API tools faq
paste
Advertisement
paladin316

rat_80addc811af0d796748ece51d22393cd_doc_2019-08-18_14_40.txt

paladin316
Aug 18th, 2019
1,336
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 60.47 KB | None | 0 0
raw download clone embed print report
  1.  
  2. * MalFamily: "Obfuse"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "rat_80addc811af0d796748ece51d22393cd.doc"
  7. * File Size: 1406374
  8. * File Type: "Rich Text Format data, version 1, unknown character set"
  9. * SHA256: "3822e819b09ae79b8c5b4d2a9cca6456807d69ff6ead6a03cc4395a6da30b573"
  10. * MD5: "80addc811af0d796748ece51d22393cd"
  11. * SHA1: "8680cf7e49aa0037f006fc1382fb6edeabe87e85"
  12. * SHA512: "22080c02686beee2c011e031565b357c86b9587711330ade21aea152792b68de772c9283a7f69ee3858d0f8bbc2a0396545564e4b098d4c5d92f87694feeddd9"
  13. * CRC32: "D88C0E21"
  14. * SSDEEP: "3072:oHtRdNlflRRdNlflRRdNlflRRdNlflRRdNlflnS:kdPflDdPflDdPflDdPflDdPflnS"
  15.  
  16. * Process Execution:
  17. "WINWORD.EXE",
  18. "splwow64.exe",
  19. "explorer.exe"
  20.  
  21.  
  22. * Executed Commands:
  23. "C:\\Windows\\splwow64.exe 12288"
  24.  
  25.  
  26. * Signatures Detected:
  27.  
  28. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  29. "Details":
  30.  
  31.  
  32. "Description": "Attempts to connect to a dead IP:Port (4 unique times)",
  33. "Details":
  34.  
  35. "IP": "52.109.20.1:443"
  36.  
  37.  
  38. "IP": "52.109.20.4:443"
  39.  
  40.  
  41. "IP": "104.18.25.243:80"
  42.  
  43.  
  44. "IP": "72.21.91.29:80"
  45.  
  46.  
  47.  
  48.  
  49. "Description": "The RTF file contains embedded content",
  50. "Details":
  51.  
  52. "embedded content": "Object 2 index 00002438h contains embedded object Excel.Sheet.8 with size 134656 bytes"
  53.  
  54.  
  55. "embedded content": "Object 2 index 000445DDh contains embedded object Excel.Sheet.8 with size 134656 bytes"
  56.  
  57.  
  58. "embedded content": "Object 2 index 00086782h contains embedded object Excel.Sheet.8 with size 134656 bytes"
  59.  
  60.  
  61. "embedded content": "Object 2 index 000C8927h contains embedded object Excel.Sheet.8 with size 134656 bytes"
  62.  
  63.  
  64. "embedded content": "Object 2 index 0010AACCh contains embedded object Excel.Sheet.8 with size 134656 bytes"
  65.  
  66.  
  67. "embedded content": "Object 2 index 0014D3F8h contains embedded object with size 6148 bytes"
  68.  
  69.  
  70.  
  71.  
  72. "Description": "Anomalous file deletion behavior detected (10+)",
  73. "Details":
  74.  
  75. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CabE108.tmp"
  76.  
  77.  
  78. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\TarE109.tmp"
  79.  
  80.  
  81. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\~DF31E96A02D83D77CF.TMP"
  82.  
  83.  
  84. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\~DF117ADF50157D9259.TMP"
  85.  
  86.  
  87. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\~DFF95208BC33EB27A3.TMP"
  88.  
  89.  
  90. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\~DFDD30D3B5FBA051B1.TMP"
  91.  
  92.  
  93. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\~DF1C3736253C4748A5.TMP"
  94.  
  95.  
  96. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml"
  97.  
  98.  
  99. "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\~$Normal.dotm"
  100.  
  101.  
  102. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSA7B4D2ED-15C9-4F7A-AD67-90A731BDDC7E.tmp"
  103.  
  104.  
  105. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSF358CA33-AC87-4143-828B-EEF904262CAD.tmp"
  106.  
  107.  
