm.dll
c:\windows\system32\psapi.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\profapi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\cryptbase.dll

PID
2432
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\ole32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\webio.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wintrust.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll

PID
2664
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\program files\google\chrome\application\chrome.exe
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\profapi.dll

PID
1368
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=980 /prefetch:2
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\cryptbase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\webio.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msctf.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\dxva2.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\version.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mf.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\mfplat.dll
c:\windows\system32\ddraw.dll
c:\program files\google\chrome\application\86.0.4240.198\swiftshader\libegl.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\avrt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dxgi.dll
c:\program files\google\chrome\application\86.0.4240.198\swiftshader\libglesv2.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\evr.dll
c:\windows\system32\slc.dll
c:\windows\system32\d3dcompiler_47.dll

PID
2608
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3156 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\gdi32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\sechost.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\winspool.drv
c:\windows\system32\webio.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\dui70.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\duser.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\slc.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscui.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\atl.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\mf.dll
c:\windows\system32\mscms.dll
c:\windows\system32\mfplat.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\mfreadwrite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\avrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wpc.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\samlib.dll
c:\windows\system32\credssp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\firewallapi.dll
c:\program files\microsoft office\office14\olkfstub.dll
c:\program files\common files\microsoft shared\ime14\imekr\imkrtip.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\bthprops.cpl
c:\program files\microsoft office\office14\visshe.dll
c:\program files\common files\microsoft shared\office14\msoshext.dll
c:\program files\microsoft office\office14\onfilter.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\program files\microsoft office\office14\mlshext.dll
c:\program files\microsoft office\office14\msohevi.dll
c:\program files\winrar\rarext.dll
c:\program files\common files\microsoft shared\ime14\imejp\imjptip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\msisip.dll
c:\windows\system32\cryptext.dll
c:\windows\system32\colorui.dll
c:\windows\system32\stobject.dll
c:\program files\windows sidebar\sbdrop.dll
c:\windows\system32\syncui.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\wshext.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\uxtheme.dll

PID
1320
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2964 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\webio.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winmm.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\sspicli.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\version.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dbghelp.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\winshfhc.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\program files\windows defender\mpoav.dll
c:\program files\windows defender\mpclient.dll
c:\windows\system32\apphelp.dll

PID
3064
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\user32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\gdi32.dll
c:\windows\explorer.exe
c:\windows\system32\shlwapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\secur32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\setupapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\dui70.dll
c:\windows\system32\slc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll

PID
2660
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3268 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\ole32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\shell32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\winspool.drv
c:\windows\system32\webio.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wininet.dll
c:\windows\system32\version.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winshfhc.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\apphelp.dll
c:\program files\windows defender\mpclient.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\npmproxy.dll
c:\program files\windows defender\mpoav.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rsaenh.dll

PID
1968
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\gdi32.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\lpk.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\wtsapi32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\system32\user32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\clbcatq.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winsta.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\slc.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webio.dll
c:\windows\system32\srvcli.dll
c:\program files\microsoft office\office14\msostyle.dll
c:\windows\system32\winmm.dll
c:\windows\system32\dui70.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\duser.dll
c:\windows\system32\explorerframe.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\netutils.dll
c:\windows\system32\oleacc.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\program files\common files\system\ado\msadox.dll

PID
3248
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\imm32.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft office\office14\gfx.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\user32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\system32\ntdll.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimtf.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptbase.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msi.dll
c:\windows\system32\cryptsp.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\propsys.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\devobj.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\profapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\winmm.dll

PID
380
CMD
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\lpk.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\usp10.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\setupapi.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\windows\system32\winsta.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\powrprof.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\slc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\winmm.dll
c:\windows\system32\sxs.dll
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\program files\microsoft office\office14\gkexcel.dll
c:\windows\system32\netutils.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll

PID
2120
CMD
C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
Path
C:\Windows\SysWow64\rundll32.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\oleaut32.dll
c:\users\admin\erum.ocx
c:\windows\system32\ws2_32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\advapi32.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\nsi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll

PID
3020
CMD
C:\Windows\system32\rundll32.exe "C:\Users\admin\erum.ocx",DllRegisterServer
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\user32.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\gdi32.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\users\admin\erum.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winspool.drv
c:\windows\system32\sechost.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mssprxy.dll

