Analysis

Category Package Started Completed Duration Options Log
FILE doc 2019-08-13 17:54:57 2019-08-13 17:58:40 223 seconds Show Options Show Log
procmemdump = 1
procdump = 1
route = internet
2019-08-13 18:54:58,000 [root] INFO: Date set to: 08-13-19, time set to: 17:54:58, timeout set to: 200
2019-08-13 18:54:58,015 [root] DEBUG: Starting analyzer from: C:\hwrueeg
2019-08-13 18:54:58,015 [root] DEBUG: Storing results at: C:\OtenDjDZe
2019-08-13 18:54:58,015 [root] DEBUG: Pipe server name: \\.\PIPE\pKBcCq
2019-08-13 18:54:58,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-13 18:54:58,015 [root] INFO: Automatically selected analysis package "doc"
2019-08-13 18:54:58,374 [root] DEBUG: Started auxiliary module Browser
2019-08-13 18:54:58,374 [root] DEBUG: Started auxiliary module Curtain
2019-08-13 18:54:58,374 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-13 18:54:58,670 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-08-13 18:54:58,670 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-13 18:54:58,670 [root] DEBUG: Started auxiliary module DigiSig
2019-08-13 18:54:58,686 [root] DEBUG: Started auxiliary module Disguise
2019-08-13 18:54:58,686 [root] DEBUG: Started auxiliary module Human
2019-08-13 18:54:58,686 [root] DEBUG: Started auxiliary module Screenshots
2019-08-13 18:54:58,686 [root] DEBUG: Started auxiliary module Sysmon
2019-08-13 18:54:58,686 [root] DEBUG: Started auxiliary module Usage
2019-08-13 18:54:58,686 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option
2019-08-13 18:54:58,686 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option
2019-08-13 18:54:58,763 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" with arguments ""C:\Users\user\AppData\Local\Temp\394.doc" /q" with pid 420
2019-08-13 18:54:58,779 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-08-13 18:54:58,779 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-13 18:54:58,779 [lib.api.process] INFO: 32-bit DLL to inject is C:\hwrueeg\dll\ilLjEWMV.dll, loader C:\hwrueeg\bin\NJLQWHj.exe
2019-08-13 18:54:58,811 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\pKBcCq.
2019-08-13 18:54:58,811 [root] DEBUG: Loader: Injecting process 420 (thread 264) with C:\hwrueeg\dll\ilLjEWMV.dll.
2019-08-13 18:54:58,811 [root] DEBUG: Process image base: 0x2FD10000
2019-08-13 18:54:58,811 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hwrueeg\dll\ilLjEWMV.dll.
2019-08-13 18:54:58,811 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2FE6D000 - 0x77110000
2019-08-13 18:54:58,811 [root] DEBUG: InjectDllViaIAT: Allocated 0x178 bytes for new import table at 0x2FE70000.
2019-08-13 18:54:58,811 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-13 18:54:58,811 [root] DEBUG: Successfully injected DLL C:\hwrueeg\dll\ilLjEWMV.dll.
2019-08-13 18:54:58,811 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 420
2019-08-13 18:55:00,822 [lib.api.process] INFO: Successfully resumed process with pid 420
2019-08-13 18:55:00,822 [root] INFO: Added new process to list with pid: 420
2019-08-13 18:55:00,838 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-08-13 18:55:00,838 [root] DEBUG: Full process memory dumps enabled.
2019-08-13 18:55:00,838 [root] DEBUG: Process dumps enabled.
2019-08-13 18:55:00,885 [root] INFO: Disabling sleep skipping.
2019-08-13 18:55:00,885 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-08-13 18:55:00,885 [root] INFO: Disabling sleep skipping.
2019-08-13 18:55:00,885 [root] INFO: Disabling sleep skipping.
2019-08-13 18:55:00,885 [root] INFO: Disabling sleep skipping.
2019-08-13 18:55:00,885 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 420 at 0x747e0000, image base 0x2fd10000, stack from 0x236000-0x240000
2019-08-13 18:55:00,885 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\user\AppData\Local\Temp\394.doc" \q.
2019-08-13 18:55:00,885 [root] INFO: Monitor successfully loaded in process with pid 420.
2019-08-13 18:55:00,901 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\Comctl32 (0x84000 bytes).
2019-08-13 18:55:01,042 [root] DEBUG: DLL loaded at 0x72770000: C:\Program Files (x86)\Microsoft Office\Office14\wwlib (0x127b000 bytes).
2019-08-13 18:55:01,042 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-08-13 18:55:01,072 [root] DEBUG: DLL loaded at 0x74390000: C:\Program Files (x86)\Microsoft Office\Office14\gfx (0x1ab000 bytes).
2019-08-13 18:55:01,088 [root] DEBUG: DLL loaded at 0x749C0000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2019-08-13 18:55:01,104 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-08-13 18:55:01,151 [root] DEBUG: DLL loaded at 0x713D0000: C:\Program Files (x86)\Microsoft Office\Office14\oart (0x1392000 bytes).
2019-08-13 18:55:01,306 [root] DEBUG: DLL loaded at 0x701E0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11e4000 bytes).
2019-08-13 18:55:01,338 [root] DEBUG: DLL loaded at 0x74150000: C:\Windows\system32\msi (0x240000 bytes).
2019-08-13 18:55:01,354 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-08-13 18:55:01,680 [root] DEBUG: DLL loaded at 0x73FB0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes).
2019-08-13 18:55:01,727 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf (0x40f000 bytes).
2019-08-13 18:55:01,822 [root] DEBUG: DLL loaded at 0x73AD0000: C:\Program Files (x86)\Microsoft Office\Office14\1033\wwintl (0xc9000 bytes).
2019-08-13 18:55:01,930 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-08-13 18:55:01,946 [root] DEBUG: DLL loaded at 0x70120000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS (0xbc000 bytes).
2019-08-13 18:55:02,023 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-08-13 18:55:02,118 [root] DEBUG: DLL loaded at 0x6FFD0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2019-08-13 18:55:02,134 [root] DEBUG: DLL loaded at 0x6BAA0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES (0x452a000 bytes).