  108. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\F1A7C9F5.wmf"
  109.  
  110.  
  111. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\710A48C4.emf"
  112.  
  113.  
  114. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\AA8D060F.emf"
  115.  
  116.  
  117. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\E8DA78C6.emf"
  118.  
  119.  
  120. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\6C02A799.emf"
  121.  
  122.  
  123. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\7CA737F8.emf"
  124.  
  125.  
  126. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\7CA737F8.emf"
  127.  
  128.  
  129. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\6C02A799.emf"
  130.  
  131.  
  132. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\E8DA78C6.emf"
  133.  
  134.  
  135. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\AA8D060F.emf"
  136.  
  137.  
  138. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\710A48C4.emf"
  139.  
  140.  
  141. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\CVRD251.tmp.cvr"
  142.  
  143.  
  144. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF82D4E20E-C0B1-4DB6-8C74-EF21972CDEBB.tmp"
  145.  
  146.  
  147.  
  148.  
  149. "Description": "The RTF file has an unknown character set",
  150. "Details":
  151.  
  152.  
  153. "Description": "Sniffs keystrokes",
  154. "Details":
  155.  
  156. "SetWindowsHookExW": "Process: explorer.exe(2044)"
  157.  
  158.  
  159.  
  160.  
  161. "Description": "A document file initiated network communications indicative of a potential exploit or payload download",
  162. "Details":
  163.  
  164. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x90\\xb9\\x95\\xdd\\x07\\x90\\xcf\\x83\\x81\\xda\\x9d\\xe8\\x97 \\x03f\\xfceo3a\\x15c\np\\x92eo\\xf5g\\xea\\\\xcc\\xf5\\xd1\\x06\\xa3\\xd96s\\xfek\"\\xee4\\xf8\\x1e\\xf1\\xd8\\x15\\x1d\\xe8:\\xdfy\\x934\\xd0\\xb2\\xb6\\xc4\\x9b\\xc4\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000p\\xddm\\xcb:\\xad\\xd7\\xe7s1n$\\x14\\x9a\\xa8\\x96 fls\\x14\\xf1\\xd0\\xc8.@y\\xb8\\xfa%\\xcez\\xab\\xdfa,h\\xb8\\x147h\\xc9\\x1d6\\x13i"
  165.  
  166.  
  167. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\x94i+a\\xed\\x10&\\xa4=\\x1bu\\xec\n\\xd4\\xc7\\x0b\\x114g\\xdc\\x83\\x92\\xff\\x14z\\xcdj\\xfb$r\\xc2\\xc9\\x98c\\xf6 p:\\x1b\\xacu\\xd6:;\\xe0\\x90\\x00xt\\x16\\x14ov<(t\\x94\\x83\\xb8\\xd0\\xc9\\xcc\\xe6e\\xb0\\x89\\x8e\\x8e\\xbca\\xbb\\xe1\\xb9\\xb6\\xf8\\xd8\\xfby\\xf7^\\x89\\x81\\x86\\x1dg\\xc4l\\xe9\\x06@o|k\\x0f\\xd1\\xd5p\\xe5\\xd0\\xf3&\\xbc\\xa2v`\\x08\\x8c\\x97\\xda\\xf3\\x1a\\x97\\xdbn\\xe4\\xb5\\xe6mw\\xb3\\xd3vofw\\x80\\xcaq\\x8bz.\\xf8(.\\x11\\xf2 a\\x04\\x96\\x02k\\x83\\x88#\\xf7s\"\\xea\"xm-wi\\xfcwk\\xf8r\\xfd\\x93\\xe7b\\x8b\\x82/\\x0b1\\xd5\\x95\\xb8\\xebb\t#\\xce\\x9a\\x10\\xd9>\\xc6\\xdd\r\\xd5yf\\x94\\x13\\xc3\\xc7\\xfa\\xeb\\x7f\"\\x9cg\\x82<\\x8d\\xa9\\xeb\\xbbv3g\\x9e\\x83o\\x9a\\xb5\\xa45d\\x0ft\\x01\\xab\\xa7\\xf0\\x1e\\x7f\\xde\\xe0\\xaemi\\x83\\x8d\r\\xc0\\xbag`3si\\xa7\\xce\\xf0\\xf7\\x8d\\xc30\\xf5\\xd5\\x8a+"
  168.  
