amadey | 6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	971d90edea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	971d90edea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	971d90edea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	971d90edea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	971d90edea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	971d90edea.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	remcos_a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	remcos.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	99e6ba4f07.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	737bca89ad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	971d90edea.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	remcos.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	737bca89ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	remcos_a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	remcos.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	99e6ba4f07.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	99e6ba4f07.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	737bca89ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	remcos_a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	971d90edea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	971d90edea.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs	pohtent2.exe

Executes dropped EXE 8 IoCs

pid	Process
2740	skotes.exe
776	remcos_a.exe
1724	remcos.exe
1408	buildd.exe
2196	pohtent2.exe
4224	99e6ba4f07.exe
3840	737bca89ad.exe
2980	971d90edea.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	971d90edea.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	remcos_a.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	remcos.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	99e6ba4f07.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	737bca89ad.exe

Loads dropped DLL 18 IoCs

pid	Process
2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
2740	skotes.exe
2740	skotes.exe
776	remcos_a.exe
776	remcos_a.exe
2740	skotes.exe
2740	skotes.exe
4360	WerFault.exe
4360	WerFault.exe
4360	WerFault.exe
4360	WerFault.exe
4360	WerFault.exe
2740	skotes.exe
2740	skotes.exe
2740	skotes.exe
2740	skotes.exe
2740	skotes.exe
2740	skotes.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	971d90edea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	971d90edea.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos_a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos_a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-A34JIZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\99e6ba4f07.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004542001\\99e6ba4f07.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\737bca89ad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004543001\\737bca89ad.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\971d90edea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004545001\\971d90edea.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
2740	skotes.exe
776	remcos_a.exe
1724	remcos.exe
4224	99e6ba4f07.exe
3840	737bca89ad.exe
2980	971d90edea.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4360	2196	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	971d90edea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pohtent2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99e6ba4f07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	737bca89ad.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1660	cmd.exe
2268	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2440	timeout.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000045a81f5419efd5c87992918d30a95a85b6c2b470ea232471259110216cd4f4e8000000000e80000000020000200000006a153409941487334a32ab5c4701e41d6d5181fd98057d724e1feef18e98ccee10020000280e5bedc7d618148f0b5d3a6f42b31333aa0e312ed9cb62fc677e693b076fcb82cbdd1160124411844f557174a8d1b9da666893038c32ca5782bc22ca90c391477fe21a39cb830ef7335d46faf68454c01f354deda722d4a0cfd60282c639817dcf123036407609350a4cb35eaeb732564c9e640b6fab07c73164f552dd43af409b2acad0de884a27d6d38230974e0fb5e943d7bb41309a43132efa1d31f50c53963b9091ffbd4454281ab8d31010141ec11901d808eaeddeeb71ac06647a287411b945e517c921a0d9459be804c107eb