2019-08-13 18:55:02,148 [root] DEBUG: DLL loaded at 0x6B830000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL (0x262000 bytes).
2019-08-13 18:55:02,164 [root] INFO: Announced 32-bit process name:  pid: 27525348
2019-08-13 18:55:02,164 [lib.api.process] WARNING: The process with pid 27525348 is not alive, injection aborted
2019-08-13 18:55:02,164 [root] DEBUG: DLL loaded at 0x6B7E0000: C:\Windows\system32\mscoree (0x4a000 bytes).
2019-08-13 18:55:02,164 [root] DEBUG: set_caller_info: Adding region at 0x00140000 to caller regions list (advapi32::RegQueryInfoKeyW).
2019-08-13 18:55:02,164 [root] DEBUG: set_caller_info: Adding region at 0x00540000 to caller regions list (kernel32::FindFirstFileExW).
2019-08-13 18:55:02,164 [root] DEBUG: DLL loaded at 0x6B760000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-08-13 18:55:02,273 [root] DEBUG: DLL loaded at 0x6B740000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2019-08-13 18:55:02,398 [root] DEBUG: DLL loaded at 0x6B720000: C:\Windows\system32\DwmApi (0x13000 bytes).
2019-08-13 18:55:02,492 [root] DEBUG: DLL loaded at 0x6B6C0000: C:\Windows\system32\Winspool.DRV (0x51000 bytes).
2019-08-13 18:55:02,539 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-08-13 18:55:02,555 [root] DEBUG: DLL unloaded from 0x75140000.
2019-08-13 18:55:02,555 [root] DEBUG: DLL loaded at 0x6B690000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-08-13 18:55:02,585 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 18:55:02,585 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 18:55:02,585 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 18:55:02,601 [root] DEBUG: DLL unloaded from 0x6B690000.
2019-08-13 18:55:02,742 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-08-13 18:55:02,742 [root] DEBUG: DLL unloaded from 0x2FD10000.
2019-08-13 18:55:02,773 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-08-13 18:55:02,773 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-08-13 18:55:02,773 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-08-13 18:55:02,773 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-08-13 18:55:02,773 [root] DEBUG: DLL loaded at 0x6B5C0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-08-13 18:55:02,773 [root] DEBUG: DLL unloaded from 0x75E70000.
2019-08-13 18:55:02,789 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-08-13 18:55:02,789 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-08-13 18:55:02,851 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-08-13 18:55:02,867 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-08-13 18:55:02,867 [root] DEBUG: DLL loaded at 0x6B5B0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-08-13 18:55:02,944 [root] DEBUG: DLL loaded at 0x6B450000: C:\Windows\System32\msxml6 (0x158000 bytes).
2019-08-13 18:55:03,085 [root] DEBUG: DLL loaded at 0x6B440000: C:\Windows\system32\profapi (0xb000 bytes).
2019-08-13 18:55:03,349 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-08-13 18:55:03,381 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-08-13 18:55:03,397 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-08-13 18:55:03,413 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-08-13 18:55:03,413 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-08-13 18:55:03,522 [root] WARNING: File at path "C:\Users\user\AppData\Local\Temp\~DF71C26E36A24D8441.TMP" does not exist, skip.
2019-08-13 18:55:03,538 [root] WARNING: File at path "C:\Users\user\AppData\Local\Temp\~DF24CF797E4C786E0A.TMP" does not exist, skip.
2019-08-13 18:55:03,865 [root] DEBUG: DLL loaded at 0x6B3E0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-08-13 18:55:22,874 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-08-13 18:58:20,694 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-08-13 18:58:20,694 [root] INFO: Created shutdown mutex.
2019-08-13 18:58:21,700 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 420
2019-08-13 18:58:21,700 [root] INFO: Terminate event set for process 420.
2019-08-13 18:58:21,700 [root] INFO: Terminating process 420 before shutdown.
2019-08-13 18:58:21,700 [root] INFO: Waiting for process 420 to exit.
2019-08-13 18:58:21,700 [root] DEBUG: Terminate Event: Attempting to dump process 420
2019-08-13 18:58:21,700 [root] DEBUG: DoProcessDump: Created dump file for full process memory dump: C:\OtenDjDZe\memory\420.dmp.
2019-08-13 18:58:21,851 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x2FD10000.
2019-08-13 18:58:21,851 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2FD10000.
2019-08-13 18:58:21,851 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010EC.
2019-08-13 18:58:21,901 [root] INFO: Added new CAPE file to list with path: C:\OtenDjDZe\CAPE\420_14548709221581713282019
2019-08-13 18:58:21,901 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x159c00.
2019-08-13 18:58:22,703 [root] INFO: Waiting for process 420 to exit.
2019-08-13 18:58:23,704 [root] INFO: Waiting for process 420 to exit.
2019-08-13 18:58:23,984 [root] DEBUG: DoProcessDump: Full process memory dump saved to file: C:\OtenDjDZe\memory\420.dmp.
2019-08-13 18:58:23,994 [root] DEBUG: DLL loaded at 0x74A70000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-08-13 18:58:24,714 [root] INFO: Shutting down package.
2019-08-13 18:58:24,762 [lib.api.process] WARNING: Upload of memory dump for process 420 failed.
2019-08-13 18:58:24,762 [root] INFO: Stopping auxiliary modules.
2019-08-13 18:58:24,762 [root] INFO: Finishing auxiliary modules.
2019-08-13 18:58:24,762 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-08-13 18:58:24,762 [root] WARNING: File at path "C:\OtenDjDZe\debugger" does not exist, skip.
2019-08-13 18:58:24,762 [root] WARNING: Monitor injection attempted but failed for process 27525348.
2019-08-13 18:58:24,762 [root] INFO: Analysis completed.