  169.  
  170. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00~\\x01\\x00\\x00z\\x03\\x01xi\\x8e\\xac\\xdf\\xeb\\xbb\\x8cc\\xefcg\\x94%p\\xa0\\xdb\\x95d\\xd3\\xe1\\x9f\\x0b6\\xb6\\x0e\\xffp\\x1d\\x1f\\x1c\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x009\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00 \\x00\\x1e\\x00\\x00\\x1broaming.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  171.  
  172.  
  173. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xeal\\xfey\\x07\\xd9\\x8af\\xfc\\xb9b\\xfbk\\xe6\\xdbv\\xd7\\xe6\\xfb\\xf2\\xa2n\\xb0\\x18\\xb5\\x7fyuh,\\x84\\xb9\\x11>\\x8f\\xaa\\x83\\xfc\\x80\\x01\\xd6(\\x15\\xddn\\xc1v\\xcf\\x99e\\xcc\\x92\\x16\\xa3\\xbe\\\\xd7\\x929\\xdd\\xa1\\xa0\\xcb\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000.\\xa5y\\x89-\\x97\\xfc\\xf7\\x90\\xd2\\xfd'\\xb7_\\x19(\n%i\\xc9'\\xef!\\x0e\\xa9r\\x1b\\xbd\\xc9\\xbd\\xe7\\\\x7f\\x993c\\xc8\\xc3l\\x00(\\xba\\xf5\\xc9\\xbfc\\x86$"
  174.  
  175.  
  176. "http_request": "winword.exe_WSASend_get /mfewtzbnmeswstajbgurdgmcgguabbtbl0v27rvz7lbduom%2fnyb45spuewqu5z1zmijhwmys%2bghunoz7oruetfaceai4elabvpzalrznpjlrv1u%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nuser-agent: microsoft-cryptoapi/6.1\r\nhost: ocsp.digicert.com\r\n\r\n"
  177.  
  178.  
  179. "http_request": "winword.exe_WSASend_get /mfqwujbqme4wtdajbgurdgmcgguabbrpc1vzt9qvn7bzy3iidtbhla4mkqquwiif1tycsck3fd7%2fhijo5ox%2f%2bn0ce3saagyvv14%2fmepdgh0aaaaabk8%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nif-modified-since: sat, 23 mar 2019 17:46:18 gmt\r\nif-none-match: \"dd54d75d468"
  180.  
  181.  
  182. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\xda\\xcf\\xdbh\\x06\\xf8d\\x81\\xf66h\\xa0\\xed\\xc1\\x08\\x01q\\xab\\x85$\\x93s\\xcd\\xcel\\x0b?o;\\xda\\xd4\\x1b\\xf2\\xdc\\x1b\\xe2\\xb0\\xdc\\xa1h.h\\xb6/\\xd4;\\x1e\\xfa\\xda\\xcavz\\x81\\xb3\\x11\\xfd\\xce\\x1a\\x86%\\xaecz\\x1e\\xf3\\xcedk\\xda\\x1e\\x1b\\xe0\\x82\\xd8g\\xd0\\xf2\\xc0\\xe5\\xe6w\\xdb\\xc4\\xd7\\x93\\xbfe\\x89a\\x1b\\xbb\\xbf\\xf53k\\x87\\x01\\x08\\xca\\xc3a\\x92\\x9a7v\\x90\\x82\\xe4\\x8cq|\\xbamad\\xcbb1\\xd6\\x96\\xb6\\x13\\x94\\xf0vl/+\\xc29\\xdb\\xc84y\\xb0\\xaf\\xdddl/\\xa1\\xa3l\\x9b\\xdd\\xc4\\xb7\\x03\\xb3\\xde\\x03ku\\xb2f\\\\xeca\r\\x16\\xd3\\xd1\\xd7\\xa8\\x90\\x16d\\xfd\\xe4\\x15\\xdba\n\\xe3\\xc4\\x01*u\\xc2\\x7f8yf\\xc8\\x1a\\xba\\x03\r\\xb9\\xfe\\x9d,,\\xe8\\x94\\xc0\\xc0\\x07\\xab\\x08i&\\x95>\\xef=\\\\xec\\xb1\\x0f\\x8e\\xdb\\x8a\\xc6\\xd3*lq\\xc9\\xea\\xc792>\\xc1\\xe1\\x99\\xe7\\xbb\\xb1k\\xd3$vw5i\\xa6t/\\x1f\\xd7\\xd6\\xa1\\\r\\x9a1\\xa2"
  183.  