PID
2256
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\netapi32.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\bcrypt.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winspool.drv
c:\windows\system32\gdi32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll

PID
1716
CMD
C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Fqtleptuz\scfkpz.ebq",cKEvqhMOJEaOpc
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\profapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernel32.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\fqtleptuz\scfkpz.ebq
c:\windows\system32\winspool.drv
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\usp10.dll

PID
3592
CMD
C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Fqtleptuz\scfkpz.ebq",DllRegisterServer
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imagehlp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shell32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\imm32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winspool.drv
c:\users\admin\appdata\local\fqtleptuz\scfkpz.ebq
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\setupapi.dll

PID
824
CMD
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=640 /prefetch:8
Path
C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators
No indicators
Parent process
chrome.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Google LLC
Description
Google Chrome
Version
86.0.4240.198
Modules
Image
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\profapi.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\uiautomationcore.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winspool.drv
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\webio.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\twext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntmarta.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msi.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\slc.dll
c:\windows\system32\syncui.dll
c:\windows\system32\sfc.dll
c:\windows\system32\cscui.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\propsys.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\zipfldr.dll
c:\windows\system32\synceng.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\acppage.dll
c:\windows\system32\wer.dll
c:\windows\system32\devobj.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netutils.dll

PID
1344
CMD
"C:\Windows\system32\taskmgr.exe"
Path
C:\Windows\system32\taskmgr.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Task Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\vdmdbg.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\slc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\taskmgr.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\nsi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\credui.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\samcli.dll
c:\windows\system32\dwm.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\devobj.dll
c:\windows\system32\taskhost.exe
c:\windows\system32\browcli.dll
c:\windows\system32\setupapi.dll
c:\windows\explorer.exe
c:\windows\system32\propsys.dll
c:\windows\system32\audiodg.exe
c:\windows\system32\netapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\taskeng.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\netutils.dll
c:\windows\system32\utildll.dll
c:\windows\system32\version.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\acppage.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\imageres.dll
c:\windows\system32\cryptext.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\syncui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cscui.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\wer.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\synceng.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\docprop.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\rshx32.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\aclui.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\authz.dll
c:\windows\system32\mpr.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\twext.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\psapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\dui70.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\duser.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webio.dll
c:\windows\system32\winhttp.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sdshext.dll
c:\windows\system32\atl.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\sxproxy.dll
c:\windows\system32\sdengin2.dll
c:\windows\system32\mmc.exe

PID
1616
CMD
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path
C:\Windows\system32\mmc.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Microsoft Management Console
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll

PID
2988
CMD
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path
C:\Windows\system32\mmc.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Management Console
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\assembly\gac_msil\mmcfxcommon\3.0.0.0__31bf3856ad364e35\mmcfxcommon.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mmcfxcommon\2952b498037461799934fab9d9baeba5\mmcfxcommon.ni.dll
c:\windows\system32\sxs.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\e10fc0c922927179f29b495cf47d62dc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mmcex\b777d79d249471dde7c32c7f27b1b1a3\mmcex.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\94fe1557aab4bc059482da7d99e97641\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\992b101b45c1e2e5563fee65ab5fd691\system.xml.ni.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\msxml3.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\23349d393ecff063c3152fcf5229b2ab\mscorlib.ni.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\duser.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\mlang.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dui70.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shell32.dll
c:\windows\system32\mmcndmgr.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mmcbase.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\ole32.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\wininet.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\lpk.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\xmllite.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mmc.exe
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\91efd50cedcf22003233d52464c01816\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\8f5842a3d4d666059db685b319e3a5b3\system.drawing.ni.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\taskscheduler\a772d19d3f9e82341d8c3a6fe885c66a\taskscheduler.ni.dll
c:\windows\assembly\gac_msil\miguicontrols\1.0.0.0__31bf3856ad364e35\miguicontrols.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\miguicontrols\a53754ad192acb82b93b3c0e8b76957e\miguicontrols.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.managemen#\f33b15b0507ae449947f70d7aef9d668\microsoft.managementconsole.ni.dll
c:\windows\assembly\gac_32\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll
c:\windows\system32\comdlg32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\custommarshalers\6cd46cf5629ed0d1b1d97e782316c459\custommarshalers.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\riched20.dll

