Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3260
Target ID:	0
Parent PID:	564
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Size:	1423704
MD5:	9EE74859D22DAE61F1750B3A1BACB6F5
Time:	10:00:13
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f0c0000
Modulesize:	1437696
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Office Outbound Connections	System Summary
Sigma detected: Modification of IE Registry Settings	System Summary
Sigma detected: Office Macro File Creation	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3772
Target ID:	9
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	10:00:35
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Office Equation Editor has been started	Exploits
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\millitingacy20306.exe

"C:\Users\user\AppData\Roaming\millitingacy20306.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3832
Target ID:	10
Parent PID:	3772
Name:	millitingacy20306.exe
Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Commandline:	"C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Size:	673280
MD5:	016DBBC401CC2BE3E4ACC1E716E94D47
Time:	10:00:38
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	696320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\millitingacy20306.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3944
Target ID:	12
Parent PID:	3832
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Size:	427008
MD5:	EB32C070E658937AA9FA9F3AE629B2B8
Time:	10:00:39
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x10d0000
Modulesize:	438272
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Sigma detected: PowerShell Script Dropped Via PowerShell.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\millitingacy20306.exe

"C:\Users\user\AppData\Roaming\millitingacy20306.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3952
Target ID:	13
Parent PID:	3832
Name:	millitingacy20306.exe
Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Commandline:	"C:\Users\user\AppData\Roaming\millitingacy20306.exe"
Size:	673280
MD5:	016DBBC401CC2BE3E4ACC1E716E94D47
Time:	10:00:40
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	696320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://66.63.187.123/txt/H363BpKqz0MdVd7.exe

66.63.187.123

http://66.63.187.123/txt/millizxc.doc

66.63.187.123

http://aborters.duckdns.org:8081

unknown

http://66.63.187.123/txt/

unknown

http://anotherarmy.dns.army:8081

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf

unknown

https://api.telegram.org

unknown

http://66.63.187.123/txt/H363BpKqz0MdVd7.exeC:

unknown

https://api.telegram.org/bot

unknown

http://ocsp.entrust.net03

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20a

unknown

https://reallyfreegeoip.org/xml/8.46.123.334

unknown

http://varders.kozow.com:8081

unknown

http://checkip.dyndns.org/

158.101.44.242

https://www.google.com/search?q=wmf

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

http://checkip.dyndns.com

unknown

http://ocsp.entrust.net0D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/

unknown

http://crl.entrust.net/server1.crl0

unknown

https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i

unknown

http://66.63.187.123/txt/H363BpKqz0MdVd7.exettC:

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://checkip.dyndns.org

unknown

https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://api.telegram.org/bot/sendMessage?chat_id=&text=

unknown

https://www.google.com/favicon.ico

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724471%0D%0ADate%20and%20Time:%209/27/2024%20/%2011:31:56%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724471%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

149.154.167.220

http://66.63.187.123/txt/H363BpKqz0MdVd7.exej

unknown

https://www.google.com/sorry/index

unknown

https://reallyfreegeoip.org

unknown

https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a

unknown

https://www.google.com/search?q=net

unknown

https://www.google.com/sorry/indextest

unknown

http://api.telegram.org

unknown

https://secure.comodo.com/CPS0

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded

unknown

There are 39 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

158.101.44.242

Details

Name:	checkip.dyndns.com
IP:	158.101.44.242
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

66.63.187.123

unknown

United States

Details

IP:	66.63.187.123
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	United States
Countrycode:	USA
ASN number:	8100
ASN name:	ASN-QUADRANET-GLOBALUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Microsoft Office launches external ms-search protocol handler (WebDAV)	Persistence and Installation Behavior
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Suricata IDS alerts for network traffic	Networking
Contains an external reference to another file	Persistence and Installation Behavior
Microsoft Office drops suspicious files	System Summary
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

188.114.97.3

unknown

European Union

Details

IP:	188.114.97.3
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking

193.122.6.168

unknown

United States

Details

IP:	193.122.6.168
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution

193.122.130.0

unknown

United States

Details

IP:	193.122.130.0
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking

158.101.44.242

checkip.dyndns.com

United States

Details

IP:	158.101.44.242
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking

132.226.247.73

unknown

United States

Details

IP:	132.226.247.73
TargetID:	13
Current Path:	C:\Users\user\AppData\Roaming\millitingacy20306.exe
Country:	United States
Countrycode:	USA
ASN number:	16989
ASN name:	UTMEMUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

be/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

ds/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

i|/

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP5FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

TCWP6FilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos

Extensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x

Extensions

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Version

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Count

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

Type

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

Protocol

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

Version

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

Flags

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

CobaltMajorVersion

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

CobaltMinorVersion

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

MsDavExt

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

Expiration

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\http://66.63.187.123/txt/

EnableBHO

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

.6/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\308F6

308F6