  184.  
  185. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x02 \\x16\\xdc\\x95\\xfe\\xb7\\xd4\\xb7&\\xee\\xf1\\x86\\;\\xd89\\xe0\\xbc\\x80\\xc3\\xbd\\xe1\\xa1\\xce^\\x12lv?n\\xd0\\x1a\\x9c\\xe6\\xa1.\\x00\\xb3\\xf0ec3vc\\x12\\xfe\\xf4\\xba\\xce\\x98\\xd7\\xddl\\xd5\\xfb\\xed\\x804\\x111\\xb3\\xd4\\x1f#\\xdcw$\\x04\\xe0\\x8ct1\\xa3i\\x1bl\\x01|\\xcb\\xac\\x9b\\x9a#>e\\xcf\\xc3d\\xff\\xbe\\x83c&\\xbf\\xd1\\xc0l\\xa7\\xcd\\xebi\\x93z\\xb4\\xf0\\x91s\\x00\\xb4\\x90\\xb1\\x8cst\\xe3\\xb92\\x7fp\\xb5@\\xc0\\xe9\\xf8\\xd0l\\xc1\\xddh6\\x81\\x9cw\\xb0|\\xdc\\xe5u\\x94\\xb2\\xfe\"\\x15\\xc7k\\x01\\x9b\\x11\\x06(\\x83\\x85\\xc1/;\\xd47\\x81\\xe4\\xfb\\xa1\\xbd\\xbf\\xb3\\xd5\\x91\\xc1\\x1a\\xc2\r\\x9d\\x12f\\xd9p\\x19\\x9a\\x14\\xcd\\x03\\xf8\\xb5\\x9bhw\\xa4i\r\\x93\\xa2\\x8a\\x06z\\x81pcz\\x03\\x07d\\xb8h*\\xdd\\xb5`\\x18b\\xd7\\xdd$v\\x85\\xecp\\x02em\\xd9\\x8e\\xfa\\xe8\\xe3\\xfcj\\x12\\xb2\\xdeu\\xfbno\\x9a\\x89p\\x10\\xe8\\xe9\\x1ew\\xab\\xab\\x9b>i\\xac\\x82"
  186.  
  187.  
  188. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00z\\x01\\x00\\x00v\\x03\\x01xi\\x9f\\x7f\\x92$\\xce4\\xce\\xa5g7\\xca\\x02\\x08u?\\x9e\\x1dt\\x9e\\xf7\\xe0<\\x17\\xa2mk\\x84\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x005\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x1c\\x00\\x1a\\x00\\x00\\x17odc.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  189.  
  190.  
  191. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04a\\xd8z&q\\x9aw\\x7f\\xbe\\xb6\\xf1\\xee\\x99\\xeagp\\xa3q#\\xe78!4\\x98e2\\xb1\\xafjt\\xb7\\xa4m\\x9cq\\xa7$\\xe5\\xd6\\xab\\x11\\x7fx\\xb5\\xd65\\xe43\\xb2sct\\xd4\\xf4\\x99\\xbfv\\x82\\x82\\xffd\\xf0\\xb2\\xfe\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000%s\\x13\\xc2|\\xa0w\\xc8=l\\\\x10\\x00\\xe6!\\xd8\\xf6`\\x92\\x05o\\x8dy\\xb1\\x0f\\x0e\\xcb\\xdagv\\xaa\\xeckm\\xc0\\xb8pk\\xaa\\xcdyj\\xef\\xe1\\xad\\x96\\xa3|"
  192.  