Registry activity

Total events
23843
Read events
0
Write events
309
Delete events
22

Modification events

PID
Process
Operation
Key
Name
Value
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
StatusCodes
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
StatusCodes
01000000
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
failed_count
0
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
2
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
state
1
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
dr
1
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome
UsageStatsInSample
0
1056
chrome.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
usagestats
0
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_installdate
0
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
metricsid_enableddate
0
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
0
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
lastrun
13286691141501062
1056
chrome.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
user_experience_metrics.stability.exited_cleanly
1
4092
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2608
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
7CA21D86C009D801
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
7CA21D86C009D801
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
010000000000000029005086C009D801
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E607010006000F00030020001D008903010000001E768127E028094199FEB9D127C57AFE
1320
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E607010006000F00030020001D008603010000001E768127E028094199FEB9D127C57AFE
2660
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2660
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2660
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2660
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2660
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A86438000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2660
chrome.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
(default)
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
(default)
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
(default)
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118105
(default)
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118115
(default)
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\119C6D
(default)
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1182EA
(default)
1968
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\119C9C
(default)
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
2n<
326E3C00B0070000010000000000000000000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
B0070000EDA7D88CC009D80100000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118115
118115
04000000B00700002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C000100010000000000F0A9488DC009D801158111001581110000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118105
118105
04000000B00700002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C000100000000000000F038468DC009D801058111000581110000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\118115
118115
04000000B00700002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C000100000000000000F0A9488DC009D801158111001581110000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10061400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1046
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10065400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1110
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100D2400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1069
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10010400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1025
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10022400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1058
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10031400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1043
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
StemmerFiles_1042
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100F1400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1055
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
SpellingAndGrammarFilesExp6_1042
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10001400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1040
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10091400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1049
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10030400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1027
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1968
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage
SpellingAndGrammarFiles_1031
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 2
[F00000000][T01D56F99396E0A50][O00000000]*C:\Users\admin\Documents\
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\1182EA
1182EA
04000000B00700002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C000100010001000000403A908DC009D801EA821100EA82110000000000AC020000660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D809C08D973F20][O00000000]*C:\Users\admin\Downloads\8605704415676.xlsm
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D809C08D94F530][O00000000]*C:\Users\admin\Downloads\
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 2
[F00000000][T01D56F99396E0A50][O00000000]*C:\Users\admin\Documents\test.xlsx
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\119C6D
119C6D
04000000B00700002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C00010000000000000070C77491C009D8016D9C11006D9C110000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\119C6D
119C6D
04000000B00700002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C00010000000000000070C77491C009D8016D9C11006D9C110000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\119C9C
119C9C
04000000B00700002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C00010000000100000038165286C009D8019C9C11009C9C110000000000AC020000660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents\TrustRecords
%USERPROFILE%/Downloads/8605704415676.xlsm
3567FC84C009D801000000000000000034A3A10101000000
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTF
86
1968
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTA
86
380
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency
(default)
380
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
(default)
380
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11BA45
(default)
380
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery
(default)
380
EXCEL.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11BA74
(default)
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
jm3
6A6D33007C010000010000000000000000000000
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTT
7C010000B0DCD295C009D80100000000
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
380
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11BA45
11BA45
040000007C0100002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C000100000000000000E0650296C009D80145BA110045BA110000000000AC020000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
380
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
EXCELFiles
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11BA74
11BA74
040000007C0100002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C00010000000100000038165286C009D80174BA110074BA110000000000AC020000660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\11BA45
11BA45
040000007C0100002B00000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C0038003600300035003700300034003400310035003600370036002E0078006C0073006D00000000001900000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073005C000100000000000000E0650296C009D80145BA110045BA110000000000AC020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 2
[F00000000][T01D56F99396E0A50][O00000000]*C:\Users\admin\Documents\test.xlsx
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Max Display
25
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Max Display
25
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 1
[F00000000][T01D809C0961578B0][O00000000]*C:\Users\admin\Downloads\
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU
Item 2
[F00000000][T01D56F99396E0A50][O00000000]*C:\Users\admin\Documents\
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\File MRU
Item 1
[F00000000][T01D809C0961578B0][O00000000]*C:\Users\admin\Downloads\8605704415676.xlsm
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
0C762D96C009D801
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
0C762D96C009D801
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
7CA21D86C009D801
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDetectedUrl
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A86438000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
538F6C892AD540068154C6670774E980
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
380
EXCEL.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTF
120
380
EXCEL.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel
MTTA
120
2256
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003E010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A86438000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
939EEBA0C009D801
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
939EEBA0C009D801
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
0C762D96C009D801
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDetectedUrl
3592
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3592
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
scfkpz.ebq
C:\Windows\system32\rundll32.exe "C:\Users\admin\AppData\Local\Fqtleptuz\scfkpz.ebq",eYhtXU
824
chrome.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
1344
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Preferences
30030000E803000001000000010000005F00000021000000B6040000940200000100000001000000000000000000000001000000000000000100000000000000000000000200000004000000090000001D000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009C000000400000002100000046000000FD000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000002000000010000000300000004000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0500000000000000FFFFFFFF00000000020000000300000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000630060003C005A00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000010000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0400000000000000FFFFFFFF00000000FFFFFFFF4F00000028000000500000003400000050000000000000000100000002000000030000000400000000000000FFFFFFFF43000000000000000000000001000000
1344
taskmgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
UsrColumnSettings
1C0C0000340400000000000050000000010000001D0C0000350400000000000023000000010000001E0C000036040000000000003C000000010000001F0C000039040000000000004E00000001000000200C000037040000000000004E00000001000000
2988
mmc.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Management Console\Recent File List
(default)
2988
mmc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
HelpTopic
C:\Windows\Help\taskscheduler.chm
2988
mmc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
LinkedHelpTopics
C:\Windows\Help\taskscheduler.chm
2988
mmc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Management Console\Recent File List
File3
C:\Windows\system32\devmgmt.msc
2988
mmc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Management Console\Recent File List
File4
C:\Windows\system32\certmgr.msc
2988
mmc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Management Console\Recent File List
File1
C:\Windows\system32\taskschd.msc
2988
mmc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Management Console\Recent File List
File2
C:\Windows\System32\services.msc