2ee521affcf7559dbaa5914909bdb66a4da724a4e8b6050551eb5c12577cc6ffc2beea7be598661a575a6647efe77d59b60259543f1464493ce41c163a8cb041ad9bd6e5adb96f4324cff6fbe269411e5ea4f98c3de958d7a0ec7a86ba04487a17f412b93e055b96d2ccfecff4f6391601fe064ee381213fbbf83cee6f8dac27392dd5941e899233a5eee4955fa5675e3a6ccdb759d5f88acb21c7efc99679966dc92df6d3dcf157ca28dbb2d82b2c8ca10afa42f02611d12bc62cba70559466b55b02bbd140b176865a08b55761fafad6dc10c4e11be43f073e058740c57a65dfb9b0637dd1d58ad729e28c45c7d7fbc1703454640083da209c2e9517f2d47139ca906abc94e447959699a9808b4cafcdbf8123ebefb592f46165cb131ed89dfe6871f52695a40cb9eef66f481eb8f9eb24a144fcbc5834f5bef9ede0569940000000ab1d4e16e09bfe0174f4c6714efdcef019b1a17195af0b50be1bd8f36592546624781504bf0890aa686e53a66801e40362fff44e4de66dcb592f708aeac37b5d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000061558685213fc9cc4711a31eda79421d8b55235aca86b55ab4bd6b60a10e1105000000000e800000000200002000000022af0bfad1f9c43e5a3e6683711cd67150bad4636c7861b6cf04e6eb7a18034f1002000094faf8e922a725f3c8a0e3c9ee3ac9e588aab7804840a35568930435adaf2e85179cb95cb87ebaa598127c79d671d81b1cf0432e63ae17cf35b3c2c2f0e96875cb5cf7a6c15011a618f1f2b8f70e0feb7e5d074f778ebed06135c34905241a62fb48fd12378cad7fb2c7a433b8aca102a4aea2cf6e36ed5415843719ec2922a60b86c5e19b19bced223d37e76b89215a49e645a81c48b29fae84070797a3f8213160ec465c7e93de1abe2af0bc52b75884c4853cc6f1b058debd9763440a1787b9d2cf1624bcc0cef6eb5ed79b2fc574e927174e94ee9a9939748fdfdfe1786e98216cdb5bcce5d62c5a9b30d59e3ecd75893fe1e23201bc4ca4dc0ae7f211135ad774fde28f46dc70448d455d5c3947b875ccb9aa9dc54c1a4479ffae3110a65152a328abb73758a244ff1f8ea2f3bea7a1c2772738ee8c062dea616f6d57ea55d6af653e4750c432d0a682c36397436714dc2eb00a693797bea164d4c83fc1160e7878d2a6faad393d80fb30bac1ac1f1b0190f559a7467e831e14ec05f10159745d49eb5f58297705d99782f8fdb938f588a552c085bd4b75df9324be39561fd70ca1534e2af3c0cd158f64fef25eb848eef70fb2ec8f06fd892002ec1bd238771655780e0991c82ef05e57cec7d39f6de10e89d7841dbc47d6b3a67c0545864f6275f614efcc62570753e3a2537743864126eafbee68f3495f7d64e7938a40d6c723e6d8ccf5f97c8562871ec28c40000000f655ea42c4ffa99293110adf718fdb5fcfa92540e423216c557dd43028d80cf96c0b01613b34968f062b9bafe1318d1e0ff5d44cc831a0c69b8ad6e503f64ba9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000075fe29f12ad99652cd5c2dcb373ea904e2e0d84bd11a30e1f818779835646fbb000000000e800000000200002000000070dad91d70fa366895b432bc183e61b464acc9f40126d265a2722008a9d880c310020000c82a831f0d16d5a1590ce87dfcd7c6fa65d02ef30c2d9cc97e84f432f641f867f468fd285d0f2af9a659aed3ef47860181272733db63cd37e80681cba9239caf1b994b4e4560c299ec35b97e8b185f4bf7c55c113c3f634921e9786a3ce1d9f2b0c0e0090d129a347253845aa45a0b8969294bcdb7e3eeceac1df50fc744ce44325141ea01c042eb955f00e0066d8350cec69a96016bd4a4438a4b02d0d078122b0ec30d29acefad9ab311fcc66a4b2b5c7ef8dbeb54dfd70d76afce2909dd9c13f308d1015998ac91b30cdbb076ab3f1c99aa0e76688ca4a0ee79beb8658d999fbcc48e8cc47f1b392a95f450632cc241071da521fd7cab0f6e8600a9b4fe859072efc863ddc9aed62a1e1b5fda6ebfd13f609058ab4770fe859840448b45983482652e484e1e58be7a375d2ec904aacc381389c2503e7381177d33e3f7820534ca7d22817aab190da75d52bd8924415f39799a5e11c5325176003554c561a850a58249f2d5f9103a17c8b498f343138c5b785e118bd4e68598da5e96479c9f66a463016bd56a528170c1d0ac73a370af8b019b6c0856f6b96342accd768ec12eebfe521d82b797607ef2f22c93178fa33c09fd96c19447d0d79473e9ab3e74daa4daf64b82d556fbc99e4e33eb050cc297362f94b7790af65d84fcaa4c019e29cc7c4fc93c0b07a0350d456d1e806315e03a9f6b35ee1ecb78b88ec81acadfc25b176ebd93d5947f72a2e2a815aaae40000000528675c856ced154942e0767de4ca6e0c31f8a8048cab638b6a7514a64255c323dfaf07d50ba5cdb884f92b1e7b2442ce8bdc2334a06a35e736d93f9c7df84f3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000034754346d8ec4fb9a759aedcc1fdbab89bcc3ef448c16843c0fb3736a7c9a29a000000000e800000000200002000000067021e31be5d4816c543488104cab67337fd1c3f4e1bf974affce15da8f2a42b10020000bdeb6921f33210ad17f042c29556f4f45a51930ad6af2b8971a147de5904a29d155c4deaba634fd97cc5d6aa150ef6c796bf2b2b3b4e35ba8a7fa991976e8bd76328c090a7230e4a8f89934bbd5710e822cd40d3bb576e80568fd020287a1cda122017078f49b76545f0ea47bf98fecdcca7bc7fb1e8d9275f6c64d98e00da2b8e6374a27b2b6025b68121bb1850085d2a6a113c4ec6b8d911205ce96b16ba4a11ac515c0b8cbacbf0da238881e093633b79f73fb6344ba05f4a6196135ab20abeb83713de2ecc49aa5e5967e4609d1bb162bf5c9cd9ded