MalScore

2.0

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-08-13 17:54:57 2019-08-13 17:58:38

File Details

File Name 394.doc
File Size 40448 bytes
File Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Locale ID: 1033, Author: ofkqu, Subject: kupxxfug
MD5 6fa8f1681d5ef72d1d63f6bc06f27f1b
SHA1 b8bfe4ecad7bc7ac4855525e76412582c4df5a1f
SHA256 03ffdcbf2fd36493926881dd2fd0170f9143e7eb33d57aa604ffff0867e4e4fc
SHA512 9ed2e6ec7b044faa21ef0c6dead68b3e70b22bf6d9ef108c78b8a665569e46e4dbc48286a2b04c5dafd003e67758e11690e1536217f201288dd879f7deb1e36d
CRC32 EE363BD4
Ssdeep 768:FrtcTCiJpsJuaPJwCskJH7knU5/jSZccZ73lDNTO9y:zsNpsJNPZF4q/jSSUVD9O9
TrID
  • 100.0% (.) Generic OLE2 / Multistream Compound File (8000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched
Resubmit sample

Signatures

Dynamic (imported) function loading detected
DynamicLoader: SXS.DLL/SxsOleAut32MapReferenceClsidToConfiguredClsid
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: riched20.dll/REMSOHInst
DynamicLoader: UxTheme.DLL/IsThemeActive
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
The office file contains anomalous features
content: The file appears to have no content.
no_pages: The file appears to have no pages potentially caused by it being malformed or intentionally corrupted
creation_anomaly: The file appears to have an edit time yet has no creation time or last saved time. This can be a sign of an automated document creation kit.