Files activity

Executable files
3
Suspicious files
49
Text files
99
Unknown types
13

Dropped files

PID
Process
Filename
Type
3020
rundll32.exe
C:\Users\admin\AppData\Local\Fqtleptuz\scfkpz.ebq
executable
MD5: 074eb078491e87ec963c92f3221684b8
SHA256: 60fc19cb968ea200bb51a664773500ee702692a6d403efce6a92ead2f00b903a
380
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\5bEEI[1].dll
executable
MD5: 074eb078491e87ec963c92f3221684b8
SHA256: 60fc19cb968ea200bb51a664773500ee702692a6d403efce6a92ead2f00b903a
380
EXCEL.EXE
C:\Users\admin\erum.ocx
executable
MD5: 074eb078491e87ec963c92f3221684b8
SHA256: 60fc19cb968ea200bb51a664773500ee702692a6d403efce6a92ead2f00b903a
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal
––
MD5:  ––
SHA256:  ––
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal
––
MD5:  ––
SHA256:  ––
2988
mmc.exe
C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd
xml
MD5: 56f6574f24e4750168298b06358617cb
SHA256: c8ba4b9c1161b2370774bb239e5cbe937249183a339d01d359175785b62fc620
380
EXCEL.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3807032.gif
image
MD5: 48de139978e7036385310ffe27cf4d78
SHA256: 2495f9a8fa6494f99f7d8a560094c0cfead62b309e4df7167338c0c4db96c526
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG
text
MD5: 4858815ff3ac9e253f63db1ca044b4bf
SHA256: 06760cb96479c402502c3bf026c8db6d533e2c7eea20b315f96fe66dc2a4b4e8
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\000003.log
binary
MD5: 0407b455f23e3655661ba46a574cfca4
SHA256: ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG
text
MD5: 7df1b0358aa4a43199e5dcb52c92a8aa
SHA256: 8670ebbc1cd155e3fa17200d13188464197ce4862a457cbaad76110c53782b47
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000060
binary
MD5: 5702f00f119bb0dcccb7c1ecb800663e
SHA256: 5705a2eb7712163a2602ab9abaa9ce6174cc687890d2dc62738faef1b70bf5c1
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\000003.log
binary
MD5: 0407b455f23e3655661ba46a574cfca4
SHA256: ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State
text
MD5: 11687a9c9d783612205beca268b77d0a
SHA256: 16692e8350c88bc68fc365e9b0d0eb8336612d745dc203eb42f17820872899fd
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF121f48.TMP
text
MD5: ba5d3769c421fa487310f60ced5fc84f
SHA256: 07e9ca89670db9664dc8bfac3c0202903efd06639a8591b6758daf39b12857a5
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\58a06b18-1f79-499b-b709-bae78cd53a74.tmp
text
MD5: ba5d3769c421fa487310f60ced5fc84f
SHA256: 07e9ca89670db9664dc8bfac3c0202903efd06639a8591b6758daf39b12857a5
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\66888182-9f5a-4b93-b580-5873216ca771.tmp
text
MD5: 11687a9c9d783612205beca268b77d0a
SHA256: 16692e8350c88bc68fc365e9b0d0eb8336612d745dc203eb42f17820872899fd
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor
sqlite
MD5: bc669b31fdb5889b7fe69b350a50a046
SHA256: 43852ddba7c2c8bc6a0851968944a9befb19c1e82b6a792735b03aa6ef4fe0b6
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts
sqlite
MD5: 4f9560925612851f907fd4d60e0e253a
SHA256: 6baa0db6d71a5ecc2981cc186186584bbbfc43c4a1c0f99e41c5719f9c4a92de
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG
text
MD5: ff680b7d821b70a3ebd275a7df347b3c