4f9a2a9ecc6fa9033cbfdffd3f54e91a29c6feb13a605060fac9da0b360e4c96103dca00d71d20404aad64df5a7cbf989c386af973950a25a34f6078c55168d18213335b879ad0fd2e46d6b1ad6a3257698c8f2e685982387e05ea93e23bcdf089801e6634b92d72b71f66bacd037ab2f167bb0033fb60aca3e816955eb45362b61aa43aefb53377f8fc2266795abc9d50f615df548f338802c0aafd7f95373be9ab46a0a7a1bd5778e12b5cb525626f739cb424ab1680241ec1e7bb8982abbbafcfd10af0ef4638bc1bed4bafd7f1ebcd4255385001364ff81db38e194d38faf5336bb8135769f4943dfda8ad9099a69accdd21445dfb846056e5f8ef9cb436c3d353a597b4878bbb5bd4398d8c476b3e8b0e6a507d2af86a079e5b6ad4f94304ef1c5bd82b3fdecf43c4e07ae8347bfd27567c76d1099f640000000cbc0c460f68f85dab8001fee2081a2d84d3ecc632cac92599a954328932eba168014222406368c0d07bc58cc6fe300f4d72350b25f3b848077dec2449dfd0a73	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000006491ad31d53f212f90ae6d5c79905c89c7a004bf9654b8588a170f58224a777b000000000e800000000200002000000084d7efb485b98e055057d21fb49296bcbe20f1d1b3f8c6cfd1e6e6848a027996100200001fd0b0362bce191d9a9681071e6daf490a5eda7e0730fd59fbc151c1392b8b1b69165ba98d997161874cba277e6e7c9f7a5f29aca1188d93c941caf3fadca10365c615244cc027587a6412ca89011e6179e899a02315da1bb47dff1c719183f6ce41ffba0c5d675d55e12a660a1408e7105f8fb262cd07d203a5a123b87d07ef04f65d65690e33702f8d7b4ff3cb7aaaf604dcdfa0737736bb473e3bea9dfa7532b2f8a3f583551d71851eaac8dc5987368860b08b67cb488bc1cc751b6e25ad007947fc26026ea3e22af2a8c0f7b335cea6474f95a1e458b6f9ff5aa365a51f29d587190efeb5946939d7fb8c6c6ac12de9e51ba3f1a9ffe10c62f278bb13236d013834fdb802d4f2485f7dd341de5879e0c803688e1e247e1c8064fcc3e890384e8526a0f4df49dfe0e8e78755a579b4927723e59ef8dd7bfa36be7062e9e1ed3be9bc6ea83a3af5b27827de3bb2ace65400665a01386f62afa89b43d87c1bf61ba819f12812addaab816cc06d8e16c8ceecd23c4302314117620f33c690d2cd01c34afb27a51c251f1f74afe64a4cdd5666f1485d0f5a741e3501307572959ab3083bc66d95fd7ff4e7d974dc2176782a030dad00a8312915f3f7f2f6ff93f0375300b7fa9eeb988266ff1ba4a0b70f742fca1eaa2c04fc3b00e05f428cd3ecbbe8001ae06a2f5eca8ea20c1b8ad1bf138c81fdc37c3d46cbacc817df4cd7d9c624b8687d1ef30e9dcc8550fb263b40000000bbc490dc1e756dd6ea342080d49e8308fa421fc9203fb54cca12bb72b40b304e3d2b0117a8ecca7fe2843c66d431d983387a5b39a581011f4aebc3c9ec5c78f5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55E73051-9CCD-11EF-B984-5A85C185DB3E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000d04f1bda52ec6ccf2b252a44a69f56115b04967536bf1dd56fb05422f4138cf8000000000e8000000002000020000000adbb61a1edaa8f29351699e51652436b11fdf2797949c664c3cdae67444e889010020000c74fe7463c6cab48c9fb567c28589632ef6b4e1e6a99531f4687001b1156cc0b9f7633f07c97f78fcb3bf3c0b0a47958c0b3008c5174df793e697b4ffac85d121b2ab7f8fdbbee52f4e0a1f65222929b4369f649b67256124a7542f978bb9e1275de05b388279244b1ab5ab15895d7d027defcfc629823355cb21b8bc5e4d6fb0ab3c7e32dd80c44b82e5cdf37eb51d71ef40cfe117b0661800a6540c290859908555241c332e1f57a53a92a51db0d1f2dc8446db76d888734389c51994a687833c50e4d50e02de16c75a33bb1a03528d42292f8127bb20e797893496edeabeee9778ea00fe087b526027c0aa851a410ed2427c9999783ad675479f7f65398cb9d6272594ad5cd1041fece202625285587a927c03432416d1c184da803d640563b9801bcd440b53e84f84e67fe45c3469873357b8b52b4ed627e1f52e1e4fcaab5c24e25090da9abb8e7f7ecf85e57f9eab595f1d32d4c468efe52dbc51c9a54687aee9d47e86a19f7387f0dfbb07d35871e479853373bc82b92a376777a84e6bd2f85b4c2ba1c88fa71719073b90e7438299885155b5dc6ccfc4ca31b081d2c7886c9136e331a985c158e3a35428bfbe89946fc781e255be1831a2fc43626582b2a5450b2859b9335518dff5782ea798e0467035a5fcfd25d5c5dcaa1f557f2e014c536d4d98bc707d4695e5d946a40f4b1b4e47f7b1bfd8a2994eee2b916545fa7cd223bcfb3cc05a110b5f161921140000000a77ad6b6c34a20af7d0ba5a9c9587f61db15c0bb1b89aededdbb17a597f65ea6bab8e0c59cda2a37619f9769a92b225cf63af1d0768a1d69055007c210e3d853	