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\394.doc
C:\Users\user\AppData\Local\Temp\~DF35E61CD1957FA2C1.TMP
C:\Users\user\AppData\Local\Temp\~$394.doc
C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv
C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\RECOVR32.CNV
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT632.CNV
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV
C:\Users\user\AppData\Local\Temp\~DF71C26E36A24D8441.TMP
C:\Users\user\AppData\Local\Temp\~DFFDE1D02930DCA54D.TMP
C:\Users\user\AppData\Local\Temp\~DF24CF797E4C786E0A.TMP
C:\Users\user\AppData\Local\Temp\~DF09A5D4B55A315B60.TMP
C:\Users\user\AppData\Local\Temp\394.doc
C:\Users\user\AppData\Local\Temp\~DF35E61CD1957FA2C1.TMP
C:\Users\user\AppData\Local\Temp\~DF71C26E36A24D8441.TMP
C:\Users\user\AppData\Local\Temp\~DFFDE1D02930DCA54D.TMP
C:\Users\user\AppData\Local\Temp\~DF24CF797E4C786E0A.TMP
C:\Users\user\AppData\Local\Temp\~DF09A5D4B55A315B60.TMP
C:\Users\user\AppData\Local\Temp\394.doc
C:\Users\user\AppData\Local\Temp\~DF35E61CD1957FA2C1.TMP
C:\Users\user\AppData\Local\Temp\~$394.doc
C:\Users\user\AppData\Local\Temp\~DF71C26E36A24D8441.TMP
C:\Users\user\AppData\Local\Temp\~DFFDE1D02930DCA54D.TMP
C:\Users\user\AppData\Local\Temp\~DF24CF797E4C786E0A.TMP
C:\Users\user\AppData\Local\Temp\~DF09A5D4B55A315B60.TMP
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\DefaultCPG
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\FixedFormat
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Components\3BB9B602DA94A8B4EA420BA5A73596C5
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Components\3BB9B602DA94A8B4EA420BA5A73596C5
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Components\3BB9B602DA94A8B4EA420BA5A73596C5
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\3BB9B602DA94A8B4EA420BA5A73596C5\EXP_PDF.DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Features\00004109D30000000000000000F01FEC
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Features\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Features\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\ProductFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\ProductFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A609E893B628DD84791945C946C9CA5E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A609E893B628DD84791945C946C9CA5E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E96B8FAE7CEA69C42B5B73BA69B21A71
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E96B8FAE7CEA69C42B5B73BA69B21A71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F58FB719C858BF4EAF245AC9DA59D1D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F58FB719C858BF4EAF245AC9DA59D1D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D90B8D0738CEDB14593B99ADD26D72C0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D90B8D0738CEDB14593B99ADD26D72C0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29731734CD2333940995A2B963A7E582
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29731734CD2333940995A2B963A7E582\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D762436AF7B6B543820741456BDAF60
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D762436AF7B6B543820741456BDAF60\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F2A7E907B078294BBD356DC8840852C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F2A7E907B078294BBD356DC8840852C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D9C9EE5ED897D1D4BA2F23CE5128B0F2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D9C9EE5ED897D1D4BA2F23CE5128B0F2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\818AED26EAB038A4BB72C55277E8CE84
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\818AED26EAB038A4BB72C55277E8CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\687330DB272F1A54C967131CC53B826C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\687330DB272F1A54C967131CC53B826C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723C2F65179512E4D80BD2034028D528
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723C2F65179512E4D80BD2034028D528\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8F5AB6B3B3FBA149A58A12B4A20334C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8F5AB6B3B3FBA149A58A12B4A20334C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2338564DA4241F499CB8A1F84247C0E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2338564DA4241F499CB8A1F84247C0E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\54077434B37616D4A9EA6F78E98A56BF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\54077434B37616D4A9EA6F78E98A56BF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723BCECF7B08D0A4F864A2A08963643F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723BCECF7B08D0A4F864A2A08963643F\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D474E7E9FB172E42A102B59039D88B0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D474E7E9FB172E42A102B59039D88B0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D18DE905BD78FC48A594175D75DF03C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D18DE905BD78FC48A594175D75DF03C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\85F98C50329537041A94BEA8DB880526
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\85F98C50329537041A94BEA8DB880526\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E6F86E1FEF077645B1002B7C560B871
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E6F86E1FEF077645B1002B7C560B871\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E009C76CEC08635368DB50E4DDD1CAA1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E009C76CEC08635368DB50E4DDD1CAA1\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7122F57A45DA6AE3EA412F558F665013
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7122F57A45DA6AE3EA412F558F665013\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A70728DA97715E8389326C667D0C7579
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A70728DA97715E8389326C667D0C7579\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B4CCCEF758F027B37977C1762C52F53C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B4CCCEF758F027B37977C1762C52F53C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A6D2077B64803E30B7837065053EB74
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A6D2077B64803E30B7837065053EB74\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CCCB6CC6A1A288037B4AA64D8B1B14B2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CCCB6CC6A1A288037B4AA64D8B1B14B2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACEFFF49077DF5C37898805E60656DBF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACEFFF49077DF5C37898805E60656DBF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8CD4AD91379E0F3B85DCF71AC8684DA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8CD4AD91379E0F3B85DCF71AC8684DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FFE8E5A39EFFBFB3C91EB0A7344C3917