  193.  
  194. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\xb7d\\xc9\\xff't\\xbb\\xcdku\\xe0\\xcf<\\xc1\\x8dr\\xac\\xf79k\\xb2\\x91b\\xaet\\x15(\\xa8~\\x9a\\xfd\n\\xc2xt~\\xb4e\\xb8\\x9b\\xbe\\xc4\\xf9\\x8a\\xfd^\\xb6\\xe4\\xb7\\x11\\x1e\\xf2r\\xfax'\\xb4\\xa8\\xa1+bo\\x06v\\xac,\\xe7\\xaf\\xc3=\\x9e\\xc1\\xea\\x84*\\xf8\\x80?\\x80\\x0e'\\xf4\\xb7\\xe4\\xb1\\x90\\xc6\\xef\nmy\\x98\\xac\\x95\\xcf\\xc7\\x92so\\xd4\\x93v\\x86\\x02^:v\\x9f\\xb0\\xc2x\\xa6\\xdc\\xea\\xd9\\xf4g\\xc1\\xa8\\xe9\\xb0\\x18\\xc7\\x056\\xed\\x04r\\xe6\\xe3\\xafsf\\x9dw\\x8a\\x1b\\x82\\xbew\\x9e\\x81\\xf2p5\\xb3\\xbdw \\xc0\\x011\\x91\\xeb\\x1e\\x95:\\xff\\x04\\xcb\\xe7\\xc1-w\\x95%\\x05\\xcex\\xcb\\xdb g\\xb3\\x8c\\xe3\\x15\\xaf\\xb6\\xb3h3!*t\\xa0\\xe9\"\\xfb\\xad\\xfa\\x0c\\x1a2\\x00\\xbf\\x00\\xc92\\xe3\\xf1u\\x80b:\\xd4\\x00cn\\x16\\x84\\xd0t\\x81^\\xb0=\\x1e\\xbeb.b\\x10\\xb2\\xcd`'\\xa3\\x86\\xdfk\\xee\\xa8\\xf8<0\\x8af\\xa1:\\x95sr\\xf2\\x81\\xf9\\xacq\\xf7"
  195.  
  196.  
  197.  
  198.  
  199. "Description": "Stack pivoting was detected when using a critical API",
  200. "Details":
  201.  
  202. "process": "splwow64.exe:1672"
  203.  
  204.  
  205.  
  206.  
  207. "Description": "Creates a hidden or system file",
  208. "Details":
  209.  
  210. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$JMDKU2d.doc"
  211.  
  212.  
  213.  
  214.  
  215. "Description": "File has been identified by 20 Antiviruses on VirusTotal as malicious",
  216. "Details":
  217.  
  218. "Symantec": "Trojan.Gen.NPE"
  219.  
  220.  
  221. "ESET-NOD32": "VBA/TrojanDownloader.Agent.PAH"
  222.  
  223.  
  224. "TrendMicro-HouseCall": "Trojan.W97M.POWLOAD.THHAFAI"
  225.  
  226.  
  227. "Avast": "Other:Malware-gen Trj"
  228.  
  229.  
  230. "Kaspersky": "HEUR:Trojan.MSOffice.SAgent.gen"
  231.  
  232.  
  233. "NANO-Antivirus": "Trojan.Ole2.Vbs-heuristic.druvzi"
  234.  
  235.  
  236. "AegisLab": "Trojan.MSOffice.SAgent.4!c"
  237.  
  238.  
  239. "DrWeb": "Exploit.Siggen.26447"
  240.  
  241.  
  242. "TrendMicro": "Trojan.W97M.POWLOAD.THHAFAI"
  243.  
  244.  
  245. "Cyren": "CVE1711882"
  246.  
  247.  
  248. "Microsoft": "TrojanDownloader:O97M/Obfuse.HX!MTB"
  249.  
  250.  
  251. "ZoneAlarm": "HEUR:Trojan.RTF.SAgent.gen"
  252.  
  253.  
  254. "GData": "Script.Trojan.Agent.QXQDYD"
  255.  
  256.  