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000aa05aa65991d88ca18be4d14c1a655a40e44a93c85f14e8e0e1529616b0ae2b2000000000e8000000002000020000000c7cee00954c10713831ea2e072e3fc20ea6ddaeb2b3efb748b7db915d072c5f5100200007a6521eb8856852fb01d26bc2737216150dc551f3d6415b991362c362768defbc95b0e98dbafcfc7419d62209b3c9cb021bdaacba93e65e7f1a329873fdbaffffbd29ceb1b770a08b0b61d4873f4d8b3016f611b814694126508c5cf62fa81bc038b1b0281c930b6f6740db13271f7226c071951642d5765d15523a39a34e8757c01ded5a6206df33813c213776b0401f41520e5f417ae53dfd8be135d9775e5ae7cb8b33385481930488c0a792f9b6c5e5690f730a210d681cf6f0fabb2e7472c435cd23633985cb0cce06be527fd9adb7911592fe19846619a629516e6bc7d690baa55fcb66cef2d3824b732e91fb517bd4e5df33e941f2253fdbe780da108bf7947b61ba8027c7a87d48a33d123e9160e3e5dcaf3aa99394493704ebc9daa7d5d2eb14f576dd2db3c10a3a273931eb8157568641a911a89fb99239fc19211b2b20b0567d8965a82a73df3e120f82e6fd88fe3b20f75ddc463eb608f3717a9b20a19265c8ee4c1460af031fc371542c4d7bec48e517b8e765cc4ecfc26b9fc5086f861fdcd5adbf626dbfcd20ba3633aa1d7155c85a851ea85bc32fd782a49ce13dffaf5004d97527bdaa3e8d06df1dbb5b21de3fe2e3c6285d0d3d403bbb86df61c256a02b34d6f39468ce456c61203faaa6e1df19e987b0d88153dea685ea1164556ddbeb09186ba0ee8db99a1c80ff29bf8e0e81802732127d2ca790598ab69023b31caefc851354649c67e0811400000004e91594ed3fd2ae0d9ea3b2bdde80703ad31576f74a83d00bcd16f865b51c4083d3863338325add1e8c63e252ed5761c838a65ccba5b2f58fe392aaec92893a5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000911994dda5b8db3cadf428addc0b67104cc3fe8eb6d1849b6f56f600e6ef22bd000000000e800000000200002000000077bd88170b1e3df4b3d3e80c5de3bf0cd896acae5e4e87d7ce6788cc773d3fca1002000065f7933729cd6910df51cf790b7cb168d6289b1dbe322a0966804c773e5802585c7061c95e5b01ec3f3dc4e77a45eb51c5feeb2e23b43a7f751bd5ed67bc425c6d4fb1b898fb8bd3c004a5417f090fcd7caf62b0226717ec5498a27ff4118937c5c8d645c40858edf41e83a4b3baaf569cbdc2a2b9f1651f03da6f86f5104e0f4f21425855b2e348a346207bb0b813a50b5006306bdb595d7dce2e5e5ca9fda9693f294d80ab1e7e2b498464a1d443b757858e7edef9ca5c921ef3d31eedf1cda90e173f225e4ff13366342e5dba26f30915a56e87f7f8a310b8ca4b4c0349e943051ddee3eded49dc0a4765de2e65966fd336ca60f94ef83f536f8c0d2f1abe0565a4a4dd99e05df69d8f7412506de3177675ec440fecd6c258d31cc055a6155c3bf3ebf705b76a2a8a61359f59ee2c6ce37a19e43552485cf2976703c790f965117d1e5836196759c49b6d02c4579910a2a68ad20c92a849abc6d943cdb9e642d7edb3c0848a1b670d780589ad3edfb3884f4bbe6d63fec7a059ca347e9a337f28783ce7f8afc132e5f09ea13a0e2c28d95d8bda26902474e096ce1c0ebabe2bbe5fcca32f8ce3481304d3206bea3312504fb6e575767437c0147c7c2d4ed0a95294631b1facbfee6c4d85dcd90b7412464c1d178d86f1c5157705914e38a1ef48c3778d57c7ac598a3851ce31cab0e3cca0df93afea9b235102ed4eb6f36c8162365fc2d701970b29e5d8215717b340000000a3b192e2c9c7891639fd764bb8b06baf92bc52e5e2a6538c80f21e092a48510bcfcfadbb10b2f12696054e1a9bbace36a5d84eac77395e132f3b84eaa82d1db4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000005003656e03246312fb0815fa15d9a56136059e63a7484e24fc6b430e8f64c839000000000e80000000020000200000007dfccf3868fc1870f8bb42e2d3c8b9c1b3efdb1b6037ca402de3bd6ba77214fa10020000eb1377f23733ec2452c34d162f8cbeaf41bd42d8612895e9dc7776cd53793061d5d8ad66a31179e7b19f6ce7b409631e2e395a13ad0a5808af63d19cb5fd461d0d202027aa5d0a85568e9414a6948aeb23b6868dd2bb3a8ba8c84e4c2084934c18c8f3eff49627b506482e9e68e364012bebbaf9813675640e16cce8a3d68920d4ab3cd580a786cc036e4630fadc128b956178a1bac8528977aad8da4aa7ec9ee4354b996fe3a7020fdf3045ca4b20f9571b4c16f100366b8382ed95655a0098c88d0475d632754556bce6a7592c15297102f36eddfc3644dfcea4316dc53e3b648c32550a19f20f6d0dc1b3f895da90ed87db213a19cd1edf28876a7d389548ab79c1c8402f0dd99a59b6c859482ba1047d4882bf81f28e65a1ffcdb15c54391124c453497a9f0aea27477917e9942a01af63e194fbb9dc34d3d4250994d85070c667908da476b03c6600e01ae2f6c75c3d97247b9296bc2f550ed9a78397bbf256b16dad25898c96106c747d94edf0b0b2f775e21eae1361eb5879fec05dabf1d3d237b2bfc14bf9354efe895839ed1a736286acb236087fa72d20a4923793fcfee1a4f46bc72fed2d1d0dad66765585d6938ddc697651d4dba1c09ba69bb377093721f3a3fabdbaa44ce2216ca94442b2c81ce1423a44e7027f5603736bed8bcdb712cf7b2e5390a8cc147a88e820a4dadd0e9ee5dec6027935613d8bb87c42c250d220a366e58f126e4217fdaeaa40000000ae15e62d35cab75450fa9270dda98a5e151adecfba85a139f604d5b394af930e8d041e9ca2bb46644de477ddb7b788ef05f261fae60740e35fa472e3dcae03ab	