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FFE8E5A39EFFBFB3C91EB0A7344C3917\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F8B3D16074B2F53B855F7CCCDC83FF6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F8B3D16074B2F53B855F7CCCDC83FF6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB77723BFCB84D138A19CBBF155CD452
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB77723BFCB84D138A19CBBF155CD452\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C0EE3236E87CE636B08EE9C7403EE19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C0EE3236E87CE636B08EE9C7403EE19\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9FCE2B9622F87F2339EDB74D395D7D09
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9FCE2B9622F87F2339EDB74D395D7D09\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45613AFAE1635B33E95D40A9869823C5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45613AFAE1635B33E95D40A9869823C5\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6BD3219F5F227C1388E4B254ECC53CBA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6BD3219F5F227C1388E4B254ECC53CBA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96EB09331608BA034B79232D764B2973
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96EB09331608BA034B79232D764B2973\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\13A31C284359A9136A90E7B8EFC2DFBB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\13A31C284359A9136A90E7B8EFC2DFBB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FC271526B8EBA073BB778D86B925A4D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FC271526B8EBA073BB778D86B925A4D6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45552A042794885318BD5875621A61DA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45552A042794885318BD5875621A61DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BB8A76146A1B263E890F48D1B0F01E8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BB8A76146A1B263E890F48D1B0F01E8\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DBB1C92272110335A0AED12BD0473EB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DBB1C92272110335A0AED12BD0473EB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\37709EB0F01C4FB319422B4DA2B2135C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\37709EB0F01C4FB319422B4DA2B2135C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E0F2919EC5305C236A7AD687E12EB4D3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E0F2919EC5305C236A7AD687E12EB4D3\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\595273BDEAD50DF3E8E69B1B0681CE84
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\595273BDEAD50DF3E8E69B1B0681CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1BEF2E9B13536084DBE2F1D2C9CCF79B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1BEF2E9B13536084DBE2F1D2C9CCF79B\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DA7BAFB053D9AE41AE7AAC762F84E26
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DA7BAFB053D9AE41AE7AAC762F84E26\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\638BAF8FEC5E9F645963D084A26A0B2D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\638BAF8FEC5E9F645963D084A26A0B2D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Products\00004109D30000000000000000F01FEC
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Products\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\3BB9B602DA94A8B4EA420BA5A73596C5\EXP_XPS.DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Components\58CE92CC2CB71D119A12000A9CE1A22A
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Components\58CE92CC2CB71D119A12000A9CE1A22A
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Components\58CE92CC2CB71D119A12000A9CE1A22A
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Components\F8D6C7CAF02FC984BB2485E7966A2055
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Installer\Components\F8D6C7CAF02FC984BB2485E7966A2055
HKEY_LOCAL_MACHINE\Software\Classes\Installer\Components\F8D6C7CAF02FC984BB2485E7966A2055
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Word\Text Converters\Import
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Word\Text Converters\Export
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Text Converters\Import
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Address Book Converter
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Text Converters\Export
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Word\Text Converters\OOXML Converters\Import
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Word\Text Converters\OOXML Converters\Export
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Word\Text Converters\Defaults
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\NoTrack
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\UseOfficeUIFont
HKEY_CURRENT_USER\Software\Microsoft\Office\Common
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AssertTimerVerboseLog
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AssertTimer
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\LBBreakpoint
HKEY_CURRENT_USER\Software\Classes\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{00020906-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{00020907-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\InprocHandler
HKEY_CLASSES_ROOT\Typelib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0\win32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{000209F0-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209F0-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{000209F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209F1-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{000209F4-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209F4-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{000209F5-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209F5-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{000CDB0D-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000CDB0D-0000-0000-C000-000000000046}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocHandler
HKEY_CURRENT_USER\Control Panel\International
\xef\x88\x90\xc8\xabEY_CURRENT_USER\Control Panel\International\NumShape
HKEY_CURRENT_USER\Control Panel\Desktop
\xef\x88\x90\xc8\xabEY_CURRENT_USER\Control Panel\Desktop\CaretWidth
\xef\x88\x90\xc8\xabEY_CURRENT_USER\Control Panel\Desktop\CursorBlinkRate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\IME
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\MaxTrustedDocuments
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\PurgeInterval
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\DefaultCPG