  257. "TACHYON": "Suspicious/RTF.Obfus.Gen.2"
  258.  
  259.  
  260. "Zoner": "Probably W97DownloaderA"
  261.  
  262.  
  263. "Rising": "Downloader.Obfuse!8.105AD (TOPIS:E0:7qXQR4bd08C)"
  264.  
  265.  
  266. "Ikarus": "Trojan.Office.Doc"
  267.  
  268.  
  269. "Fortinet": "VBA/Agent.23E1!tr"
  270.  
  271.  
  272. "AVG": "Other:Malware-gen Trj"
  273.  
  274.  
  275. "Qihoo-360": "susp.rtf.objupdate.gen"
  276.  
  277.  
  278.  
  279.  
  280.  
  281. * Started Service:
  282.  
  283. * Mutexes:
  284. "Local\\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office15",
  285. "Local\\WinSpl64To32Mutex_1d3fb_0_3000",
  286. "Global\\MTX_MSO_Formal1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  287. "Global\\MTX_MSO_AdHoc1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  288. "5CAC3FAB-87F0-4750-984D-D50144543427-VER15",
  289. "CicLoadWinStaWinSta0",
  290. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  291. "Local\\F99C425F-9135-43ed-BD7D-396DE488DC53",
  292. "Global\\MsoShellExtRegAccess_S-1-5-21-0000000000-0000000000-0000000000-1000"
  293.  
  294.  
  295. * Modified Files:
  296. "C:\\Users\\user\\AppData\\Local\\Temp\\YLJMDKU2d.doc",
  297. "C:\\Users\\user\\AppData\\Local\\Temp\\~$JMDKU2d.doc",
  298. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Office\\15.0\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=10",
  299. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF82D4E20E-C0B1-4DB6-8C74-EF21972CDEBB.tmp",
  300. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  301. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  302. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  303. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  304. "C:\\Users\\user\\AppData\\Local\\Temp\\CabE108.tmp",
  305. "C:\\Users\\user\\AppData\\Local\\Temp\\TarE109.tmp",
  306. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSF358CA33-AC87-4143-828B-EEF904262CAD.tmp",
  307. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\7CA737F8.emf",
  308. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\6C02A799.emf",
  309. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\E8DA78C6.emf",
  310. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\AA8D060F.emf",
  311. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\710A48C4.emf",
  312. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\F1A7C9F5.wmf",
  313. "C:\\Users\\user\\AppData\\Local\\Temp\\.DS_Store",
  314. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF31E96A02D83D77CF.TMP",
  315. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF117ADF50157D9259.TMP",
  316. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFF95208BC33EB27A3.TMP",
  317. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFDD30D3B5FBA051B1.TMP",
  318. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF1C3736253C4748A5.TMP",
  319. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  320. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\~$Normal.dotm",
  321. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSA7B4D2ED-15C9-4F7A-AD67-90A731BDDC7E.tmp"
  322.  
  323.  
  324. * Deleted Files:
  325. "C:\\Users\\user\\AppData\\Local\\Temp\\CabE108.tmp",
  326. "C:\\Users\\user\\AppData\\Local\\Temp\\TarE109.tmp",
  327. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF31E96A02D83D77CF.TMP",
  328. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF117ADF50157D9259.TMP",
  329. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFF95208BC33EB27A3.TMP",
  330. "C:\\Users\\user\\AppData\\Local\\Temp\\~DFDD30D3B5FBA051B1.TMP",
  331. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF1C3736253C4748A5.TMP",
  332. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml",
  333. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\~$Normal.dotm",
  334. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSA7B4D2ED-15C9-4F7A-AD67-90A731BDDC7E.tmp",
  335. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSF358CA33-AC87-4143-828B-EEF904262CAD.tmp",
  336. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\F1A7C9F5.wmf",
  337. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\710A48C4.emf",
  338. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\AA8D060F.emf",
  339. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\E8DA78C6.emf",
  340. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\6C02A799.emf",
  341. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\7CA737F8.emf",
  342. "C:\\Users\\user\\AppData\\Local\\Temp\\CVRD251.tmp.cvr",
  343. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF82D4E20E-C0B1-4DB6-8C74-EF21972CDEBB.tmp"
  344.  