SHA256: 1da3b4353e1aef4ad54a4e1831f0bf5aa49e06e264e31fba7554d7da9518c352
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: ba5d3769c421fa487310f60ced5fc84f
SHA256: 07e9ca89670db9664dc8bfac3c0202903efd06639a8591b6758daf39b12857a5
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State~RF121f67.TMP
text
MD5: 754eaf5a9250886bb4dec99ea2e40877
SHA256: ffe04e366cac48d4d156535496bf4887b4b492e1c32d7592e8f82f4e94133ba3
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
––
MD5:  ––
SHA256:  ––
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL-journal
––
MD5:  ––
SHA256:  ––
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
sqlite
MD5: 46916ae0f849ed10af9ddf361a91ed98
SHA256: 0beb99990c5d44e3059ffc325bb43172baa54aecd770442a0375e4646de37373
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\55ca850e-fc38-4b73-80c2-eec02ed4b334.tmp
text
MD5: 9c604ed2847e3053c4169fbedf2e2513
SHA256: eb01bee5f4adfd9004707aca30350ad87861c3fc778f9016426eccedc4096de8
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: 9c604ed2847e3053c4169fbedf2e2513
SHA256: eb01bee5f4adfd9004707aca30350ad87861c3fc778f9016426eccedc4096de8
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF121f38.TMP
text
MD5: c33e40134bb91fd2085391a52f61ee94
SHA256: 049a7f937b661ba320995b06f602cfd1bff57db9105193138e0d7c6b9bc48a03
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History-journal
––
MD5:  ––
SHA256:  ––
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Reporting and NEL
sqlite
MD5: 32f2e3eb98d3237202e84466c1dbc43b
SHA256: 3d61a3448143501534fdb97462590ba6eeaebf8a13fea3ddf099fa08983377f5
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG
text
MD5: 3d96fedb90a46cef890ff090c1d4c635
SHA256: 43b85674c30b0ddda26c6f9a3c93d4a39f8263ddc769313e9c06d1a7ec80726a
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000008.log
binary
MD5: 13477b525002f46b23e5589f0f8fb5b3
SHA256: 6debe9bed595904dfccca93c065c51953e9c0553c2d1ca563504d06e20b24618
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\MANIFEST-000002
binary
MD5: 22bf0e81636b1b45051b138f48b3d148
SHA256: e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\000003.log
binary
MD5: 5287dcb37198e7a258644d82704c52f9
SHA256: 81cff9dd71143c2d0c3cae011934106cf8ce004a4eb24c45bf3503b3c33de96f
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
sqlite
MD5: 121b7adfbf905c8ccd7c259444f6e14e
SHA256: b610481847b23f3b2fe7ad2f0b000ead550d304e1681b5318d1f0fe6d302a3b6
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
text
MD5: b27153fcc0c090e0f294878a3a53f100
SHA256: 4d6e0401149d993f0c4dde4de1f180126d961029050a04bd4cc69ef40626b61d
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History
sqlite
MD5: 7c162f10ed7a34baba6df31f0e5867cd
SHA256: f7b3486439de4d6a99bc4e19f0ea33eba16124c38ae1969809846cb4cebf5a52
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG
text
MD5: 82a25d983877d860e1d8c7318032aceb
SHA256: adef3912af9de5e167b27ec404590e8cb1b80dadcf4e5c7db70321c9435b7dee
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log
bc
MD5: 36ae1954407f66426d7a59fbed3bff78
SHA256: 526ee965c4b5f54395d0e0dc0171d3bb7711bebb2cfc8fb560a679625a0e67b8
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG
text
MD5: 48c481db2b14c9ca287f60db14b73d17