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\3BB9B602DA94A8B4EA420BA5A73596C5\EXP_PDF.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00004109D30000000000000000F01FEC\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Features\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A609E893B628DD84791945C946C9CA5E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E96B8FAE7CEA69C42B5B73BA69B21A71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F58FB719C858BF4EAF245AC9DA59D1D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D90B8D0738CEDB14593B99ADD26D72C0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29731734CD2333940995A2B963A7E582\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D762436AF7B6B543820741456BDAF60\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F2A7E907B078294BBD356DC8840852C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\379E92CC2CB71D119A12000A9CE1A22A\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D9C9EE5ED897D1D4BA2F23CE5128B0F2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\818AED26EAB038A4BB72C55277E8CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\687330DB272F1A54C967131CC53B826C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723C2F65179512E4D80BD2034028D528\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D8F5AB6B3B3FBA149A58A12B4A20334C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E2338564DA4241F499CB8A1F84247C0E\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\54077434B37616D4A9EA6F78E98A56BF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\723BCECF7B08D0A4F864A2A08963643F\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D474E7E9FB172E42A102B59039D88B0\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4D18DE905BD78FC48A594175D75DF03C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\85F98C50329537041A94BEA8DB880526\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E6F86E1FEF077645B1002B7C560B871\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E009C76CEC08635368DB50E4DDD1CAA1\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7122F57A45DA6AE3EA412F558F665013\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A70728DA97715E8389326C667D0C7579\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B4CCCEF758F027B37977C1762C52F53C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3A6D2077B64803E30B7837065053EB74\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CCCB6CC6A1A288037B4AA64D8B1B14B2\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACEFFF49077DF5C37898805E60656DBF\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8CD4AD91379E0F3B85DCF71AC8684DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FFE8E5A39EFFBFB3C91EB0A7344C3917\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0F8B3D16074B2F53B855F7CCCDC83FF6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB77723BFCB84D138A19CBBF155CD452\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1C0EE3236E87CE636B08EE9C7403EE19\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9FCE2B9622F87F2339EDB74D395D7D09\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45613AFAE1635B33E95D40A9869823C5\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6BD3219F5F227C1388E4B254ECC53CBA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\96EB09331608BA034B79232D764B2973\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\13A31C284359A9136A90E7B8EFC2DFBB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FC271526B8EBA073BB778D86B925A4D6\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\45552A042794885318BD5875621A61DA\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9BB8A76146A1B263E890F48D1B0F01E8\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DBB1C92272110335A0AED12BD0473EB\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\37709EB0F01C4FB319422B4DA2B2135C\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E0F2919EC5305C236A7AD687E12EB4D3\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\595273BDEAD50DF3E8E69B1B0681CE84\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1BEF2E9B13536084DBE2F1D2C9CCF79B\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9DA7BAFB053D9AE41AE7AAC762F84E26\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\638BAF8FEC5E9F645963D084A26A0B2D\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6C9A6F846E2818A47A408CAF13381C71\00004109D30000000000000000F01FEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\ProductFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\3BB9B602DA94A8B4EA420BA5A73596C5\EXP_XPS.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MEWord12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\MSWorksWin9\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Recover\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\Word97\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WordPerfect6x\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Import\WrdPrfctDos\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MEWord12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\MSWorksWin9\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word12\Address Book Converter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared Tools\Text Converters\Export\Word97\Address Book Converter
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\NoTrack
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\UseOfficeUIFont
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\AssertTimerVerboseLog
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\LBBreakpoint
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84F66100-FF7C-4FB4-B0C0-02CD7FB668FE}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\ProgID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\InprocHandler32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F1-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000209F5-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000CDB0D-0000-0000-C000-000000000046}\InprocServer32\ThreadingModel
\xef\x88\x90\xc8\xabEY_CURRENT_USER\Control Panel\International\NumShape
\xef\x88\x90\xc8\xabEY_CURRENT_USER\Control Panel\Desktop\CaretWidth
\xef\x88\x90\xc8\xabEY_CURRENT_USER\Control Panel\Desktop\CursorBlinkRate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\MaxTrustedDocuments
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\PurgeInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage\ProductFiles
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime
mso.dll.#889
mso.dll.#5117
mso.dll.#3197
mso.dll.#9217
mso.dll.#8776
mso.dll.#3008
mso.dll.#618
mso.dll.#4644
mso.dll.#3276
mso.dll.#3547
mso.dll.#7278
mso.dll.#6115
mso.dll.#1228
mso.dll.#1163
mso.dll.#3463
mso.dll.#8974
mso.dll.#9891
mso.dll.#3832
mso.dll.#5339
mso.dll.#5596
mso.dll.#8594
mso.dll.#2405
kernel32.dll.GetTickCount64
mso.dll.#2797
mso.dll.#4062
mso.dll.#6346
mso.dll.#4838
mso.dll.#7482
sxs.dll.SxsOleAut32MapReferenceClsidToConfiguredClsid
mso.dll.#5115
mso.dll.#6360
mso.dll.#4528
riched20.dll.REMSOHInst
uxtheme.dll.IsThemeActive
mso.dll.#7480
mso.dll.#7952
mso.dll.#6773
mso.dll.#5806
mso.dll.#3094
mso.dll.#1854
mso.dll.#6674
mso.dll.#9330
mso.dll.#10257
mso.dll.#2019
mso.dll.#8039
mso.dll.#2832
mso.dll.#6275
mso.dll.#5971
mso.dll.#2468
mso.dll.#7762
mso.dll.#8022
mso.dll.#1038
mso.dll.#9029
ole32.dll.OleInitialize
ole32.dll.OleUninitialize
ole32.dll.CoCreateInstance
mso.dll.#10007
mso.dll.#2031