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000403ced276d319a21a2b3b0690f854e67ad05eebc921e78f7cecf82a8ddbbfa1a000000000e80000000020000200000000905d275db2ab2ea2dc41b8e00c2c7d1491fde0977790c15b9582879398057541002000001ef9f138b0127d6dbe12616802073b06bedcbbc70d63ee6586244ccbb8f0b81af583ebbab6e1eb7adefa3a42d0fe6b90c009a368125190b0e1e279a1348fb94f71c7917b069d22a3df4bea58642164656dc4dbc379054c4864bb64e37b9f46a3d21ef4946e0acb44792a9d6e871416525f3aa13b8dbe00ccadaabdf27e4191b06f9a6c5681237a87e06a477e0c70504139f51e3daedcc72bbd73b6d332f5429ad174f35166b26776e7269a44ffc6220798cd5f8e73fd8e21499711e744f83bef105b668a2e9598fb886e9da327fbc9e8b37e9aa81a27dd8d6ce1d17a15a67b231cb74d3b8f38e7cae70aec2e96c339803439c6028e68687d343405431f7f589cd9cd6739962d05322792e9b3e6608dbec31ff24dbb2630bbe1b89827fe3796aba58b550f57891a3e113ed6626d452fba5508dca68ded5663438fa641211cd394469dc7a0c4c5fdf71dc1bd77f1b4f0d2c7c74fc1b7e0b3087a0ac2485a7422555006e6ad2656ce14f60908b00945ed9aacea8315d747b3236c2607f1cf5d6f5df60e3c9d08e85bc6bd33328b90fc1fb63b33652818a94df64f1c3e62f40aad7b2b43e44845ea0a4ec4fe5485302d409d738227c6ab20f5beb34f13c60b3d3ec26cc71774e8937a1ce0b3801d4867a7ab63a873f7beb02c3a1a13af9f5b40706ae0f71f8b52863613ba69a5badc18f0d246618737d73e8be80095506de04ed93f213222da0635a3ebb4c58c150f5abcd400000000993c932f41aab06db3e89e221350e8a901d727c8a5d5fb096648be6715d9f9687f190255ae802c50b6619c2cd72fb87a51a864374711bca5aaac3692f2c8f75	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000b62578cb2857a0b813ae4a49b560b37c44eb1db3b0fc4d237e6ecf5c28d3ed81000000000e80000000020000200000002677f748887a91e609f6be65e0322fffa379f76bb885bf5aa75f58b296ff63581002000077a01765172aa6484f765868c470fd250549c7622c55d6cec168e3f6106ca0d92ab9388e5d570b896569da2abe851664442eae34f141d9e27079ff27579b329416d91e00cce206e88b8f1d265b8359e43c0fcf7c7d90415aac9ba29c8f8ffa83bfdd97f004ce03156f93ae98d2dfc226f341692ca6a56e7a4d2465a586fe7185f6b16afb3e226a605a3be90b33b1e9bd9324381426db362dd6b2801d90ff79bf9c9ebc9db12d9aee4bb51b323163aa0edae503b22d78fd3fa086c98f7c8e8b0249fa8ae18cdec366d48e7d460240b1d7905f939490a1886dd4bf5a77ab0c998beb3568ae6b2706540b48c08ce8b52d68cdf35e444d0ab3facb3a66916f58056e3eb2b5a29fb3f8823c3d0211b54ace496c21abfb04b9086ba5b00de849824dd8e3fefab38bee8466fa8358a1809ce27b7940fc3c1d7e6f316fba9396d73bc5488202d67be3cbc37e3f3ffe87744889fd847636e205676d258538835cb4d530334d1024ee320e01a7804428428fe9059ad73512246c4f84fdf0f83529f647988b56e597ee357a9fd4d4941a8ef644f77adb76bbff452b9082b7a782bd9799fd3789d5a4f7eb3e74ab475d9b2d9ed14a07c93f810720afbf02206a84e59f828b4af29c70d38faef42cb7c19b42bd2e1e7b510c6f2e9660c7e16947c31a2a91ab7735ca887be6e57c041be1a06cbf6f59bb0194a33bdd2b383da67ef2adfc57fd211c1a3353e55666d16a1459172e549fdb40000000fecf2f905ecbc455ca87fe4acaf5680ece497ac57acccfea5136e22ea1b7c4fcc195c1c219ff950e24e3e3f70215c21dfad82db88916c9e15ca7f345b4d48099	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000000e7a23089564ba37265d0ca9be546de84a34e1e0465d745c6cc4543ad0f89bdb000000000e800000000200002000000001ba5e1ac7a25e5ec74c49ea0215ee5035cbcd2694a6c889192b5570f810c2e1100200006c174f069f7cb5cc9f519ec75707ef253f863ed507028ab6114086b4998590ac4f236dabf3289129711f388f67ecfc515e3d93dab00bc4d6557cf0eb6d312ea02568f8407c0ca4944b84ec37b8c73cb2d2810a874e1facd55f565197db94459c841b3e80fd47e29ebb9b8d66ce778c2f13f231fb653ff29fd3c32955d3e91cab6c754c6e4c01fb0c9d9ef6c96663c17a9096be475badc19f6b00dbabb7497c865a38cf469d3a6c6753073722685ff9e0482d5511fe585e21a3e71dca68ef81f1f29169da2813655061f992c1408dd82901572c01812e66eaa16b60fc9c73a948ec4d5c8ca92c5a823213cdd935634ecdfd920579bd176aff2217e969bc81dc3b6e903dcd5a70c3a48f37f3b405d9cd2825a151b0d619e69fcf40c57c9265696f712130c6a5bb5e1449c15e2ed2da26997fd5582cae62c0d270ac55c0c832e6ded21a81e7c824555140dc9e96c09dd07022791f65037d8f3d1aa401ebe5373c88853edeee06fd9c0095fd1013cb69a56dc5d92178f61faa99c6a0368c59f637129c68812e1961a70068d3a9bda4ef1610c28d8c354062e451678832915f6d142b63dbb6d772a83c01643fa1d3ca24eeb4ea95058fda8cb25d978c8ac8518ace763748a8ac72574e33ba387f31bd5109e13a86748a6327e0b83a4359391a5f7712b86d0865a0c175c2090f64128965b25dd70e7ca72a134c49200fa24e806ef71af60edbb5f8d5b9bec107b624294f753d40000000d17e51d04264397a873f109c02ce5523cb73e8652e5818411fa51d0c565cbeebc00eb38e46454d94c8c2213f78071855ab89ed96fb55faf7fbec4933327d3839	