  345.  
  346. * Modified Registry Keys:
  347. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\i0h",
  348. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  349. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache",
  350. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\RemoteClearDate",
  351. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1",
  352. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\Last",
  353. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0",
  354. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\FilePath",
  355. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\StartDate",
  356. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\EndDate",
  357. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Properties",
  358. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\AllUsers\\office15client.microsoft.com\\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4569&crev=1\\0\\Url",
  359. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Internet\\WebServiceCache\\LastClean",
  360. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
  361. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
  362. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
  363. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
  364. "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\@%SystemRoot%\\system32\\packager.dll,-2000",
  365. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle",
  366. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle\\ReviewToken",
  367. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  368. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  369. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery",
  370. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\E779FA",
  371. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\E779FA\\E779FA",
  372. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
  373. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Cloud Storage",
  374. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ForceCacheRefresh",
  375. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OnceSucceeded",
  376. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  377. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  378. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT",
  379. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Capabilities",
  380. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ConnectMechanism",
  381. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsManaged",
  382. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsRemovable",
  383. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceOwner",
  384. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SortOrder",
  385. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SupportsMultiple",
  386. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\CapabilitiesMetadata",
  387. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Description",
  388. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Name",
  389. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceId",
  390. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceUrl",
  391. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata",
  392. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\KeyTip",
  393. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\Type",
  394. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails",
  395. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url16x16",
  396. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url32x32",
  397. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url48x48",
  398. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP",
  399. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Capabilities",
  400. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ConnectMechanism",
  401. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsManaged",
  402. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsRemovable",
  403. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceOwner",
  404. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SortOrder",
  405. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SupportsMultiple",
  406. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\CapabilitiesMetadata",
  407. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Description",
  408. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Name",
  409. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceId",
  410. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceUrl",
  411. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata",
  412. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\KeyTip",
  413. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\Type",
  414. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails",
  415. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  416. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  417. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  418. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT",
  419. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Capabilities",
  420. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ConnectMechanism",
  421. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsManaged",
  422. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsRemovable",
  423. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceOwner",
  424. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SortOrder",
  425. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SupportsMultiple",
  426. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\CapabilitiesMetadata",
  427. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Description",
  428. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Name",
  429. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceId",
  430. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceUrl",
  431. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata",
  432. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\KeyTip",
  433. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\Type",
  434. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails",
  435. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url16x16",
  436. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url32x32",
  437. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url48x48",
  438. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP",
  439. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Capabilities",
  440. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ConnectMechanism",
  441. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsManaged",
  442. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsRemovable",
  443. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceOwner",
  444. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SortOrder",
  445. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SupportsMultiple",
  446. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\CapabilitiesMetadata",
  447. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Description",
  448. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Name",
  449. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceId",
  450. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceUrl",
  451. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata",
  452. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\KeyTip",
  453. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\Type",
  454. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails",
  455. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  456. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  457. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  458. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED",
  459. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Capabilities",
  460. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ConnectMechanism",
  461. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsManaged",
  462. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsRemovable",
  463. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceOwner",
  464. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SortOrder",
  465. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SupportsMultiple",
  466. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\CapabilitiesMetadata",
  467. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Description",
  468. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Name",
  469. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceId",
  470. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceUrl",
  471. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata",
  472. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\KeyTip",
  473. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\Type",
  474. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT",
  475. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Capabilities",
  476. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ConnectMechanism",
  477. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsManaged",
  478. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsRemovable",
  479. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceOwner",
  480. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SortOrder",
  481. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SupportsMultiple",
  482. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\CapabilitiesMetadata",
  483. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Description",
  484. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Name",
  485. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceId",
  486. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceUrl",
  487. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata",
  488. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\DefaultFolderRelativePath",
  489. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\KeyTip",
  490. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\Type",
  491. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails",
  492. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url16x16",
