General Info

File name

SPAM2.zip

Full analysis
https://app.any.run/tasks/f39b7c5d-97b5-46e7-a25d-663f73f50a55
Verdict
Malicious activity
Analysis date
10/9/2019, 15:49:55
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:

macros

macros-on-open

trojan

stealer

predator

gozi

ursnif

dreambot

loader

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

3d89429cc52fe696a27d4b3ba6a14be0

SHA1

27e199c2b2657fd2eaba028d7e29142b8fd7ed1e

SHA256

f61562eb774e0bd7d47c584a74e1ad8f5c2ca163c114037ea641fab0500bcedb

SSDEEP

12288:R/8/YO3uKaDSC+swLJWSvXo73JLGPvDChecFUWb7prC:RE/t3uKaD1y1veZLGTXcCMRC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
600 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

Connects to CnC server
  • IEXPLORE.EXE (PID: 2472)
  • 20435.exe (PID: 2672)
  • IEXPLORE.EXE (PID: 2380)
  • Toqis.exe (PID: 1952)
URSNIF was detected
  • IEXPLORE.EXE (PID: 2472)
  • WScript.exe (PID: 1048)
  • IEXPLORE.EXE (PID: 2380)
Application was dropped or rewritten from another process
  • 20435.exe (PID: 2672)
  • Toqis.exe (PID: 2176)
  • icath1.exe (PID: 988)
  • Toqis.exe (PID: 1952)
PREDATOR was detected
  • 20435.exe (PID: 2672)
  • Toqis.exe (PID: 1952)
Downloads executable files from the Internet
  • WScript.exe (PID: 1048)
Executes scripts
  • WINWORD.EXE (PID: 1844)
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 1844)
Executed via COM
  • iexplore.exe (PID: 2760)
  • iexplore.exe (PID: 2136)
  • iexplore.exe (PID: 2960)
Executable content was dropped or overwritten
  • WScript.exe (PID: 1048)
  • WinRAR.exe (PID: 600)
Reads the cookies of Google Chrome
  • 20435.exe (PID: 2672)
  • Toqis.exe (PID: 1952)
Starts CMD.EXE for commands execution
  • 20435.exe (PID: 2672)
  • Toqis.exe (PID: 1952)
Searches for installed software
  • 20435.exe (PID: 2672)
  • Toqis.exe (PID: 1952)
Starts CMD.EXE for self-deleting
  • 20435.exe (PID: 2672)
  • Toqis.exe (PID: 1952)
Creates files in the Windows directory
  • WINWORD.EXE (PID: 1844)
Reads the machine GUID from the registry
  • WScript.exe (PID: 1048)
  • WinRAR.exe (PID: 600)
Reads Internet Cache Settings
  • WScript.exe (PID: 1048)
Creates files in the program directory
  • WScript.exe (PID: 1048)
Creates files in the user directory
  • Toqis.exe (PID: 1952)
Reads internet explorer settings
  • IEXPLORE.EXE (PID: 2472)
  • IEXPLORE.EXE (PID: 2728)
  • IEXPLORE.EXE (PID: 2380)
Creates files in the user directory
  • IEXPLORE.EXE (PID: 2472)
  • WINWORD.EXE (PID: 1844)
Changes internet zones settings
  • iexplore.exe (PID: 2136)
  • iexplore.exe (PID: 2760)
  • iexplore.exe (PID: 2960)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2760)
  • iexplore.exe (PID: 2136)
  • iexplore.exe (PID: 2960)
Reads the machine GUID from the registry
  • iexplore.exe (PID: 2760)
  • iexplore.exe (PID: 2136)
  • iexplore.exe (PID: 2960)
  • WINWORD.EXE (PID: 1844)
Reads settings of System Certificates
  • iexplore.exe (PID: 2136)
  • WScript.exe (PID: 1048)
  • iexplore.exe (PID: 2960)
Manual execution by user
  • WINWORD.EXE (PID: 1844)
  • Toqis.exe (PID: 2176)
  • icath1.exe (PID: 988)
  • Toqis.exe (PID: 1952)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 1844)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.kmz
|   Google Earth saved working session (60%)
.zip
|   ZIP compressed archive (40%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:10:09 15:47:02
ZipCRC:
0x25cb2223
ZipCompressedSize:
134508
ZipUncompressedSize:
181248
ZipFileName:
icath1.exe

Processes

Total processes
60
Monitored processes
17
Malicious processes
8
Suspicious processes
0

Behavior graph

  • start (download and start)
  • winrar.exe
  • #PREDATOR toqis.exe
  • toqis.exe
  • icath1.exe (no specs)
  • cmd.exe (no specs)
  • ping.exe (no specs)
  • winword.exe (no specs)
  • #URSNIF wscript.exe
  • iexplore.exe
  • #URSNIF iexplore.exe
  • #PREDATOR 20435.exe
  • cmd.exe (no specs)
  • ping.exe (no specs)
  • iexplore.exe
  • iexplore.exe (no specs)
  • iexplore.exe
  • #URSNIF iexplore.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
600
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\installer\{90140000-003d-0000-1000-0000000ff1ce}\wordicon.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
1952
CMD
"C:\Users\admin\Desktop\Toqis.exe"
Path
C:\Users\admin\Desktop\Toqis.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\toqis.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll
c:\windows\syswow64\msvcr100.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\dssenh.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\dbghelp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\vaultcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\cmd.exe

PID
2176
CMD
"C:\Users\admin\Desktop\Toqis.exe"
Path
C:\Users\admin\Desktop\Toqis.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\toqis.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll
c:\windows\syswow64\msvcr100.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\dssenh.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\dbghelp.dll

PID
988
CMD
"C:\Users\admin\Desktop\icath1.exe"
Path
C:\Users\admin\Desktop\icath1.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Anpart Nitro
Description
ByWater
Version
7.6.12.94
Modules
Image
c:\users\admin\desktop\icath1.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\avifil32.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\msacm32.dll
c:\windows\syswow64\msvfw32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\sxs.dll

PID
1704
CMD
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\admin\Desktop\Toqis.exe"
Path
C:\Windows\SysWOW64\cmd.exe
Indicators
No indicators
Parent process
Toqis.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\syswow64\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ping.exe

PID
2536
CMD
ping 127.0.0.1
Path
C:\Windows\SysWOW64\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\ping.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll

PID
1844
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\info_10_09.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.5123.5000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\fm20.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\fm20enu.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\msohev.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\spool\drivers\x64\3\unidrvui.dll
c:\windows\system32\spool\drivers\x64\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\x64\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll

PID
1048
CMD
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\vnxvmqlysc.js"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
2960
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\mlang.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\dxgi.dll

PID
2380
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\d2d1.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll
c:\windows\syswow64\windowscodecs.dll

PID
2672
CMD
"C:\ProgramData\20435.exe"
Path
C:\ProgramData\20435.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\programdata\20435.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll
c:\windows\syswow64\msvcr100.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\dssenh.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\dbghelp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\vaultcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\cmd.exe

PID
2420
CMD
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\ProgramData\20435.exe"
Path
C:\Windows\SysWOW64\cmd.exe
Indicators
No indicators
Parent process
20435.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\syswow64\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ping.exe

PID
2832
CMD
ping 127.0.0.1
Path
C:\Windows\SysWOW64\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\ping.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll

PID
2136
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\mlang.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\linkinfo.dll

PID
2728
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\d2d1.dll
c:\windows\syswow64\dwrite.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll

PID
2760
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\mlang.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\linkinfo.dll

PID
2472
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\d2d1.dll
c:\windows\syswow64\dwrite.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll

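The process records above contain the chain a triage analyst would flag first: WScript.exe starts C:\ProgramData\20435.exe (a binary with no version resource, running at MEDIUM integrity from a user-writable directory), 20435.exe loads wininet.dll, crypt32.dll and vaultcli.dll (the Credential Manager client library, in line with the "stealer" tag), and then spawns cmd.exe /c ping 127.0.0.1 && del "C:\ProgramData\20435.exe", using ping as a short delay before erasing its own image. The iexplore.exe processes started with -Embedding are COM-activated and carry no recorded parent. The script below is an added example, not part of the ANY.RUN report: it transcribes a few of the records above into Python dicts (the dict layout, the abridged module lists and the rule thresholds are this example's assumptions, not ANY.RUN's detection logic) and applies three checks that turn those observations into reusable detections.

```python
import re
from typing import Dict, List, Optional, Tuple

# Process records transcribed from the report above. The dict layout and the
# abridged module lists are choices made for this example; the report itself
# presents each field as a separate line.
PROCESSES: List[Dict] = [
    {"pid": 2672, "parent": "WScript.exe", "path": r"C:\ProgramData\20435.exe",
     "cmd": r'"C:\ProgramData\20435.exe"', "has_version_info": False,
     "modules": ["wininet.dll", "crypt32.dll", "dbghelp.dll", "vaultcli.dll"]},
    {"pid": 2420, "parent": "20435.exe", "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\ProgramData\20435.exe"',
     "has_version_info": True, "modules": ["ping.exe"]},
    {"pid": 2832, "parent": "cmd.exe", "path": r"C:\Windows\SysWOW64\PING.EXE",
     "cmd": "ping 127.0.0.1", "has_version_info": True, "modules": []},
    {"pid": 2728, "parent": "iexplore.exe",
     "path": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmd": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:267521 /prefetch:2',
     "has_version_info": True, "modules": ["mshtml.dll", "jscript9.dll"]},
]

# Assumed rule parameters: script hosts that should not be launching payloads,
# directories any user can write to, and libraries that read stored credentials.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
CREDENTIAL_MODULES = {"vaultcli.dll"}

# "ping <anything> &(&) del [/switches] <path>": ping used as a sleep, then delete.
SELF_DELETE_RE = re.compile(
    r'ping\b[^&]*&+\s*del\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_drop(proc: Dict) -> Optional[str]:
    """A script host started a binary with no version resource from a
    user-writable directory (the WScript.exe -> 20435.exe step)."""
    if proc["parent"].lower() not in SCRIPT_HOSTS:
        return None
    if not proc["path"].lower().startswith(USER_WRITABLE):
        return None
    if proc["has_version_info"]:
        return None
    return f"{proc['parent']} launched {proc['path']} (no version resource)"


def rule_self_delete(proc: Dict, processes: List[Dict]) -> Optional[str]:
    """cmd.exe that waits on ping and then deletes a file; flagged harder when
    the deleted file is the image of its own parent process."""
    if basename(proc["path"]) != "cmd.exe":
        return None
    match = SELF_DELETE_RE.search(proc["cmd"])
    if not match:
        return None
    target = match.group(1).strip()
    parent_images = {p["path"].lower() for p in processes
                     if basename(p["path"]) == proc["parent"].lower()}
    if target.lower() in parent_images:
        return f"cmd.exe deletes its parent's image {target}"
    return f"cmd.exe deletes {target} after ping delay"


def rule_credential_module(proc: Dict) -> Optional[str]:
    """A binary outside the Windows and Program Files trees loaded a
    credential-store client library (20435.exe loading vaultcli.dll)."""
    path = proc["path"].lower()
    if path.startswith(("c:\\windows\\", "c:\\program files")):
        return None
    hits = sorted(CREDENTIAL_MODULES & {m.lower() for m in proc["modules"]})
    if not hits:
        return None
    return f"{basename(proc['path'])} loaded {', '.join(hits)}"


def triage(processes: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run every rule over every record; return (pid, rule name, detail)."""
    findings = []
    for proc in processes:
        for name, result in (
            ("script_host_drop", rule_script_host_drop(proc)),
            ("self_delete", rule_self_delete(proc, processes)),
            ("credential_module", rule_credential_module(proc)),
        ):
            if result:
                findings.append((proc["pid"], name, result))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(f"PID {pid:<5} {rule:<18} {detail}")
```

Run against the transcribed records, the script reports PID 2672 twice (script-host drop and vaultcli.dll load) and PID 2420 once (deletion of its parent's image); the two Internet Explorer processes and ping.exe produce nothing. The self-delete rule matches the parent by image name only because the report records parents by name, not PID; a live EDR feed should match on parent PID instead.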
Registry activity

Total events
3116
Read events
2393
Write events
722
Delete events
1

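The Modification events below carry timestamps in two Windows encodings that are not readable as written: FILETIME values split into a Low/High DWORD pair (NTPLastLaunchLowDateTime/NTPLastLaunchHighDateTime under TabbedBrowsing, and the UrlBlockManager and VersionManager NextCheckForUpdate/LastCheckForUpdate pairs), and a 16-byte SYSTEMTIME stored as hex in the Time value under Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore. Decoding them places the browser launch at 2019-10-09 13:52 UTC, consistent with the analysis date in the report header. The code below is an added example and not part of the ANY.RUN report; the decoding functions and the sample dictionary are this example's own, with the raw values copied from the events as written by PID 2960.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(high: int, low: int) -> datetime:
    """Join the High/Low DWORD pair Internet Explorer writes into one FILETIME
    and return an aware UTC datetime."""
    if not (0 <= high < 2**32 and 0 <= low < 2**32):
        raise ValueError("High/Low parts must be unsigned 32-bit values")
    ticks = (high << 32) | low
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def systemtime_from_hex(hex_value: str) -> datetime:
    """Decode a REG_BINARY SYSTEMTIME: eight little-endian WORDs holding year,
    month, day-of-week (0 = Sunday), day, hour, minute, second, milliseconds.
    SYSTEMTIME carries no zone information, so the result is naive."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # The stored day-of-week must agree with the date; a mismatch means the
    # bytes are not a SYSTEMTIME (or were tampered with).
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError(f"day-of-week {dow} does not match {dt.date()}")
    return dt


# Raw values as written by PID 2960 in the Modification events list.
# Tuples are (HighDateTime, LowDateTime); the string is the Ext\Stats Time blob.
REPORT_VALUES = {
    "TabbedBrowsing.NTPLastLaunch": (30768808, 3162786832),
    "UrlBlockManager.NextCheckForUpdate": (30768808, 3463099801),
    "VersionManager.LastCheckForUpdate": (30768808, 3484506051),
    "ExtStats.Time": "E3070A00030009000D00340006009002",
}


def decode_report_values(values=REPORT_VALUES) -> dict:
    """Render every value as a human-readable timestamp string."""
    out = {}
    for name, value in values.items():
        if isinstance(value, tuple):
            out[name] = filetime_to_utc(*value).strftime("%Y-%m-%d %H:%M:%S UTC")
        else:
            out[name] = systemtime_from_hex(value).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    return out


if __name__ == "__main__":
    for name, text in decode_report_values().items():
        print(f"{name:<38} {text}")
```

The NTPLastLaunch pair decodes to 2019-10-09 13:52:05 UTC and the Ext\Stats Time blob to 2019-10-09 13:52:06.656; the two agree within a second, which indicates the SYSTEMTIME here was also recorded in UTC. The UrlBlockManager and VersionManager values fall about thirty seconds later, matching IE's start-up update checks rather than anything driven by the sample.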
Modification events

PID
Process
Operation
Key
Name
Value
2472
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
CachePrefix
2472
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
CachePrefix
Cookie:
2472
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
CachePrefix
Visited:
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPDaysSinceLastAutoMigration
3
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchLowDateTime
3162786832
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchHighDateTime
30768808
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
3463099801
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30768808
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007F000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{FA19023C-EA9B-11E9-9008-5254004AAD21}
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Active
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
4
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009000D00340006009002
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
4
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE
TabBandWidth
500
2960
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateLowDateTime
3484506051
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager
LastCheckForUpdateHighDateTime
30768808
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListXMLVersionLow
395188360
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListXMLVersionHigh
268435456
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
CVListLastUpdateTime
3670861
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VendorId
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
DeviceId
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
HashFileVersionLowPart
2
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
SubSysId
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
HashFileVersionHighPart
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Revision
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
427423955
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VersionHigh
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30768859
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
VersionLow
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
DXFeatureLevel
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VendorId
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-DeviceId
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-SubSysId
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-Revision
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VersionHigh
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-VersionLow
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GPU
Wow64-DXFeatureLevel
0
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
5085DECFA87ED501
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
IECompatVersionHigh
268435456
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
IECompatVersionLow
395188360
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
StaleCompatCache
1
2960
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
StaleCompatCache
0
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
1952
Toqis.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
">>
223E3E0034070000010000000000000000000000
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
WORDFiles
1330184235
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1330184318
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
ProductFiles
1330184319
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
34070000CD8FECA2A87ED50100000000
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
ah>
61683E003407000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
fo>
666F3E003407000006000000010000005C000000020000004C0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C0069006E0066006F005F00310030005F00300039002E0064006F006300000000000000
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
VBAFiles
1330184196
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{5C4D7386-0A34-4272-A78F-98E03EB09DD3}
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D57EA8A6F00150][O00000000]*C:\Users\admin\Desktop\
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D57EA8A6F4E350][O00000000]*C:\Users\admin\Desktop\info_10_09.doc
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D2980A7CD2E900][O00000000]*C:\Users\admin\Desktop\giveprivate.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D4CFD840651280][O00000000]*C:\Users\admin\Desktop\formsearth.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D36AAFB0B70A00][O00000000]*C:\Users\admin\Desktop\propertystarted.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D322BDFA3E7F00][O00000000]*C:\Users\admin\Desktop\teacherarmy.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D4932A229E6780][O00000000]*C:\Users\admin\Desktop\incestoperation.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D4E3CF7195C980][O00000000]*C:\Users\admin\Documents\bottommade.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D4F1B2F9064E00][O00000000]*C:\Users\admin\Documents\powerbetter.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 9
[F00000000][T01D34738A0A3D400][O00000000]*C:\Users\admin\Documents\excellentartist.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 10
[F00000000][T01D4FCF691B03B80][O00000000]*C:\Users\admin\Documents\privatehim.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 11
[F00000000][T01D2B755333F9580][O00000000]*C:\Users\admin\Documents\neededsenior.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 12
[F00000000][T01D4C2E8628E7A00][O00000000]*C:\Users\admin\Documents\greatnotice.rtf
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\167516
167516
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{B6655405-B1A2-4F0B-B198-30CE03B00E1C}\2.0
Microsoft Forms 2.0 Object Library
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{B6655405-B1A2-4F0B-B198-30CE03B00E1C}\2.0\FLAGS
6
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{B6655405-B1A2-4F0B-B198-30CE03B00E1C}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{B6655405-B1A2-4F0B-B198-30CE03B00E1C}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\VBE
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids
JSFile
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
1844
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\System32\wshext.dll,-4511
Open &with Command Prompt
1844
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184241
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184242
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184241
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184242
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184266
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184267
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184243
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00100000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1330184244
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184243
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400100000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1330184244
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184268
1844
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400100000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1330184269
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
C0AC079DA84B4CBD8DBAF1BB44146899
01000000270000007B39303134303030302D303033442D303030302D313030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Arial Unicode MS
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Batang
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@BatangChe
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DFKai-SB
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Dotum
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@DotumChe
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@FangSong
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gulim
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GulimChe
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Gungsuh
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@GungsuhChe
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@KaiTi
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Malgun Gothic
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Meiryo UI
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft JhengHei
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@Microsoft YaHei
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU_HKSCS-ExtB
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MingLiU-ExtB
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Gothic
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS Mincho
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PGothic
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS PMincho
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@MS UI Gothic
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@NSimSun
0
1844
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts
@PMingLiU
0
1844
WINWORD.EXE
write
Registry writes by WINWORD.EXE (PID 1844) to HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MathFonts

WINWORD.EXE writes one value per installed font under this key; every value is 0 except Cambria Math, which is written as 1. This is Word's own first-run population of its math-font cache (a flag per font recording whether it carries an OpenType MATH table) and carries no indicator value on its own. The fonts written, in order, are:

@PMingLiU-ExtB, @SimHei, @SimSun, @SimSun-ExtB, Agency FB, Aharoni, Algerian, Andalus, Angsana New, AngsanaUPC, Aparajita, Arabic Typesetting, Arial, Arial Black, Arial Narrow, Arial Rounded MT Bold, Arial Unicode MS, Baskerville Old Face, Batang, BatangChe, Bauhaus 93, Bell MT, Berlin Sans FB, Berlin Sans FB Demi, Bernard MT Condensed, Blackadder ITC, Bodoni MT, Bodoni MT Black, Bodoni MT Condensed, Bodoni MT Poster Compressed, Book Antiqua, Bookman Old Style, Bookshelf Symbol 7, Bradley Hand ITC, Britannic Bold, Broadway, Browallia New, BrowalliaUPC, Brush Script MT, Calibri, Calibri Light, Californian FB, Calisto MT, Cambria, Cambria Math (value 1), Candara, Castellar, Centaur, Century, Century Gothic, Century Schoolbook, Chiller, Colonna MT, Comic Sans MS, Consolas, Constantia, Cooper Black, Copperplate Gothic Bold, Copperplate Gothic Light, Corbel, Cordia New, CordiaUPC, Courier, Courier New, Curlz MT, DaunPenh, David, DFKai-SB, DilleniaUPC, DokChampa, Dotum, DotumChe, Ebrima, Edwardian Script ITC, Elephant, Engravers MT, Eras Bold ITC, Eras Demi ITC, Eras Light ITC, Eras Medium ITC, Estrangelo Edessa, EucrosiaUPC, Euphemia, FangSong, Felix Titling, Fixedsys, Footlight MT Light, Forte, Franklin Gothic Book, Franklin Gothic Demi, Franklin Gothic Demi Cond, Franklin Gothic Heavy, Franklin Gothic Medium, Franklin Gothic Medium Cond, FrankRuehl, FreesiaUPC, Freestyle Script, French Script MT, Gabriola, Garamond, Gautami, Georgia, Gigi, Gill Sans MT, Gill Sans MT Condensed, Gill Sans MT Ext Condensed Bold, Gill Sans Ultra Bold, Gill Sans Ultra Bold Condensed, Gisha, Gloucester MT Extra Condensed, Goudy Old Style, Goudy Stout, Gulim, GulimChe, Gungsuh, GungsuhChe, Haettenschweiler, Harlow Solid Italic, Harrington, High Tower Text, Impact, Imprint MT Shadow, Informal Roman, IrisUPC, Iskoola Pota, JasmineUPC, Jokerman, Juice ITC, KaiTi, Kalinga, Kartika, Khmer UI, KodchiangUPC, Kokila, Kristen ITC, Kunstler Script, Lao UI, Latha, Leelawadee, Levenim MT, LilyUPC, Lucida Bright, Lucida Calligraphy, Lucida Console, Lucida Fax, Lucida Handwriting, Lucida Sans, Lucida Sans Typewriter, Lucida Sans Unicode, Magneto, Maiandra GD, Malgun Gothic, Mangal, Marlett, Matura MT Script Capitals, Meiryo, Meiryo UI, Microsoft Himalaya, Microsoft JhengHei, Microsoft New Tai Lue, Microsoft PhagsPa, Microsoft Sans Serif, Microsoft Tai Le, Microsoft Uighur, Microsoft YaHei, Microsoft Yi Baiti, MingLiU, MingLiU_HKSCS, MingLiU_HKSCS-ExtB, MingLiU-ExtB, Miriam, Miriam Fixed, Mistral, Modern No. 20, Mongolian Baiti, Monotype Corsiva, MoolBoran, MS Gothic, MS Mincho, MS Outlook, MS PGothic, MS PMincho, MS Reference Sans Serif, MS Reference Specialty, MS Sans Serif, MS Serif, MS UI Gothic, MT Extra, MV Boli, Narkisim, Niagara Engraved, Niagara Solid, NSimSun, Nyala, OCR A Extended, Old English Text MT, Onyx, Palace Script MT, Palatino Linotype, Papyrus, Parchment, Perpetua, Perpetua Titling MT, Plantagenet Cherokee, Playbill, PMingLiU, PMingLiU-ExtB, Poor Richard, Pristina, Raavi, Rage Italic, Ravie, Rockwell, Rockwell Condensed, Rockwell Extra Bold, Rod, Sakkal Majalla, Script MT Bold, Segoe Print, Segoe Script, Segoe UI, Segoe UI Light, Segoe UI Semibold, Segoe UI Symbol, Shonar Bangla, Showcard Gothic, Shruti, SimHei, Simplified Arabic, Simplified Arabic Fixed, SimSun, SimSun-ExtB, Small Fonts, Snap ITC, Stencil, Sylfaen, Symbol, System, Tahoma, Tempus Sans ITC, Terminal, Times New Roman, Traditional Arabic, Trebuchet MS, Tunga, Tw Cen MT, Tw Cen MT Condensed, Tw Cen MT Condensed Extra Bold, Utsaah, Vani, Verdana, Vijaya, Viner Hand ITC, Vivaldi, Vladimir Script, Vrinda, Webdings, Wide Latin, Wingdings, Wingdings 2, Wingdings 3.
Registry writes by the remaining processes

The ZoneMap values (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect), ProxyEnable, SavedLegacySettings and the CachePrefix values are written by WinINet the first time a process initialises it. Seeing them from Internet Explorer is expected; seeing the same set from WScript.exe (PID 1048) and from 20435.exe (PID 2672) shows that a script host and an unknown executable both set up WinINet networking. LastPurgeTime under Word's Trusted Documents key is Trust Center housekeeping of the trusted-documents list, and the WinRAR ArcHistory entry records that the sample archive was opened from the desktop. An empty Value cell means the report recorded no data for that value.

PID | Process | Operation | Key | Name | Value
1844 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents | LastPurgeTime | 26177152
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000007E000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
1048 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
1048 | WScript.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | LanguageList | en-US
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
600 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | LanguageList | en-US
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\SPAM2.zip
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\Desktop
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band76_0 | 4C000000730100000402000000000000D4D0C800000000000000000000000000000000000000000032010700000000000000000039000000B402000000000000000000000000000001000000
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band76_1 | 4C000000730100000500000000000000D4D0C8000000000000000000000000000000000000000000140209000000000000000000160000002A00000000000000000000000000000002000000
600 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band76_2 | 4C000000730100000400000000000000D4D0C8000000000000000000000000000000000000000000240204000000000000000000160000006400000000000000000000000000000003000000
2380 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content | CachePrefix | (empty)
2380 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies | CachePrefix | Cookie:
2380 | IEXPLORE.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History | CachePrefix | Visited:
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 4600000080000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
2672 | 20435.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 4600000081000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {14101E64-EA9C-11E9-9008-5254004AAD21} | 0
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | Active | 0
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 5
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E3070A00030009000D00340032006701
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Blocked | 5
2136 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP | BackupDefaultSearchScope | (binary; the hex dump follows on the next line)
BackupDefaultSearchScope
00000000A6070000F857EEBDDB76A11D366665EFC449B1533D767455052CE551D416316E6F33875EC049100A83C1FD663A26B577619410C9F476B717184BAAB0695941381E8BA7D2EAE0A5B3451D9BF16CB31179920C5F25E3AB9C023ECB4A90CF78F1D7BE4C03CB7E3CD08CB0299F424A2DE37FE5BE04801436D196B74CF7141D95F8FF7C17ABD3217D0108568755C865B468E6FB49CED5683549BB9D6E8AF39BCE953D918AF439A6C2E95F66D60A6D6E688C1F834DF6299CC98E50E5D17ED00D45F4E87447253CA32DB007CFB52E3E636945CF916A7A3EE812E008FE1551A3CB1808E275ECF4CAB8DD687361C60D1938D60CB1ED4002DC403106951DDB5E3861691D26A91AFDD416F2742A72A88E7015D252520E6F83A711446E243EC174B7BB56392E6F72D824738C662BBBFA2D200B7AA79A3097D787BD6C5A2B0C68533D3B018B1DDB92BCD2A0CA23A20E5E864AEFEFED234058489B61CA6386ED708689838851C62C1CBE40FCCE1FED7D735F52FF5126614252F2C2297C87E0AA7925B8160D707510AE88A82CB74BEF86D80DD5FBC0E19B372518B2FDA3BD75B823760992AE559689E9613D06A5E0B40C2FDCC5F25C81B59C70879C8C5F111A2A0F60BE178D7923736E92D487B7DC694317D087CB4520C8B5D5C16651D14C9A4CDB9C0365C946E4D8DB6A2CDE0FCB9DD62FB126CD9B0A87B1F3686E0F175D6502281BEDFD81D6807AD26BB111CC8FD635197497D77E567DCA6A4DE2C8526E8AA9965C7C59D7D35FCCF139E4090E847850743F088A0E8911B3DA7CA767A3F304E2C556BEAFE9A457E9D9404408F573F6ABDFB047B66B72630DE3C2CE63280F5AA85529F551D95930332BB6CFBEA09A597DFC3733A5B54BEE4A25299FF102578475E78CD3C6C5F6F2C8856811E331A5149E69F93BA00C16072540F127B951402F421991C54BCF9B085289EBBE03C71428EAC8FBF6F7904A235AD4A2677636CE45248C874BD215EF2EAFD513E767822A9706B8FAC2AB61E1ED49818D065CCF18CD59E0726625B90133A40A3CB3C181462DF3D80678EA9FFB3405E72399C03DDB12D7B5A20DE1D9BE882EC9C2B1CFE6A590F9CA9A2B9C6A8A9DC3A5FF7793A04727E0AB2EC033977CA4B3B061B6E8D06BA7322D370381E2A532B05DBB24361960AC9F62CB1ABB11052F44616948355F074D98A09B136128D4B5F4AE5445A1C6C1EF7A7BAE811469AA08F97AB9A17FB30D56B5C5C359455A9BCCE838EE239DC8E259149451DFDEBD6113DF9C183EBBEBB4E56E3BF3B5239940F88D9BA0CA1C40A4286F4E1D69022F9DD7116852F78F29E50E94A1C1036D05825D1777A2A70A4CB97AB949618191DD1DF5E67CB6B40D8C37CDF999C53A4ABEA35D2C6C0AC4D70D13B1DA25CD98F4E90661597ADAAA
5534F1475EC27AA057E411FE361AEA8A97A31A16AE825D3123720478FC00F7278A403B63B3BB050A5D97BE220B21D41D732F95DB42012CE3DF972DDE4FB0A6F393D243ABA5265C3359F7589440210B3EB5CF74693740177A1E7A702F6928173FFC09D4815BA25C1A6D24A8DA8AB98FC2BBA4B4F63DE0E91EC8393D81FF0939203F054AA7FCCE79782F3E0EE3978B219D7CCF0979F681829055F697B05CF404A16AE61D0D134C443F3765C57CA0369370216E5DE0DCC36A73D5CFDE85E8878C60CDCBE0FC46BBB32F28B9AF9BDD5A48BACBA246A2F146CCA471E68FA1446452BEE1D6C08785BAC57A365A2276BB978D838F8B7797AAAA70ABF759DE407129939A7026BB4E73EB98711E68436BF58D40AF1B4AF2274690902E274A6ACABB7769A456DBE29B35ED144D1D0366BA42DC34C90FFD45C823965A83B7D7D13031EF6C373F1549B8B65F77FC084BD10C6824D370B7C5B6C4165D0D433D228922FD2FDBCBBAF3E2B018E3F206A4604DCF5C059C4D67C3125FEB858FFA9D49060C70D954F4F797245072184382EF622558031F859835155B3BB0AE0AE00A6EC9E5118BB0EB23209C78DE9DDC12FF71E8E275123C2FF5DCB3189B7864A28BAFCBD493E693B357AE4EC606143AFEFDADA853817DF23B9F3865E47284F03D0C2E4D9E3E8BDBC58D602F826C1CA14DD63622D6FB02016B494A490F4B70B6EC690A78E4F918C54CD9588FEADB547801972CE141AC4056B54E30634002DD531EFA62F138762F5BF830B531C5325EA350DAAF8E51D0D7D1AFFA0BDF4CDD6B85802B5845FDC46EE7581497544350D9DA00CADFBEB1A8677D7941FCDE8687BA531E880AE912657617CE4B1E0B36F764F0C3B1DC91D10F90422B10210B5ABB6AC9854F9A575C0DE89C06A069459617A170ABBEC6A59139F24FE4FB9BCF37661C5C05E226720CCE62430ED59A4554982E0BACBDBD55B8222DF25BA88A05D1666EFEF542D023C753862CEA05D0167F83AD3232A2E1B73B59E1350A560FE2A825015F14EDB61894FBF207CB412BBBB92EBDFFBFBE52A95B0AAED4DFBE483FE917759DEC32FA6C9DCB4733CADFCAA7FC9CFDB5A08730C98766347089DB567397C86A2F56BABABDBD3A261B35D5CF2BADFD0F1AAF9E9BBC1883128346D3590309838025FA38188EE5882DB471BD59F4FF73921825C2B373DAE3EA28552872B8B79957A7F1AB32494A4EFEAF677588B8AE8725867C6C992361C85B62E0EBBFD4576290B06E152A6B63F037EF81757C2FFDE86A6066696B9535C905B38BB861764731C90176821E39BEDF79383AB7540B0B4F007AC7734ABCCBF988A68A6779234A00A38AAC02305D9F0065A93CD432D57CE386010000000E0000007A67784775642F5046646B2533640200000000000000
2136
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
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
2136
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
ChangeNotice
0
2136
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
01000000D08C9DDF0115D1118C7A00C04FC297EB010000000ACE5D27AB2F81409144A8E86E8EDA4F00000000020000000000106600000001000020000000224B58BE954FD2F5B1F5240184ACE5142751230824746293D2471E7F3F78E6AE000000000E80000000020000200000006F27679CA0DC096C591C5FFE54552DF6E4A325D6D92E9FD15BDAB128BBE1969810000000D3A83E67CF160C9A91EBFA7CE9F48F0C400000000C234CD9595584056462103BC897325ED67FD3DA1740F233183847DA717CA0E9C0BF6526236F960590A73E169E2FDE0D35F3E42582DB54923DD82348E2BB4385
2136
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2136
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
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
2136
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
508B9BDAA87ED501
2136
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE
TabBandWidth
500
2728
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
CachePrefix
2728
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
CachePrefix
Cookie:
2728
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
CachePrefix
Visited:
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000082000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{2490E55C-EA9C-11E9-9008-5254004AAD21}
0
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Active
0
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
6
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009000D00350011006B03
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
6
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
DecayDateQueue
01000000D08C9DDF0115D1118C7A00C04FC297EB010000000ACE5D27AB2F81409144A8E86E8EDA4F000000000200000000001066000000010000200000001AA1A523EECA3BFAE25D559C66DB31D58A4C64E1043C2B2A4BA14471EBE38F8F000000000E80000000020000200000009CFF9872F177ED143EF70F9AF5D7616740A8C3EDF6121220E7ABEBA3635CE57330000000471B7702D9032A674552176C781928DC009E1BC8599E2D03FB4FA0FA137CE3292A1D3D99F2318FF54A7C3B24BBBC1A33400000004EFCE347F8624D9962F74F262A880D796D230242DB920CE72E8C33ADA6089D75558A901A4E8D366E89EFC5B1D513AD15B04F5F77456A2C303E19BC02C9909E8D
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
LastProcessed
D01051E8A87ED501
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
15BC8CE8A87ED501
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE
TabBandWidth
500

Files activity

Executable files
4
Suspicious files
5
Text files
15
Unknown types
4

Dropped files

PID
Process
Filename
Type
600
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa600.5887\icath1.exe
executable
MD5: 1305facf04225fa182a892fd38ff825f
SHA256: e539dc4fbc20a1cfda5a8ca10a8ec1a6a82b6614d51059266e997a9616b8de57
1048
WScript.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\Toqis[1].php
executable
MD5: d54dfbf928d1364872e93a4e48f87271
SHA256: 3ea62e2c2337f27784b7726fb704914a9dd0e5e6d6f4254b7971c058cc2c01e6
600
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa600.5887\Toqis.exe
executable
MD5: d54dfbf928d1364872e93a4e48f87271
SHA256: 3ea62e2c2337f27784b7726fb704914a9dd0e5e6d6f4254b7971c058cc2c01e6
1048
WScript.exe
C:\ProgramData\20435.exe
executable
MD5: d54dfbf928d1364872e93a4e48f87271
SHA256: 3ea62e2c2337f27784b7726fb704914a9dd0e5e6d6f4254b7971c058cc2c01e6
2760
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{2490E55E-EA9C-11E9-9008-5254004AAD21}.dat
––
MD5:  ––
SHA256:  ––
2760
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF4CE057858E119E33.TMP
––
MD5:  ––
SHA256:  ––
2472
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\M5PVQQCS.txt
text
MD5: a88544ec546f61469796337eabd13c48
SHA256: 64f642a28f96d278d6f88e0261b3435b06b72862de8d7844ff08036b31535894
2136
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFE78258ACE3DE3CBA.TMP
––
MD5:  ––
SHA256:  ––
2136
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{14101E64-EA9C-11E9-9008-5254004AAD21}.dat
––
MD5:  ––
SHA256:  ––
2136
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{14101E66-EA9C-11E9-9008-5254004AAD21}.dat
––
MD5:  ––
SHA256:  ––
2136
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF5F93E991BE68167F.TMP
––
MD5:  ––
SHA256:  ––
2136
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2136
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2136
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[1].ico
––
MD5:  ––
SHA256:  ––
2728
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\httpErrorPagesScripts[1]
text
MD5: 3f57b781cb3ef114dd0b665151571b7b
SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
2728
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\errorPageStrings[1]
text
MD5: 6b26ecfa58e37d4b5ec861fcdd3f04fa
SHA256: 7f7d1069ca8a852c1c8eb36e1d988fe6a9c17ecb8eff1f66fc5ebfeb5418723a
2728
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\NewErrorPageTemplate[1]
text
MD5: cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA256: 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
2728
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\dnserror[1]
html
MD5: 73c70b34b5f8f158d38a94b9d7766515
SHA256: 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
2960
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FA19023C-EA9B-11E9-9008-5254004AAD21}.dat
––
MD5:  ––
SHA256:  ––
2960
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF86779776EE740A9D.TMP
––
MD5:  ––
SHA256:  ––
2960
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
xml
MD5: 7c0e98813a48d3d9d55c1037a6d2fa68
SHA256: 5b8274093f4b5529f6f7b0977167fd202c1d6fc1a7a9d3931a1b04c3ee8b8cad
2960
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\iecompatviewlist[1].xml
xml
MD5: 7c0e98813a48d3d9d55c1037a6d2fa68
SHA256: 5b8274093f4b5529f6f7b0977167fd202c1d6fc1a7a9d3931a1b04c3ee8b8cad
2960
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\urlblockindex[1].bin
binary
MD5: fa518e3dfae8ca3a0e495460fd60c791
SHA256: 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
2760
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF5F2BBFAEDA1F9C02.TMP
––
MD5:  ––
SHA256:  ––
2760
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\toi5kkc\imagestore.dat
binary
MD5: 7bb7f30c3355cc2ef78321edf9ed7575
SHA256: bdc43759dc61e593049f704fc73a9f03c9bf98a7e9b794889b6e8cf1b7941335
2960
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FA19023E-EA9B-11E9-9008-5254004AAD21}.dat
binary
MD5: 78317e81fc74f449a852a89f19387d1d
SHA256: eec9a7566f3e9270ca3d6174847f5460c314f3179e93f4415c6c8d56d2b0994d
2960
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFC3F39C7F600BA65F.TMP
––
MD5:  ––
SHA256:  ––
2380
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\robot[1].png
image
MD5: 4c9acf280b47cef7def3fc91a34c7ffe
SHA256: 5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7
2380
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\googlelogo_color_150x54dp[1].png
image
MD5: 9d73b3aa30bce9d8f166de5178ae4338
SHA256: dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139
1844
WINWORD.EXE
C:\Windows\Temp\vnxvmqlysc.js
text
MD5: 48c2c5f2077215c26ec2a62f36a87994
SHA256: 20890c36004884fe2a0b5e2b0e2d250ab005937ff9a32b89c32c7dd58d86b36e
1844
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
tlb
MD5: 9bb74bce8b10c7a59796b24872a6d51b
SHA256: d919fe3777ef5314a7d392b528095c2e610099915c719a91c34b85a609dc205f
1844
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: 996204c1e2761b266fa1a45f91afaa38
SHA256: 1f08b58f458acc50bc860281e56c505b2fe2f04d80416c5ffe3081c309d0f1fe
1844
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\info_10_09.doc.LNK
lnk
MD5: 993fc0c9282f026d8873f95ce5e0d1d7
SHA256: 8e53c1b7c1628260e485171030a2e069ca0f765cca4d408cff222e2d17e7c63f
1844
WINWORD.EXE
C:\Users\admin\Desktop\~$fo_10_09.doc
pgc
MD5: fd0837fe0ed1b86cf49cc63a3834d5d1
SHA256: a3ea3f5aa6687f9bcf2a44285cf7698cd29c6479228cdccd86894f16b9488fbf
1844
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR5E13.tmp.cvr
––
MD5:  ––
SHA256:  ––
1952
Toqis.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\IFV50UQI.txt
text
MD5: aa08bf55416b02b79875b91c1d6af139
SHA256: 7dbba044a45e979e9755c329aa81c202dd75e8065573861c07abe06076c9d3a6
2760
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[1].ico
image
MD5: f74755b4757448d71fdcb4650a701816
SHA256: e78286d0f5dfa2c85615d11845d1b29b0bfec227bc077e74cb1ff98ce8df4c5a
600
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa600.5887\info_10_09.doc
document
MD5: 8ea2e0ff3ae39c33c9a9efe6213352a0
SHA256: 8d4cb3ee4870cab44f234ef41a4c9b7fc7522d45f657149f9270c5690fd78281
2760
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{2490E55C-EA9C-11E9-9008-5254004AAD21}.dat
––
MD5:  ––
SHA256:  ––

Network activity

HTTP(S) requests
20
TCP/UDP connections
22
DNS requests
17
Threats
15

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1952 Toqis.exe POST 200 47.88.101.83:80 http://gacraze0710.com/api/check.get US text malicious
1952 Toqis.exe POST 200 47.88.101.83:80 http://gacraze0710.com/api/gate.get?p1=2&p2=15&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=0&p10=YGFhKf21IbygzqkzseBNx2QBMxUJbMVilqO8 US binary binary malicious
1048 WScript.exe GET 404 104.109.84.249:443 https://docs.microsoft.com/en-us/aspnet/index/404 NL html whitelisted
1048 WScript.exe GET 404 104.109.84.249:443 https://docs.microsoft.com/en-us/office/index/404 NL html whitelisted
1048 WScript.exe GET 404 184.30.217.76:443 https://www.trendmicro.com/de_de/404.html NL html unknown
2380 IEXPLORE.EXE GET 404 172.217.21.206:80 http://google.com/images/pje0hReC8I0AARcj1tkv/mLptjeGh2VQJsE70dHs/yVm9Hy3AaRSsLjOfPcpzBD/F86_2Br7AYwYY/Vk_2Fx9Q/a72uUA_2BTluC47V0nU6ivh/Ai556t2Vk2/sbaUUfAASnwHJmS4S/JHkDoO9L5Vwq/GMLbN9_2B/tp4rd.avi US html whitelisted
2380 IEXPLORE.EXE GET 200 172.217.21.228:80 http://www.google.com/images/errors/robot.png US image whitelisted
2380 IEXPLORE.EXE GET 200 172.217.21.228:80 http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png US image whitelisted
1048 WScript.exe GET 404 85.143.222.152:80 http://zelinopats.com/angosz/cecolf.php?l=icath1.tar RU –– –– malicious
1048 WScript.exe GET 200 162.244.32.162:80 http://seetelcury.com/Toqis.php US executable suspicious
2672 20435.exe POST 200 47.88.101.83:80 http://gacraze0710.com/api/check.get US text malicious
2672 20435.exe POST 200 47.88.101.83:80 http://gacraze0710.com/api/gate.get?p1=2&p2=15&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=0&p10=YGFhKf21IbygzqkzseBNx2QBMxUJbMVilqO8 US binary binary malicious
2960 iexplore.exe GET 304 152.199.19.161:443 https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml US –– –– whitelisted
2960 iexplore.exe GET 200 152.199.19.161:443 https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblockindex.bin US binary whitelisted
2960 iexplore.exe GET 200 152.199.19.161:443 https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml US xml whitelisted
2960 iexplore.exe GET 200 152.199.19.161:443 https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin US –– –– whitelisted
2136 iexplore.exe GET 200 204.79.197.200:443 https://www.bing.com/favicon.ico US image whitelisted
2136 iexplore.exe GET 200 204.79.197.200:443 https://www.bing.com/favicon.ico US image whitelisted
2472 IEXPLORE.EXE GET 200 176.119.156.135:80 http://t7763jykqeiy.com/images/TmOTddMa_/2Bkf6LSQJ_2FzOZ7yW5M/r_2FJtEtIrsS8B04xE6/_2FgM_2F8lUanl3zG1pn_2/Bd5WKeSb_2F_2/BjYn_2FN/6v55yxyovJ304ABLT4V9qE3/h3fnyhuJVt/LoO2O0nnZ3dARQhR7/tHyFGplL7O9f/aOBUc7aRXcH/0ZpX.avi unknown –– –– malicious
2760 iexplore.exe GET 200 176.119.156.135:80 http://t7763jykqeiy.com/favicon.ico unknown image malicious

Connections

PID Process IP ASN CN Reputation
1952 Toqis.exe 47.88.101.83:80 Alibaba (China) Technology Co., Ltd. US malicious
1048 WScript.exe 104.109.84.249:443 Akamai International B.V. NL whitelisted
1048 WScript.exe 184.30.217.76:443 Akamai International B.V. NL unknown
2380 IEXPLORE.EXE 172.217.21.206:80 Google Inc. US whitelisted
2380 IEXPLORE.EXE 172.217.21.228:80 Google Inc. US whitelisted
1048 WScript.exe 85.143.222.152:80 Trader soft LLC RU malicious
1048 WScript.exe 162.244.32.162:80 Hosting Solution Ltd. US suspicious
2672 20435.exe 47.88.101.83:80 Alibaba (China) Technology Co., Ltd. US malicious
2960 iexplore.exe 152.199.19.161:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2136 iexplore.exe 204.79.197.200:443 Microsoft Corporation US whitelisted
2472 IEXP