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000c840fa28c611f40099c29ac06f93c69e40b18b88d4e920630dd247f0cb0c4f2b000000000e80000000020000200000004f1d6bcce8eaaadf8323d0ba04efd5981581a91888bc2b62182bea0148f9b2e3100200007c5c57175859852f0f740ef6f8817c8092131837e38fda3060aa07fde5a8966beb0e7fe44d63c6918406bad19ba5a05bc88f0fafd8114f962b8ba1213d9858a099676a6764d6cbd3cb8c51825e1ea118e6a5b369f386c7a68ec0717abcd0b794ac99144a47d462c22329e2a6333648913e55cc6c5302f504d17cabebcdc3971be72b06fca048ddfa798c18786630cb06afc14481af6d56707a6185c06cc2514cd619130ab8ba978f63d92e5183aaedc58f1b5d8e9e8338d4f8611edb599897fa032f2819dd91ba34973481c79917d8ab5214c9e65c6cf906f575b13c69167231a867ba58f64e9ea8a261f4eab59654f6f97af0e28dc9d570f3cc81cc07b202f6f23d9b5b49ce870d2f85fdeaed56f204f730eeb6726fdcb02c84c4dd6d7abd3738a8250c0a0c4cb9f5c22670aa0feae0b1e4ce06601d3c320206ac0bbb1675763b60e94b27ff10206e069128e4aa6165229eebc13c6df1c9e0f8492b1602b220ade4161ff4f57061b47a8816533c47103d6ce01e03afe6c96b65e78bcea57c573e7dd95118d5bdb0fb48dd40e3330704196bf0c2e900ec0b5e4295896504983e17cc231f5d0b20bf9261bfbe5cd6fcc3144b10a8f54639a3e1a2aecca3f9024907d4b78ddc0cdda2fc86ad84a6bd75d15e77390817adf4a5f7ff1d18d1d595a53b0a15dbf2cd2f4a64a28bfdc5edf85b988f602397353bb7099b7fa2b2feb0235dc8bb3bd5f2395f073bcf8b06c6c3384000000089a714b5b6723434b51796dbce8aecce2106e6d66023fc51e0d84c3cb7d604033e1b4af076c76c5df11f13e40ff6a75df7e0383126d362ea50cb462fde17b31e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000002917e41cf2a90fbabdc8d3f36bffad45397b4daa060d86633a67d3c10d64e302000000000e8000000002000020000000d5be8cbc2e8d523633b0300620d636a9458d9cd40ddce9b2867ca2fa27ab5eba10020000c7435c6d3aedc9777c160c207931e3f13cb78aa3065744e1aa797bd80c8f46cee02a400fed2eca04947aa8ba021eab1247b04fbde37e65a581174f139112ba90a2b44ccb8e88f8ffb55f9b9657f768798322208d017e433cb3f3436832c511a11a67850f3a01015d0db5d1b377773f974e1e36b202a1d15239181114204977caa90f22963c9df5b4febe39508bafb6bb3ca765b389a0daef08465db7b60758dfe35099ab9e2307331dc09f2251c89d448876243f10decf3b8bdfb6031c3b207e83c5b5c91cb05866a6e7e7383ec70702cf8ac391296635c4867dbb9093d0e6ba9ff7cb0b24d7ce0cffab0113805a2118f75bd9fea8241ef610db5f9a671f5355789316187c6bedb698a5a160aef47d44eb346160767319082b5e3335a2c8c4f81d901d1ac77b8e9230c62f43eb92926ba82f066d652d8f89a5a9c04b726d68e39663699f9fd1e0c7f8d0be4f3f8d0eb4e9f24b0ada3129a3263e1aead324239fac4c11c8216b45da328a567d1288d3e0a6d39e6ea0aa520d1f5b840e74d9275026f45ee319d498b92c06f5849fbc90694414a8262134a9eab2ef7820ebdff84d9584a5005c9b5e4337742e1e48b0bfc56074e3f93c5da1ec415833dfd535f84e5b43be73effeb75d1e7fccf9a5b5049813d141dfe67c21ec8b94f469d557e9ecd5a04c3f358ca1c1ff04808169bdfc0db24895ecbfa35063a00794445262cd52f8f43d91481492d3826b2f86f830e8ee40000000c94c4e1cb3341cd6eb7f979f80310a687b3f475498a395a235843e1c1cd35a78f3f4138859feda88cf6f2351639cd78d67090955ae43b6b6e08893a13e1d2d21	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000a25074498a7ced999f3cdad7535e21fbc48a3796bee7c05d619481a863662394000000000e800000000200002000000091b093b4ad46ff86b0b8e128cd698169483f6161d605754d9dd8b2bba6b6e0551002000097b877b7953e7ac011717664adbb4b0758571ac2858b92c1b16e0887e2e664b697ae5e99d4e9bce3d60070f4d53df2f8845ba4893bf903dba0427e8d468f2c70944d755e23ee980d02952544ca94e80ab57fb4d50a70161ad8dd34fea7c1f2937fbee4fcfecceadffd8a95cec1b65b82b453100c6901aa72b77fe08da7dbc6e22bb275d9c59629faf189af9e46a6b5378ef64074ff587da099c20fdafc5d55818f2b7da55dc39db33b7216382f30088be5c8807cba59ae470e07022e5c562b03fc42556777fdfda7cca84697d0ad65c45b06654f86df305e70b49a63b4f81c3a1a922b9605ef41f739226b50021885cd97b20402bc6e1bf277932ac5eec99e015556a0a615422315a9e7800200fa9347bc97140a624c02fdaab5c7c0885ce27af441a8000318f15d7dfd9ff4e3dabf94231cad83192e75fb3c956ddccbacde5e7937ea789aee12f8ec86256911e129ffed63ab3b5a79a68aaf5176184d52e93fdd7316d90d60b8b5c88d0ce8ae9a4279c03dd6248cbf3f00419ebf582b06bb0dfd14552cf61330dc2e55933d3d94656c6f2b97b388da1c9aaa8381233b518df8276f87857c308b588dfc378f1c626d6f96804be6c4f0512f98cec052d1e469e9c6dc44f7ba787d5baebcbb1f573f7b64370c87f44caa9628e089507d35ee164a0985d8fee74be82ec5769b9542575762d02a60d60518cddea242be483c0c46440909381d32142b42a598ad55fe34d7c1400000000948e49ae219ffb69698f8b6c9b86acd2a96f9503b65a347f78be998ba5beecfc2071d436c277ffc4f68f335af9b19aacfca28a36b04e138043702c4f70c06c7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000001ecb50411c33bf287899fbc4e37104cd29d77434930efe7a622f68311a30b412000000000e80000000020000200000000fd1c31faaa0a83f95fa18650475332499f2450cff901e2912304ee93c7e0e36100200004d2f78e131e185c84bbcaadd4185caf704e1c4645a0314de6087926a0492bf305ebf0ebd783b30251e89b7529e0e8fbe80324430e766e3c90ce5386aa6674367191640adf57a9a3ec5897f2ddd391e269701412bc16e096e53e5b21f3c135607dd485f39b015be75b6a66bffba5e5a4df34e4db3b48fe8c02220843b418e5a8934b640dca0bdaefe5ef62bafc614424617e6e6d9ba16cc4669740d0480abec4411e42a419e9b840ae1696f01b454dad016dcc0cff533139180f50554834f46fb626