Binary Entropy

SummaryInformation Metadata

Creating Application None
Author ofkqu
Last Saved By None
Creation Time None
Last Saved Time None
Total Edit Time None
Document Title None
Document Subject kupxxfug
Amount of Pages None
Amount of Words None
Amount of Characters None

DocumentSummaryInformation Metadata

Company None
Document Version None
Digital Signature None
Language None
Notes None

AES 128
ofkqu
kupxxfug
Root Entry
WordDocument
EncryptionInfo
EncryptedPackage
Microsoft Enhanced RSA and AES Cryptographic Provider
EncryptedPackage2
StrongEncryptionDataSpace
DataSpaces
Version
DataSpaceMap
DataSpaceInfo
StrongEncryptionDataSpace
TransformInfo
StrongEncryptionTransform
Primary
StrongEncryptionTransform
{FF9A3F03-56EF-4613-BDD5-5A41C1D07246}N
Microsoft.Container.EncryptionTransform
SummaryInformation
This file is not on VirusTotal.

Process Tree

  • WINWORD.EXE 420 "C:\Users\user\AppData\Local\Temp\394.doc" /q

WINWORD.EXE, PID: 420, Parent PID: 2480
Full Path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command Line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\user\AppData\Local\Temp\394.doc" /q

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name CVR710B.tmp.cvr
Associated Filenames
C:\Users\user\AppData\Local\Temp\CVR710B.tmp.cvr
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name Normal.dotm
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
File Size 20381 bytes
File Type Microsoft Word 2007+
MD5 23f4c984d111e7c0851f13b5a39e23bf
SHA1 f0b6cf9e53e9b5396275341984cb781ee9c52e80
SHA256 3ade1df494b161cd3616664ccf82d732eea6a648eefe4bfdc285c21be9e51966
CRC32 B554EAE8
Ssdeep 384:Pjl7/J/5ehBcSV+qEPG6yGUTBIOoX4+hD9Qn6eF7y1SFmlEeP:d/JQoG2vX4+hD9IZY
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name ~$Normal.dotm
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
C:\Users\user\AppData\Local\Temp\~$394.doc
File Size 162 bytes
File Type data
MD5 857fb7ae30f099b51cfab71fc088dc68
SHA1 bde98c6401cf8bf4bc894361824a8cd8b1827e55
SHA256 dec1de6a177693e0d5aa1d92295780ce9bda79f8d2d1fa8847d4a03ca6f247cd
CRC32 D91187A0
Ssdeep 3:2H/9lyX/3L7YMlbK7g7lxItOFq1Fj:wVSlxK7ghqOF+N
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name 394.doc
Associated Filenames
C:\Users\user\AppData\Local\Temp\394.doc
File Size 40448 bytes
File Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Locale ID: 1033, Author: ofkqu, Subject: kupxxfug
MD5 6fa8f1681d5ef72d1d63f6bc06f27f1b
SHA1 b8bfe4ecad7bc7ac4855525e76412582c4df5a1f
SHA256 03ffdcbf2fd36493926881dd2fd0170f9143e7eb33d57aa604ffff0867e4e4fc
CRC32 EE363BD4
Ssdeep 768:FrtcTCiJpsJuaPJwCskJH7knU5/jSZccZ73lDNTO9y:zsNpsJNPZF4q/jSSUVD9O9
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name Word14.customUI
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Office\Word14.customUI
File Size 3513 bytes
File Type Microsoft OOXML
MD5 b022439244ee91625c99a91c666eb0fb
SHA1 84a647b0bc5457c74c631361e8fad1dadd0852c8
SHA256 2a439ab0ccf43f70f80f6b929f9ea29ac6a6666b9abce9921105dc72e7fda8ca
CRC32 CC7E186E
Ssdeep 48:9mV5NrJ54E1SO6xLfUMcZ0BIKoGn5FxwYzZX2ynWM2d8gy7znl:UV5RJ4xFOYtXl
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
File name ~WRS{E9E3073B-F4ED-4CE6-A387-25406AC20F7D}.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9E3073B-F4ED-4CE6-A387-25406AC20F7D}.tmp
File Size 1024 bytes
File Type data
MD5 5d4d94ee7e06bbb0af9584119797b23a
SHA1 dbb111419c704f116efa8e72471dd83e86e49677
SHA256 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
CRC32 23C03491
Ssdeep 3:ol3lYdn:4Wn
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Submit file
Sorry! No CAPE files.
Process Name WINWORD.EXE
PID 420
Dump Size 1416192 bytes
Module Path C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Type PE imageexecutable
MD5 d5f820c20ba870f0dd1e55ad42ec2ed3
SHA1 6cd3623a9a4e367ba3e32299a2f29c7e0a99ef67
SHA256 1e32d2027791a79a5fbe10e6efb2df52148f27719235388e8357778e4cc51e3f
CRC32 E2F259BA
Ssdeep 24576:6LZmQR3caJZLZmvNzc0TDZodoSRsfHMbvmQ6:2ZmQyaJ1ZmFcqi+SRAG+
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 1e32d2027791a79a5fbe10e6efb2df52148f27719235388e8357778e4cc51e3f
Download

Full Dump Information

Process Name WINWORD.EXE
Executable Path C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Yara None matched
Full Dump Download
Process Strings Download