  493. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url32x32",
  494. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url48x48",
  495. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP",
  496. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Capabilities",
  497. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ConnectMechanism",
  498. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsManaged",
  499. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsRemovable",
  500. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceOwner",
  501. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SortOrder",
  502. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SupportsMultiple",
  503. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\CapabilitiesMetadata",
  504. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Description",
  505. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Name",
  506. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceId",
  507. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceUrl",
  508. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata",
  509. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\KeyTip",
  510. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\Type",
  511. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails",
  512. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  513. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  514. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  515. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER",
  516. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Capabilities",
  517. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ConnectMechanism",
  518. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsManaged",
  519. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsRemovable",
  520. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceOwner",
  521. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SortOrder",
  522. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SupportsMultiple",
  523. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\CapabilitiesMetadata",
  524. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Description",
  525. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Name",
  526. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceId",
  527. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceUrl",
  528. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata",
  529. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\HideIfEmpty",
  530. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\KeyTip",
  531. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\Type",
  532. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails",
  533. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url16x16",
  534. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url32x32",
  535. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url48x48",
  536. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE",
  537. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Capabilities",
  538. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ConnectMechanism",
  539. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsManaged",
  540. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsRemovable",
  541. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceOwner",
  542. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SortOrder",
  543. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SupportsMultiple",
  544. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\CapabilitiesMetadata",
  545. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Description",
  546. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Name",
  547. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceId",
  548. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceUrl",
  549. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata",
  550. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  551. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  552. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\KeyTip",
  553. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\RegularExpression",
  554. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\Type",
  555. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails",
  556. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url16x16",
  557. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url32x32",
  558. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url48x48",
  559. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT",
  560. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Capabilities",
  561. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ConnectMechanism",
  562. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsManaged",
  563. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsRemovable",
  564. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceOwner",
  565. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SortOrder",
  566. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SupportsMultiple",
  567. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Description",
  568. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Name",
  569. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceId",
  570. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceUrl",
  571. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails",
  572. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url16x16",
  573. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url32x32",
  574. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url48x48",
  575. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE",
  576. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Capabilities",
  577. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ConnectMechanism",
  578. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsManaged",
  579. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsRemovable",
  580. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceOwner",
  581. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SortOrder",
  582. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SupportsMultiple",
  583. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Description",
  584. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Name",
  585. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceId",
  586. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceUrl",
  587. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails",
  588. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url16x16",
  589. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url32x32",
  590. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url48x48",
  591. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE",
  592. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Capabilities",
  593. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ConnectMechanism",
  594. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsManaged",
  595. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsRemovable",
  596. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceOwner",
  597. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SortOrder",
  598. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SupportsMultiple",
  599. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\CapabilitiesMetadata",
  600. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Description",
  601. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Name",
  602. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceId",
  603. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceUrl",
  604. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata",
  605. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  606. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  607. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\KeyTip",
  608. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\RegularExpression",
  609. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\Type",
  610. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails",
  611. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url16x16",
  612. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url32x32",
  613. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url48x48",
  614. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Toolbars\\Settings\\Microsoft Word",
  615. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Data\\Settings",
  616. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Options\\BackgroundOpen",
  617. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\ProductFiles",
  618. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTF",
  619. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTA",
  620. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Feedback\\AppUsageData_1",
  621. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\OpenWithList\\MRUList",
  622. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R\\Zvpebfbsg Bssvpr\\Bssvpr15\\JVAJBEQ.RKR",
  623. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  624. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\S38OS404-1Q43-42S2-9305-67QR0O28SP23\\rkcybere.rkr",
  625. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7\\pzq.rkr",
  626. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting"
  627.  
  628.  
  629. * Deleted Registry Keys:
  630. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\i0h",
  631. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\qtf",
  632. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  633. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  634. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  635. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  636. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\MTTT"
  637.  
  638.  
  639. * DNS Communications:
  640.  
  641. * Domains:
  642.  
  643. * Network Communication - ICMP:
  644.  
  645. * Network Communication - HTTP:
  646.  
  647. * Network Communication - SMTP:
  648.  
  649. * Network Communication - Hosts:
  650.  
  651. * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!