f20e483c16a3ef0928126b60f8a3dee1295c1cfc7eb966fcc06f3ddc6b86187e994d650d142ae9f2129b2a27961e171ebca0ecd5de3b158168633631d575a1d748a1d5b2d4b2f7f6a461df0880fcea2b57e75161fe0d9363e6d181b199bc3907cde2dc562ea9818535778b2633d82dea437e1e2859f87cc72a86f4fad9d932d3a1a30bb35640a86dc24c4ab77e7d870aeac89fc68af07e5fe08663fed93763acc88fee9daf959ae57c46ae39a7d5a46d1e52936b25ae89e8634c52e1f3cada0a5c3be8be407f52bc91c229ae2bbfd06c1bce6973edc81d2704ac2285f12a2f35f3dbcbd9f2bc1acb9c31c43dab58662be7f4a9ea102a71fa6b065c581c64013cc2c6edfc2b88cf8242244e3bc592486ef1358a1b24ee3091323641c4c17d114580c26160d170689cc365ae6552e328a68d4aea82aaaa44c750f0aedfe3d826a0a95899b07a9ee61d83a482dbc01af400000006d8b03d74bd1ab4fa868abcc87c0e59127c1d0a4adecf6a6c5a164eb40414edf701e028205074c4edf5b88f385c64a68b56dee9b42192c93683c6fb91d871a9f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000099e7d3bc126db693cbbc7bc9e3329e88c676c8009ddc459af8727d1b40b73622000000000e80000000020000200000005a6cdd15cd220151558ee6dc9f2df63085fd17cca74722659f9970fd507e13eb10020000dcbaf2325dd948f52844fb5b3c66ef6801275009fd206af382d4ac3efe04438993584d174215188e993585e4a592b2c914b7da526ef500a285a60a0371a8b9e4cce0dbe29c5bb8d75fd54f89124348f9c8861de0ba90e3550d8eca424405b54a8b98e04e72f4238901e811ed7ca5828b53d0c43a303261c29efb2d07b92f303cb2a9a20e2b7290e5f08aa4318f7859686dd9e7c4c8814795a7f0d88942d6e0c456fd1ca2d47bccf86ae91c27951d90039406abbe40dc968fb6f68bcb3eebbfb7f26672ae3b308496c6cade458d34e91620378c055266bc80248ae21f2f2f784509e3d2b09cb383445ec2a834ee8334a107e3bb988eca54e4bb0ff41b952159df2f55a5d050b3c93bd3519b65173976cfd0120fdf7c2c7dd797fea8262ffcaeb9e2a1ddf05eb444b5f35cb383f06f4ac0130739ce613620d73eb637b81149fd80628d863d36965029834b6a5d79e7897c765d155b421f766fac5d8e8a82e613e4b67aaa508410f25fb5b67a5c4dab783b340c303da8d7c3f8309c24547e5b479bce2f0549c66d59e495027861bd93556fd7187f29e7a9a296e522cfad85b8a5413f867c55119dc4e3250297174a0d16e810ab5fc60630dc829b58a9528eb56577e1cb3de79886d10117b89b74d0a3f080bc1788a67fe6a7657cd80c24a86665ae1c5a37b16063a6426d11732b28aa64516f59caff88d3f8347d49044ce3c163d6f18f699a54f57bc26dfaea95c59cda4540000000392fdaf57e67dffc639e9bd4bff06e62b1764124416f5e47c3b54f2b5f4287e910dd152bd46b60d0a4d961785ba6842403679950a26b8b557bc27a665c512fd4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000624d01c9e554beb45e681c1555fa69e19f9d75443146e61f9d00186a3952be08000000000e8000000002000020000000dbccb515a05a4d03fe73cb17e6838cbfbcc23bf0845402375d7a6abb7d2aec0610020000b243c314fe13e55e8cbb0ae7ac985c733f954cbcaa28266e99feb7bf9be52c81cfb528981d183aa8ea323852f3382c3c258453c1d506a80d919303eea6383201173c549dc20eb4912be91891fae1ea29751011a572adbe27ee29d33acba9231960ed3368c281a307c25e0e46911cfb03f12f25bab066fbde93b05fd98d6696f0ecde5360f73193116a8f6b27a7970223f84547cffae2acc2853ba345f654bb652968367108b21516b8349a716cf4be47055e3b71c7e6345e1b6c5d06785c500e428842631413df4d37b98c503d300273232d2b5c2b608e055ce9f745cb18424e2ccce64f10e53462081bba5ff91c192b81c4d07398d6f302abc3d63a436bc319215fe3f69b4e79aed6b89789ba1f474e3711a1d3e20bfc1e2839f6300a6e4972ff95da786c94bc0ea045cd9a4a9676a579ffe4f199a655b4204016eaeb3af7af5c775d7fc6ccd7c6583ab52717ed5032bc5607304c5d13b51c34a3f6c55bba3ea5f21ef114fe9be518047c222a7578810140274e2f6102d0c931e88f93d49bfaa9e1337d9b3c71b2fb7ea802fa6726a48158dfab5b43bfcf8a7f1e15b6ad2db2ac76b30b7bd2cb6f8b239a356a8259cfa52ee3b66323485572fa579867f98a40c5e0f9885125144859821c4e340c58e153b2b5e0e0b3fc33c190508dd0b357561bb1baf47a82fafa6568200f5a1b648a7bc2c3056292cc3ee3df17737b619b427ec47aed9e6216a7ad0f796cbf5a36ab4000000029e4773ab9c8d1cc3e5b5b042e70651950dda126d99bca391ec7ef6618367488d4f24ca8712c25f0198db8a4578682a5c134d276d6dc1cae43bcc24dcdd6ce32	