Address Space

Start End Size Protection PE Download
0x00010000 0x00021000 0x00011000 Mixed No Download
0x00010000 0x00020000 0x00010000 RW Download
0x00020000 0x00021000 0x00001000 R Download
0x00030000 0x00031000 0x00001000 RW No Download
0x00040000 0x00041000 0x00001000 R No Download
0x00050000 0x00054000 0x00004000 R No Download
0x00060000 0x00063000 0x00003000 R No Download
0x00070000 0x00071000 0x00001000 RW No Download
0x00080000 0x000e7000 0x00067000 R No Download
0x000f0000 0x000f1000 0x00001000 RW No Download
0x0013c000 0x00140000 0x00004000 RW No Download
0x0021f000 0x00240000 0x00021000 RW No Download
0x00278000 0x00280000 0x00008000 RW No Download
0x0037e000 0x00383000 0x00005000 Mixed No Download
0x0037e000 0x00380000 0x00002000 RW Download
0x00380000 0x00383000 0x00003000 R Download
0x00390000 0x00393000 0x00003000 R No Download
0x003a0000 0x003b7000 0x00017000 RW No Download
0x00420000 0x00423000 0x00003000 R No Download
0x00430000 0x00473000 0x00043000 Mixed No Download
0x00430000 0x00440000 0x00010000 RW Download
0x00440000 0x00470000 0x00030000 RW Download
0x00470000 0x00473000 0x00003000 R Download
0x004bc000 0x004c4000 0x00008000 RW No Download
0x004bc000 0x004c0000 0x00004000 RW Download
0x004c0000 0x004c4000 0x00004000 RW Download
0x004d0000 0x004e8000 0x00018000 RW No Download
0x004f0000 0x00501000 0x00011000 RW No Download
0x004f0000 0x00500000 0x00010000 RW Download
0x00500000 0x00501000 0x00001000 RW Download
0x00510000 0x00512000 0x00002000 RW No Download
0x00520000 0x00532000 0x00012000 Mixed No Download
0x00520000 0x00530000 0x00010000 RW Download
0x00530000 0x00532000 0x00002000 R Download
0x00540000 0x0060b000 0x000cb000 RW No Download
0x00640000 0x00645000 0x00005000 R No Download
0x007c0000 0x007c3000 0x00003000 R No Download
0x007d0000 0x0080a000 0x0003a000 RW No Download
0x007d0000 0x007e0000 0x00010000 RW Download
0x007e0000 0x007f0000 0x00010000 RW Download
0x007f0000 0x00800000 0x00010000 RW Download
0x00800000 0x0080a000 0x0000a000 RW Download
0x00810000 0x00991000 0x00181000 R No Download
0x009a0000 0x009e3000 0x00043000 R No Download
0x01da0000 0x01da1000 0x00001000 RW No Download
0x01db0000 0x01db1000 0x00001000 RW No Download
0x01dc0000 0x01dc1000 0x00001000 RW No Download
0x01dd0000 0x01e40000 0x00070000 RW No Download
0x01dd0000 0x01de0000 0x00010000 RW Download
0x01de0000 0x01df0000 0x00010000 RW Download
0x01df0000 0x01e00000 0x00010000 RW Download
0x01e00000 0x01e10000 0x00010000 RW Download
0x01e10000 0x01e20000 0x00010000 RW Download
0x01e20000 0x01e30000 0x00010000 RW Download
0x01e30000 0x01e40000 0x00010000 RW Download
0x01e7c000 0x01ec1000 0x00045000 RW No Download
0x01e7c000 0x01e80000 0x00004000 RW Download
0x01e80000 0x01e90000 0x00010000 RW Download
0x01e90000 0x01ea0000 0x00010000 RW Download
0x01ea0000 0x01eb0000 0x00010000 RW Download
0x01eb0000 0x01ec0000 0x00010000 RW Download
0x01ec0000 0x01ec1000 0x00001000 RW Download
0x01f28000 0x01f29000 0x00001000 RW No Download
0x01f4f000 0x01fbf000 0x00070000 RW No Download
0x01f4f000 0x01f5c000 0x0000d000 RW Download
0x01f5c000 0x01fbf000 0x00063000 RW Download
0x0213b000 0x0213c000 0x00001000 RWX No Download
0x02249000 0x022c0000 0x00077000 Mixed No Download
0x02249000 0x0224a000 0x00001000 RWX Download
0x0224a000 0x0227d000 0x00033000 RW Download
0x0227d000 0x022a6000 0x00029000 RWX Download
0x022a6000 0x022bc000 0x00016000 RW Download
0x022bc000 0x022bf000 0x00003000 RWX Download
0x022bf000 0x022c0000 0x00001000 RW Download

Comments



No comments posted

Processing ( 3.797 seconds )

  • 0.991 CAPE
  • 0.753 Deduplicate
  • 0.726 ProcessMemory
  • 0.675 ProcDump
  • 0.318 Static
  • 0.129 BehaviorAnalysis
  • 0.086 TrID
  • 0.079 Dropped
  • 0.026 TargetInfo
  • 0.006 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.002 Strings
  • 0.001 Debug

Signatures ( 0.14 seconds )

  • 0.031 antiav_detectreg
  • 0.014 antidbg_windows
  • 0.011 infostealer_ftp
  • 0.007 stealth_file
  • 0.006 api_spamming
  • 0.006 decoy_document
  • 0.006 stealth_timeout
  • 0.006 antianalysis_detectreg
  • 0.006 infostealer_im
  • 0.004 antivm_generic_scsi
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 antivm_vbox_keys
  • 0.003 ransomware_extensions
  • 0.002 antivm_generic_services
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 kibex_behavior
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 office_martian_children
  • 0.001 recon_fingerprint

Reporting ( 0.121 seconds )

  • 0.119 Compression
  • 0.002 CompressResults
Task ID 87740
Mongo ID 5d52fa56a391c3d188a52f44
Cuckoo release 1.3-CAPE
Delete