General Info

File name: svchost.exe
Full analysis: https://app.any.run/tasks/6fc54873-5c2d-4ad3-95b9-b269501b1460
Verdict: Malicious activity
Analysis date: 3/14/2019, 07:35:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 51acfe74483312eade8ae5eb76686973
SHA1: 59ef584b7709805d099f35805e5ee90715aa04ae
SHA256: 578f329575b12ad98cfcdbb46002016f50a869b9aee5fea84e71e1ad141422b9
SSDEEP: 24576:ngm9ZNxgCo3c5EbnXXz6wKBrEFVmj3BE9vxr3OTTfwCWES3UDVG1LcT+/hAdNl:/Do3cKjew/S3Yxr3OTbwIS0Vq/hY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • csrss.exe (PID: 2392)
Application was dropped or rewritten from another process
  • csrss.exe (PID: 2392)
Executable content was dropped or overwritten
  • svchost.exe (PID: 3052)
Uses RUNDLL32.EXE to load library
  • csrss.exe (PID: 2392)
Creates files in the program directory
  • csrss.exe (PID: 2392)
Creates files in the user directory
  • svchost.exe (PID: 3052)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2876)
Creates files in the user directory
  • WINWORD.EXE (PID: 2876)

Static information

TRiD
.exe
|   InstallShield setup (33%)
.exe
|   Win32 Executable MS Visual C++ (generic) (23.9%)
.exe
|   Win64 Executable (generic) (21.2%)
.scr
|   Windows screen saver (10%)
.dll
|   Win32 Dynamic Link Library (generic) (5%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2013:11:07 12:09:18+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
139264
InitializedDataSize:
53248
UninitializedDataSize:
null
EntryPoint:
0x1c312
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
2.0.0.44
ProductVersionNumber:
2.0.0.44
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
Comments:
null
CompanyName:
null
FileDescription:
null
FileVersion:
2, 0, 0, 44
InternalName:
null
LegalCopyright:
null
LegalTrademarks:
null
OriginalFileName:
null
PrivateBuild:
null
ProductName:
MyProduct Install Program
ProductVersion:
2, 0, 0, 44
SpecialBuild:
null
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
07-Nov-2013 11:09:18
Detected languages
English - United States
Comments:
null
CompanyName:
null
FileDescription:
null
FileVersion:
2, 0, 0, 44
InternalName:
null
LegalCopyright:
null
LegalTrademarks:
null
OriginalFilename:
null
PrivateBuild:
null
ProductName:
MyProduct Install Program
ProductVersion:
2, 0, 0, 44
SpecialBuild:
null
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
07-Nov-2013 11:09:18
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0002189A 0x00022000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.61963
.rdata 0x00023000 0x0000206A 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.12607
.data 0x00026000 0x000062A0 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.08473
.rsrc 0x0002D000 0x00002BD0 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.65191
Resources
1

2

3

4

5

112

113

131

132

800

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    comdlg32.dll

    ADVAPI32.dll

    SHELL32.dll

    ole32.dll

    VERSION.dll

    COMCTL32.dll

Exports

    No exports.

Processes

Total processes
34
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

(Interactive graph not reproduced.) Process chain shown: svchost.exe --drop and start--> csrss.exe --start--> rundll32.exe; winword.exe runs separately. csrss.exe, rundll32.exe and winword.exe are marked "no specs".

Process information

PID
3052
CMD
"C:\Users\admin\AppData\Local\Temp\svchost.exe"
Path
C:\Users\admin\AppData\Local\Temp\svchost.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
2, 0, 0, 44
Modules
Image
c:\users\admin\appdata\local\temp\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\riched20.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\windows\csrss.exe

PID
2392
CMD
"C:\Users\admin\AppData\Roaming\Windows\csrss.exe"
Path
C:\Users\admin\AppData\Roaming\Windows\csrss.exe
Indicators
No indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ООО Яндекс
Description
Client Server Runtime Process
Version
3, 2, 9, 240
Modules
Image
c:\users\admin\appdata\roaming\windows\csrss.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oledlg.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe
c:\users\admin\appdata\roaming\windows\updater\yupdate.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll

PID
4072
CMD
RunDll32.exe shell32.dll,Control_RunDLL input.dll
Path
C:\Windows\system32\RunDll32.exe
Indicators
No indicators
Parent process
csrss.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\input.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\ime\sptip.dll
c:\program files\windows nt\tabletextservice\tabletextservice.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kbdus.dll

PID
2876
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\notejuly.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\mssp7en.dll
c:\program files\microsoft office\office14\mscss7en.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\program files\microsoft office\office14\css7data0009.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\microsoft office\office14\mscss7cm_en.dub
c:\program files\microsoft office\office14\mscss7wre_en.dub
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

Registry activity

Total events
1194
Read events
763
Write events
424
Delete events
7

Modification events

PID
Process
Operation
Key
Name
Value
4072
RunDll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
4072
RunDll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409
4072
RunDll32.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5084
Arabic (101)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5053
Bulgarian (Typewriter)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5065
Chinese (Traditional) - US Keyboard
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5031
Czech
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5007
Danish
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5011
German
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5046
Greek
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5000
US
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5020
Spanish
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5009
Finnish
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5010
French
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5083
Hebrew
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5033
Hungarian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5013
Icelandic
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5015
Italian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5061
Japanese
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5063
Korean
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5008
Dutch
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5018
Norwegian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5035
Polish (Programmers)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5003
Portuguese (Brazilian ABNT)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5037
Romanian (Legacy)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5055
Russian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5030
Croatian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5039
Slovak
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5029
Albanian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5022
Swedish
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5079
Thai Kedmanee
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5060
Turkish Q
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5129
Urdu
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5058
Ukrainian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5052
Belarusian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5041
Slovenian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5042
Estonian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5043
Latvian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5045
Lithuanian IBM
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5151
Tajik
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5124
Persian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5118
Vietnamese
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5120
Armenian Eastern
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5117
Azeri Latin
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5163
Sorbian Standard (Legacy)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5109
Macedonian (FYROM)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5191
Setswana
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5119
Georgian
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5108
Faeroese
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5096
Devanagari - INSCRIPT
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5140
Maltese 47-Key
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5138
Norwegian with Sami
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5113
Kazakh
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5128
Kyrgyz Cyrillic
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5150
Turkmen
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5116
Tatar
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5135
Bengali
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5101
Punjabi
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5097
Gujarati
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5100
Oriya
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5102
Tamil
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5103
Telugu
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5098
Kannada
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5139
Malayalam
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5177
Assamese - INSCRIPT
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5104
Marathi
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5127
Mongolian Cyrillic
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5154
Tibetan (PRC)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5145
United Kingdom Extended
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5161
Khmer
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5162
Lao
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5130
Syriac
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5166
Sinhala
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5169
Nepali
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5159
Pashto (Afghanistan)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5132
Divehi Phonetic
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5187
Hausa
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5189
Yoruba
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5186
Sesotho sa Leboa
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5148
Bashkir
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5168
Luxembourgish
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5170
Greenlandic
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5188
Igbo
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5165
Uyghur (Legacy)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5146
Maori
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5160
Yakut
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5190
Wolof
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5072
Chinese (Simplified) - US Keyboard
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5024
Swiss German
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5025
United Kingdom
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5017
Latin American
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5002
Belgian French
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5001
Belgian (Period)
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5019
Portuguese
4072
RunDll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\input.dll,-5038
Serbian (Latin)
PID | Process | Operation | Key | Name | Value
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5115 | Azeri Cyrillic
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5144 | Swedish with Sami
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5114 | Uzbek Cyrillic
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5158 | Mongolian (Mongolian Script)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5156 | Inuktitut - Latin
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5192 | Chinese (Traditional, Hong Kong S.A.R.) - US Keyboard
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5005 | Canadian French (Legacy)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5057 | Serbian (Cyrillic)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5193 | Chinese (Simplified, Singapore) - US Keyboard
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5004 | Canadian French
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5023 | Swiss French
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5194 | Chinese (Traditional, Macao S.A.R.) - US Keyboard
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5014 | Irish
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5155 | Bosnian (Cyrillic)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5085 | Arabic (102)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5054 | Bulgarian (Latin)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5032 | Czech (QWERTY)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5012 | German (IBM)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5048 | Greek (220)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5092 | United States-Dvorak
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5021 | Spanish Variation
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5034 | Hungarian 101-key
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5016 | Italian (142)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5036 | Polish (214)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5126 | Portuguese (Brazilian ABNT2)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5175 | Romanian (Standard)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5056 | Russian (Typewriter)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5040 | Slovak (QWERTY)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5080 | Thai Pattachote
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5059 | Turkish F
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5044 | Latvian (QWERTY)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5088 | Lithuanian
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5121 | Armenian Western
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5164 | Sorbian Extended
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5174 | Macedonian (FYROM) - Standard
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5182 | Georgian (QWERTY)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5105 | Hindi Traditional
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5141 | Maltese 48-Key
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5143 | Sami Extended Norway
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5136 | Bengali - INSCRIPT (Legacy)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5131 | Syriac Phonetic
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5167 | Sinhala - Wij 9
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5171 | Inuktitut - Naqittaut
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5133 | Divehi Typewriter
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5185 | Uyghur
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5089 | Belgian (Comma)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5137 | Finnish with Sami
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5110 | Canadian Multilingual Standard
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5125 | Gaelic
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5086 | Arabic (102) AZERTY
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5173 | Bulgarian (Phonetic)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5087 | Czech Programmers
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5049 | Greek (319)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5026 | United States-International
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5176 | Romanian (Programmers)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5081 | Thai Kedmanee (non-ShiftLock)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5179 | Ukrainian (Enhanced)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5172 | Lithuanian Standard
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5184 | Sorbian Standard
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5181 | Georgian (Ergonomic)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5178 | Bengali - INSCRIPT
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5142 | Sami Extended Finland-Sweden
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5180 | Bulgarian
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5050 | Greek (220) Latin
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5027 | United States-Dvorak for left hand
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5082 | Thai Pattachote (non-ShiftLock)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5195 | Bulgarian (Phonetic Traditional)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5051 | Greek (319) Latin
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5028 | United States-Dvorak for right hand
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5047 | Greek Latin
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5123 | US English Table for IBM Arabic 238_L
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5122 | Greek Polytonic
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\system32\input.dll,-5183 | Microsoft IME
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5149 | Chinese (Traditional) - New Quick
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5067 | Chinese (Traditional) - ChangJie
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5111 | Chinese (Traditional) - Quick
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5066 | Chinese (Traditional) - Phonetic
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5090 | Chinese (Traditional) - New Phonetic
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5093 | Chinese (Traditional) - New ChangJie
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5091 | Chinese (Simplified) - Microsoft Pinyin New Experience Input Style
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\SYSTEM32\input.dll,-5076 | Chinese (Simplified) - Microsoft Pinyin ABC Input Style
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-90 | Tablet PC Correction
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\input.dll,-5183 | Microsoft IME
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\IME\SpTip.DLL,-102 | Speech Recognition
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-10 | Chinese Traditional DaYi (version 6.0)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-11 | Chinese Traditional Array (version 6.0)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-17 | Amharic Input Method (version 1.0)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-16 | Yi Input Method (version 1.0)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-12 | Chinese Simplified QuanPin (version 6.0)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-14 | Chinese Simplified ZhengMa (version 6.0)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows NT\TableTextService\TableTextService.dll,-13 | Chinese Simplified ShuangPin (version 6.0)
4072 | RunDll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll,-91 | Tablet PC Text Insertion
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Keyboard Layout\Preload | 1 | 00000409
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Default | {00000000-0000-0000-0000-000000000000}
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | Profile | {00000000-0000-0000-0000-000000000000}
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} | KeyboardLayout | 67699721
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\Language | 00000000 | 00000409
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | CLSID | {00000000-0000-0000-0000-000000000000}
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | Profile | {00000000-0000-0000-0000-000000000000}
4072 | RunDll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 | KeyboardLayout | 67699721
2392 | csrss.exe | write | HKEY_CURRENT_USER\Control Panel\Desktop | LowLevelHooksTimeout | 3000
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | mb& | 6D6226003C0B0000010000000000000000000000
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1315831839
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1315831952
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1315831953
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | 3C0B0000B6A3462E30DAD40100000000
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | d& | 206426003C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | xe& | 786526003C0B000006000000010000005800000002000000480000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C006E006F00740065006A0075006C0079002E00720074006600000000000000
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | {7707D44C-35F8-4D60-AFF7-CAC01B2115EC}
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU | Max Display | 25
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU | Item 1 | [F00000000][T01D4DA302F39CEB0][O00000000]*C:\Users\admin\Desktop\
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU | Max Display | 25
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU | Item 1 | [F00000000][T01D4DA302F39CEB0][O00000000]*C:\Users\admin\Desktop\notejuly.rtf
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\19F331 | 19F331 | 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
2876 | WINWORD.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |  | 
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing | 019C826E445A4649A5B00BF08FCC4EEE | 01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1315831849
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1315831850
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1315831849
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1315831850
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831870
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831871
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1315831851
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | 1315831852
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1315831851
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | 1315831852
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831872
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831873
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831874
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831875
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831876
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | 1315831877
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings | Microsoft Word | 0101000000000000000006000000
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage | ProductNonBootFilesIntl_1033 | 1315831818
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage | ProductNonBootFilesIntl_1033 | 1315831819
2876 | WINWORD.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\19F331 |  | 
2876 | WINWORD.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery |  | 
2876 | WINWORD.EXE | delete key | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency |  | 
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data | Settings | C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25026A1100A00633090060007000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D000100000000000000020050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D000000000000000000000000D4944600D49446010000002F91010000080A000600000003333296040000000A050C0C0302040600000300000101010606060000000000000000000000000000000000000063631900000001000000000000000000000000000000030000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002100190000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000B01300004B0000004B000000640000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000009002000002000001010101010101000101010101010001010100010001000101010101010101000100020003010301030103000301020003010301030103010000230101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101120101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010301010101010101010101010101FFFFCFFFFFFF00008602FFFF00008602FFFF00000C00FFFF00000100FFFF00000100FFFF0000010061000000610064006D0069006E000000000000000000000087FFFF0300003E00020200000600090034000000000090009000000000000F000000FFFFFF000000000000001400140000000000000002637800C80000000000140000000000900090008000FFFF00000800FFFF00000800FFFF0B00040001002000018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E00650077000180140001002000018014000B0043006F007500720069006500720020004E00650077000180140009004D005300200047006F0074006800690063000180150007004D0069006E0067004C0069005500018018000600530069006D00530075006E0001801500050044006F00740075006D00018014000100200001801C0000000000
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options | BackgroundOpen | 0
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1315831954
2876 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1315831955
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTF | 95
2876 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTA | 95
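Reading the registry events as a flat list hides two things a practitioner wants to pull out quickly. First, RunDll32.exe (PID 4072) populates MuiCache with the display name of every keyboard layout and IME on the box and then writes HKCU\Keyboard Layout\Preload and the CTF\Assemblies and CTF\SortOrder keys; the KeyboardLayout value it stores, 67699721, is a DWORD whose low word is the input language ID (LANGID) and whose high word, for a standard layout, repeats it, so it decodes to 0x04090409, the en-US layout that also appears as the Preload value 00000409. Second, a process named csrss.exe (PID 2392) writes HKCU\Control Panel\Desktop\LowLevelHooksTimeout, the timeout Windows applies to low-level keyboard and mouse hook procedures; the genuine csrss.exe is a protected process in System32 and does not write a user's HKCU settings, and the dropped-files list below shows the same PID 2392 writing Punto Switcher's preferences.xml and a csrss.exe being dropped under C:\Users\admin\AppData\Roaming\Windows. The Python below is an added example, not code from the ANY.RUN report: it parses rows in the report's flattened order (PID, process, operation, key, name, value), copes with the four-line "delete key" records and with values that wrap onto a second line (the Word\Data\Settings blob above), decodes the HKL, and lists HKCU writers whose image name belongs to a protected Windows process. SAMPLE_ROWS is a constructed excerpt of the table, PROTECTED_IMAGE_NAMES is this example's own choice, and the last sample value is a shortened stand-in for the wrapped Settings blob.

```python
"""Parse the flattened registry rows above and decode the keyboard-layout values.
Added example (Python), not code from the ANY.RUN report. SAMPLE_ROWS is a
constructed excerpt of rows in the report's flattened order (PID, process,
operation, key, name, value); 'delete key' rows have no name/value and the last
record shows, in shortened form, a value wrapped onto a second line."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPERATIONS = {"write", "delete key", "delete value"}
# Image names of protected Windows processes (this example's own list); the
# genuine ones run as SYSTEM from System32 and do not write a user's HKCU hive.
PROTECTED_IMAGE_NAMES = {"csrss.exe", "smss.exe", "wininit.exe"}

SAMPLE_ROWS = r"""4072
RunDll32.exe
write
HKEY_CURRENT_USER\Keyboard Layout\Preload
1
00000409
4072
RunDll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
KeyboardLayout
67699721
2392
csrss.exe
write
HKEY_CURRENT_USER\Control Panel\Desktop
LowLevelHooksTimeout
3000
2876
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C0001003300100003401
0000040000001E000000
"""
# The two lines after "Settings" are a constructed, shortened stand-in for the
# real Word\Data\Settings blob, which the report wraps onto a second line.


@dataclass
class RegEvent:
    pid: int
    process: str
    op: str
    key: str
    name: Optional[str] = None
    value: Optional[str] = None


def parse_registry_rows(text: str) -> List[RegEvent]:
    lines = text.splitlines()
    events: List[RegEvent] = []
    i = 0
    while i < len(lines):
        # A record starts with a numeric PID, an image name, then an operation.
        is_header = (i + 2 < len(lines) and lines[i].isdigit()
                     and lines[i + 2] in OPERATIONS)
        if is_header:
            pid, process, op = int(lines[i]), lines[i + 1], lines[i + 2]
            key = lines[i + 3] if i + 3 < len(lines) else ""
            if op == "delete key":                 # four-line record, no name/value
                events.append(RegEvent(pid, process, op, key))
                i += 4
            else:                                  # six-line record
                name = lines[i + 4] if i + 4 < len(lines) else None
                value = lines[i + 5] if i + 5 < len(lines) else None
                events.append(RegEvent(pid, process, op, key, name, value))
                i += 6
        elif events and events[-1].value is not None:
            events[-1].value += lines[i]           # value wrapped onto another line
            i += 1
        else:
            i += 1                                 # stray line before the first record
    return events


def decode_hkl(value: str) -> Dict[str, str]:
    """CTF stores KeyboardLayout as a DWORD in decimal text: low word = LANGID,
    high word = layout part of the HKL (equal to the LANGID for a standard layout)."""
    n = int(value)
    return {"hex": f"{n:08X}", "langid": f"{n & 0xFFFF:04X}", "layout": f"{n >> 16:04X}"}


def suspicious_hkcu_writers(events: List[RegEvent]) -> List[Tuple[int, str]]:
    """(pid, image) pairs where a protected-process image name writes a HKCU key."""
    return sorted({(e.pid, e.process) for e in events
                   if e.process.lower() in PROTECTED_IMAGE_NAMES
                   and e.key.upper().startswith("HKEY_CURRENT_USER")})
```

Run against the full table, the same parser attributes 144 writes and 4 key deletions to three processes; the only HKCU writer with a protected image name is PID 2392, which is the thread to pull on next.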

Files activity

Executable files: 9
Suspicious files: 2
Text files: 11
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\diary.dll | executable | c6903bfff5ebcb364e64aa70ff3480c1 | 3e46b0ada273fb59664e7e58378d56f4acb8dc0540a2b334523753bff59ded94
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\ps64ldr.exe | executable | 2b958440c53bb6599279e081c718aa63 | 4bf2550d2ac0f9d70d5cdea3ce5dacf51d050365ad390ae50cbdb0411dd53293
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\layouts.exe | executable | 10231db5ad7a2f6b259f44d8b50bfa4c | db75f70a724d47acf8c0fbf861a6c809057c4a066be3478b153c1a7057fc926d
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\pshook.dll | executable | 408b385126b9ed2202988ddb34bfa3de | 02699c4b8746753805b7351f583bca86cf1fbdb7febc7e6f5e5bcb8e8649441a
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\diary.exe | executable | 4d634d382f8095af6e1bb3afcc0e6f28 | 3641e0cfd29771a99eb1eaa35aae8f77f7dfe594dd33c9e134d99df54c8cea80
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Updater\yupdate.dll | executable | 3ed71ba5726ad6b7c9e794d0d34623e1 | 10f2835a60f1590501a5b8b93b7a3ca5d7f78fdb363601ae856d36070cd5ca6f
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Updater\yupdate.exe | executable | 5adfdc4aee1dc811616f240ab5a828a8 | a186d96174953bbfd1451c2b7ffb788c797e65a5109fe1de0ef3fcc8214f0e4b
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\pshook64.dll | executable | 3a686eca46192a68d1d006b71faab3e0 | 91847fccb43647b74592c255ba1ae4fc2935cf007e258f82dbc31ebc2902a901
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\csrss.exe | executable | 15dd96c0df2300a71b47c560e24ac1ba | 464d5d13522930a028567b59af87b24993aafc6c7a57f65c3ffa9b120907ea8b
2876 | WINWORD.EXE | C:\Users\admin\Desktop\~$tejuly.rtf | pgc | d043543b7ffbc0e6e50ff05695ce5ce3 | eff9f15231885a2e716f3dceae3197909bea4febbcc1c0ffbee3a73ee7a3ffe9
2392 | csrss.exe | C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\preferences.xml | xml | ce7e0731a9599a32d5e85be1de2b2492 | e399dcc1455791eac409067b62f82e4a49d16d7bbafb3958cd21785f6f8affcf
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\ui.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\user.dic | –– | –– | ––
2392 | csrss.exe | C:\ProgramData\Yandex\clids-punto.xml | xml | f239ea28af7915620a9361cae3189792 | e5cdf7af4a92d9e76134c75915385cabe058c67e8d8c3a30648d50d4bd0e5d54
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\diary.dat | binary | 127f5250f89fba69df17913ddb6f5d87 | 8877e35646b5cd5e1f151658b2eaa73fa8769d311d5445177bf08c1dd232d6e6
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\preferences.xml | xml | ce7e0731a9599a32d5e85be1de2b2492 | e399dcc1455791eac409067b62f82e4a49d16d7bbafb3958cd21785f6f8affcf
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\replace.dat | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\preferences.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\diary.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Updater\yupdate.$$A | –– | –– | ––
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREE6D.tmp.cvr | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Updater\clids-punto.xml | xml | f239ea28af7915620a9361cae3189792 | e5cdf7af4a92d9e76134c75915385cabe058c67e8d8c3a30648d50d4bd0e5d54
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2D42D7A1-076C-44BE-B441-C3CC62BE4F19}.tmp | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Updater\clids-punto.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\pshook64.$$A | –– | –– | ––
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | a81d4f3547d43b6e89b4d6a67f3c487f | 976a67b7969a88a1eb17d4f652d3000ce7d2826b58dd3bdf85b186ac88e374c7
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Yandex\ui | text | e6db56d5ac7c366fc0b3705a41906f09 | e92b43b8fc8fdc205564387d6b972b78835c2812553ea34605985b9735d3ff1f
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | c326fac86014beeb27e21462a62f8110 | a0343bb2f46a5619b8cf4a03bc8a2b410a7c16da11e428190ebc2d008adc707c
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\notejuly.rtf.LNK | lnk | 924e31bad37d4ab083f90268cd42f7b1 | 8fa5b54317f11b3fe35297a498e6299581a5c560835e30d0ed30ecbc2a1b7f1d
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\pshook.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\ps64ldr.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\layouts.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\diary.$$A | –– | –– | ––
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | f3b25701fe362ec84616a93a45ce9998 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\csrss.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\translit-ru.dat | text | dd551760ca743124e8b677698cdffbe2 | 5e56eaf7ee487494a4510a101fb6dff5cbdd3cfcd5755527e2d92082e6fb73b2
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\triggers.dat | text | 133bd653b679598c891733be5cd400e5 | 9640660f2f2f713370a8e7f64a7eb6a0f18c0d283b60c30e551a05f9aed61ff2
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\translit-en.dat | text | 1ee7ee65e179a06a0afa35929957c213 | 4349c79db8147dc13862ae66cc8265af156594f7b6aeedfd2546cbd3ec5ac4ec
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\triggers.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\translit-ru.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\translit-en.$$A | –– | –– | ––
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\ps.dat | binary | 3c325e0994b25d75aa0fab7b094ed99e | 9fc86cd31fd5ba47f07f82da326fafb1c37bc31e18bf8eeda595837889d630f1
3052 | svchost.exe | C:\Users\admin\AppData\Roaming\Windows\Data\ps.$$A | –– | –– | ––
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FD959111-DD91-4AA4-BD8D-FF239B901DB3}.tmp | –– | –– | ––
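The dropped-files list is the part of this report an analyst turns into indicators, and it carries more than a flat list of hashes. The sample, itself named svchost.exe, writes nine PE files into C:\Users\admin\AppData\Roaming\Windows, one of them named csrss.exe, a core Windows image name that belongs in System32; PID 2392, running under that name, then writes Yandex Punto Switcher user data (preferences.xml, clids-punto.xml), and the same preferences.xml bytes are written a second time by PID 3052. Nearly every binary first appears as an unhashed ".$$A" scratch file next to its final name (pshook64.$$A then pshook64.dll), the write-then-rename pattern the sandbox catches mid-flight. The Python below is an added example, not code from the ANY.RUN report: it parses the six-line records (PID, process, path, type, MD5, SHA256), keeps hash fields empty where the sandbox shows "––", flags core Windows image names outside the system directories, groups identical content by SHA-256 regardless of writer or path, and pairs each scratch file with the final file of the same stem. SAMPLE_ROWS is a constructed excerpt of the table, and SYSTEM_IMAGE_NAMES and SYSTEM_DIRS are this example's own assumptions rather than anything the report states.

```python
"""Turn the flattened 'Dropped files' rows above into IOC records and triage them.
Added example (Python), not code from the ANY.RUN report. SAMPLE_ROWS is a
constructed excerpt of the table: six lines per file (PID, process, path, type,
'MD5: ...', 'SHA256: ...'); unhashed files carry '––' for type and digests."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_ROWS = r"""3052
svchost.exe
C:\Users\admin\AppData\Roaming\Windows\csrss.exe
executable
MD5: 15dd96c0df2300a71b47c560e24ac1ba
SHA256: 464d5d13522930a028567b59af87b24993aafc6c7a57f65c3ffa9b120907ea8b
2392
csrss.exe
C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\preferences.xml
xml
MD5: ce7e0731a9599a32d5e85be1de2b2492
SHA256: e399dcc1455791eac409067b62f82e4a49d16d7bbafb3958cd21785f6f8affcf
3052
svchost.exe
C:\Users\admin\AppData\Roaming\Yandex\Punto Switcher\User Data\preferences.xml
xml
MD5: ce7e0731a9599a32d5e85be1de2b2492
SHA256: e399dcc1455791eac409067b62f82e4a49d16d7bbafb3958cd21785f6f8affcf
3052
svchost.exe
C:\Users\admin\AppData\Roaming\Windows\pshook64.$$A
––
MD5:  ––
SHA256:  ––
3052
svchost.exe
C:\Users\admin\AppData\Roaming\Windows\pshook64.dll
executable
MD5: 3a686eca46192a68d1d006b71faab3e0
SHA256: 91847fccb43647b74592c255ba1ae4fc2935cf007e258f82dbc31ebc2902a901
"""

# Image names that belong in System32/SysWOW64; one dropped under %APPDATA% is
# the classic masquerading tell. Both lists are this example's own assumptions.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "csrss.exe", "smss.exe", "lsass.exe",
                      "services.exe", "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class DroppedFile:
    pid: int
    process: str
    path: str
    ftype: Optional[str]
    md5: Optional[str]
    sha256: Optional[str]


def _digest(line: str, length: int) -> Optional[str]:
    """'MD5: <hex>' -> lower-case hex, or None when the sandbox shows '––'."""
    value = line.partition(":")[2].strip().lower()
    return value if re.fullmatch(rf"[0-9a-f]{{{length}}}", value) else None


def parse_dropped_files(text: str) -> List[DroppedFile]:
    lines = text.splitlines()
    files = []
    for i in range(0, len(lines) - len(lines) % 6, 6):   # whole six-line records only
        pid, process, path, ftype, md5_line, sha_line = lines[i:i + 6]
        files.append(DroppedFile(int(pid), process, path,
                                 ftype if ftype.strip("–- ") else None,
                                 _digest(md5_line, 32), _digest(sha_line, 64)))
    return files


def masquerading_system_names(files: List[DroppedFile]) -> List[str]:
    """Core Windows image names written outside the system directories."""
    return sorted(f.path for f in files
                  if ntpath.basename(f.path).lower() in SYSTEM_IMAGE_NAMES
                  and not ntpath.dirname(f.path).lower().startswith(SYSTEM_DIRS))


def by_sha256(files: List[DroppedFile]) -> Dict[str, List[str]]:
    """Group drops by content: the same bytes written by two PIDs or to two paths."""
    groups: Dict[str, List[str]] = {}
    for f in files:
        if f.sha256:
            groups.setdefault(f.sha256, []).append(f"{f.pid}:{f.path}")
    return {h: sorted(v) for h, v in groups.items()}


def temp_then_rename(files: List[DroppedFile]) -> Dict[str, List[str]]:
    """Pair each unhashed '.$$A' scratch file with the final file of the same stem."""
    paths = [f.path for f in files]
    pairs: Dict[str, List[str]] = {}
    for p in (q for q in paths if q.lower().endswith(".$$a")):
        stem = p[:-4].lower() + "."
        finals = sorted(q for q in paths if q != p and q.lower().startswith(stem))
        if finals:
            pairs[p] = finals
    return pairs
```

Fed the whole table, by_sha256 collapses the 44 rows to the hashed artefacts worth blocking, masquerading_system_names returns the AppData csrss.exe, and temp_then_rename pairs every ".$$A" with its executable; the ".$$A" entries themselves carry no hash and are not useful as indicators, but the directory they share, C:\Users\admin\AppData\Roaming\Windows, is.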

Find more information about the static content, and download it, in the full report.

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No network activity.

Debug output strings

No debug info.