SHA256: e91f615937a032f9967c6d2b587644258fdfbd1187b6ff53122d5b1d30382a23
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
text
MD5: e10e5ecf57d16d6652d0915e65ae562e
SHA256: c99ad7e1db9ac2ef753df590bfa8d6da3d15846fb84d178b61bb4bd70b274032
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log
binary
MD5: 106864762b9a71c17221acbfc41d19fa
SHA256: be4829c5d3ba54d387d98cb52e49ca98d43cdbe782b681fe9940e0dd62576338
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
text
MD5: a1f9a820741f28e9463e80df45b42ddf
SHA256: 34ee5e7f4ec055b2abdd9ce878a189a652ef2c93a386f043d9228b7e18253cd6
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG
text
MD5: b9c0dc78decc6d8b9e77ccbd6157a001
SHA256: 532e4dad915d0a1c64bac28a512002679709bcb17df5f2bac4f9f8f7fece701e
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
binary
MD5: da4fdf584735357f59f819c69e466b3a
SHA256: 5e7e9f1aa72d8ad0918fa2d4a91ce3e939bf438826e5909b9ed4a18a92de466a
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log
binary
MD5: 018a3280bdb6388da77e8831959a2799
SHA256: 1cd1e30879039d9922f28f997b206274a408ae8886b1be4ad718cd401e89c459
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13286691141297937
binary
MD5: 9727d03dbfc56c3a46e9c58799c21399
SHA256: 575b9dca1d2b0cc5c1af0540db32484925ab589735a0c1778ca14160bac3c698
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG
text
MD5: 33d56cb242d2a828eb6760849f59bf86
SHA256: 66c2221b056a162b2b9de921ceb166adb9a7c455dc7c6e0cb9c2519261f4eda4
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
––
MD5:  ––
SHA256:  ––
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal
––
MD5:  ––
SHA256:  ––
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
binary
MD5: bd801702ced176f23ba015b6cc8e6da4
SHA256: 102eae254047db640c2c5106bec330c3304106b6df9f4518c80d849d9a721199
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
binary
MD5: ff21e91a43f9d77da5d64a3a4e748c40
SHA256: cacca199d0614dc4099749225b9c112936c2a18d5b3444bea8e470679a3c3540
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
text
MD5: fd4a5d96482ee6c0d412dd1b13703447
SHA256: a6092c2f2a825f47fee66cca15b8bd32ae1132d8fd542bd29f066ed3831b2ccb
4092
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies
sqlite
MD5: e0cb7737a7a8855a0403dfb4b2baac1b
SHA256: dfcd8c59fce733b2776b5e76a39921583876e4953e28a938d70166ef0f8bbf37
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13286691141188937
binary
MD5: a1ee0c6877c38527e5c98f48430c3375
SHA256: 3a384265c54bb63f2c4770340690e73492c1d207c8bdeb267a17e1839df7600b
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State~RF121f19.TMP
text
MD5: 6acd4c44840d43589c9e09b6ededca82
SHA256: a418523295e7f8a514d479f9e7f4327a7bd2272999d9d101444b3cf46b0160ed
3592
rundll32.exe
C:\Users\admin\AppData\Local\Temp\TarD47.tmp
cat
MD5: d99661d0893a52a0700b8ae68457351a
SHA256: bdd5111162a6fa25682e18fa74e37e676d49cafcb5b7207e98e5256d1ef0d003
3592
rundll32.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
compressed
MD5: acaeda60c79c6bcac925eeb3653f45e0
SHA256: 6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
text
MD5: 86c3083f723b983aa678f9d9b6f6760a
SHA256: 9f0eef2f1c113ea25655771fb5dbc738c432468b05f0ba3590bb2d1c95f74ca6
1056
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Budg