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000008f8ba23ca4ba8dfa89f94b123cfa74c7c5706c5adaa4c0ddc593e077cdf75e4d000000000e8000000002000020000000d4f0c292c532cf6d07a667fb6b122f78fec25dffb0a0fbdfea23a991368dc96d1002000055e089f39177b6902637e95d628b611eb7fe80b4960df995f697800919ffc53301bdf8376fb21a146cfca8dd215a9447d5a6d18e3f4486385a7d9c04aee100bc3a7dd2613137aab8e1bddb7a06fa397a71b7624449d47f91ae8cbb7302155bab10376b9b091183cc4bc70d6e848df6e23c12826a6e4044667206f52dca9493b1225346349fc161e93e40467ae2e1fef9025865449e734f51bcc609ad35e8e03354051b5e8d6f578bdc3e6e74e258e7a29ff16d1222b36f74c663d7b037dd70e7c805bdf7f8bab7bcd945a0bef2ff6a16a1d4ab122b02bfe92fa2523b478fcc4a76460c4b69db1f4e7097ac476a24f3401ff84e4835a340aa7a4aba597ee60b2984ca8cf790614a5866150a433f39873188b7ab854707272851ef5c2e84ea44338cb503be53316ad087e566e64b4fc7741d8f2a5e5986d677175a3e1c6bc4cd47cb6688f6afde119991218f4e83ec80e6368c3e00a90003e002ce2b6ec1d34c445b235299f134b6cbe76aafc8154d2b91ae995331dfb937ef54058aa9ed399385091d18ed43a8a46a701d03ce509fb0b62514a43e6ba9ccbe82e3d33c62e1badd4111d83a66d6ef9fe52b7f3d01203a23013c2389289f5e8e3dc6688eb1332d2b873d90a4a11e27f637754259cc3bf04038379a5cbcfde7cb580a449f3c532f4059b1b5c446828b88523bc4a66c33cf1f1a143a0675718d147c966e9b28d7a63977460d70cf0360ee2e8573efd5ce43dd40000000f1f5f9e9ba1e8ce0e0453bb9bf9efdd1af629b520291fbcdd2e6cdb8c2c790aa425b7423771bc66de9e3ac40e1aa780b1c44e7448a9bd7b836dc1c12a971bdb3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000037e30a60ea39ef730249af9f1d821a9a2d5b8472610ae9a71a60f578e3f30e30000000000e8000000002000020000000fc205d1bf65906f113c6610cec98fa008faa29b74970d8c2dca3c718df65bbaa10020000d96fed7d807bed700c1a994cf37e46cf45b17bbce955d8e2266f1e951981d7131f6756f68393daf022ec043aa973131163aa0fa73bda79d9a056a601aa6b32863ed663d3ee57f53f831a0cd980800da41db07c101d4be8995ece2acf336c95fced513d959a9ab7dd7e8c81d20b21f310aa8133be94eef5ed59c91b448a6a9f89998fd8e2a4c47dbc82fe1d7c25200540cec600474953e3836c45c53c3099f4fb73420adb7f92a64316564877a10c61f674485a6454d0f266d012999071d9f4139372ff692252f8355783e55cfbb2ed1e6048c90b7f0f04004fddade592641f63a741e48cedaa76a08b6ea4dfb7cd7c74d1ede295e2c4d13c50a9f0be9e4becd1a7d37ff40fd8995567a8cac4ad138f8398f7c54c5f628fea48102bbda740c12cb6bf86aefaa565da44dc8090c4affe003f3d3bf9d8f4ee6185a3c3f585e99cafba3fcbbc8fe2aebed4470a7550a527d428e496c86370fe771ecb859c20f119f8910eec215fdc69eb6e1b9410b38d3a58958ca4974303fb5e703b59a1cdd60fb6ebe3fa66ad33aede7dfa741a6b50944ec197e3c35925b16219c688f6517f3dafe8d54bc7339c728301ce2c09f88d566524f001c3c2aa78d8507eb25796efbe3f2fd9c5f4f444e9f723a3b66d81bb48005982301f9ae9e78fcd010ed15cff3682090e8793432b7ca7242f2453cc41957a379a825e1618d2266799543841dbac6ec350f0059c2f8e6eb311aa257c02f738400000001f0f330a7cb0ab10f54807a3ca7a8b995065d2bd4db80dc3a01b53778a5b65fe0c7e058a2f1ce170c003781d114df0b05254e35b779880d221f259de36b86a05	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000008616be0e7382be6af6679ca472346afaf99b7d1751e3cb5e7210cfbae6c4c74a000000000e80000000020000200000005ead8cdfbb222285d9026fb4b0dfdb4eb33c958142b45bb7ca9304689692cd6210020000d4606d8f44be9e7ae51176ff2ae82dbce88e5e77c57db52105ded3bc6cb7aad331c503420a51d7178f29f001a1ff485e32126c5f14d93dcc7070ea87ef417b94b90ba448d77ddfb9b8c2a81cdf3d2bff357f3f296a89506f68e4ee4704808160c111226472b20545e81fd1bec9e07b7681ec0eac6ad97fffb379efabdca8eb0401781426ac57961f23240cb9f3a681baedd1d8788c857e2335fb6a1f6b0cd54d05b93cc6accd39d5a8506beb2f5d18b7111eb2cf26b10b2a1fe5b1b3badc9e0ab34966990e4fcffa4f4c41f371c411fef296f834ff2c4e2f0535a76cd3bc2a4e66b4e7ad98fa535239c29b36267571e53a70edfd2a8ec2be47d6a20983c5bb3ac83b12fea9f02a8f55b6d6799c5591b08e726b75966c53a9a0a6bde0ce7b637cb25ec80beb4392d6e5e71bc89e2c3e41f6e076f2dccde54be58819d0cc2782925c9b14d48ce77e04ba6dbc04610cf7b7c0ef75d050e73f59ac46da6d2d3d7b57dab252a63cbb6314da0fa007a951383422ae97c1dd3aa76f05e5e870996013b2243fb496f561cdc6be22b53537b0a5f2cc0c132c6183898c69d0b091e2804215f2064b3772abd701baa9abd97b180f4cbf0e759c62aee350ad142010a38226423590eb51f43ebb50ebb03a0a7c8603fa52b9a1959fd9e300b1c491bd0b62bb15b44703fae8d5d52d5fe6e4e061eb20a297f427476e9d1c5321cd552923cbd44b5499c4d7d9e6948c998cd5eceb01eaf840000000d812886a158fd432e43fb8d3f384ddefb532dec47c5e2cf9accb7d5226e8a520dfeb86e538101247e84f15c1a57d03cbf88eb30f38c39392b330f2144d25798a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000001594101c6054795e5975717fb6efdcd0b14e0c1343b152deec246757263b111e000000000e80000000020000200000005b6369d1cf9ae5afdfa7a5a4e186de2ecb1264c204dd52a793931723216d08d710020000c7d90fdfab8b5cf1513fe8d4e33dc9878fc2fc28921e94872cdf4d221575867834c1ba960e9abd1677e4b7dc2ec80b3f2f278f28d65f8a181c8a42c8e7c135ac329c5a9c77d9351222197052832332b3aab8ec40070a38122f300a93217e838a6ad4296c9cabb2a9832b9f054f0ef795e6dc43d93ccff402a309e3fc9d19552e5f8480d9a818f540a14c30a4665c73f1fa380409b0b6ef506790ee380e05c7ab22b884cffff382a1cf2010dd64308b45683a61748066fcdc07e3a3345163f622e301153bad70dfbb2aa786dbf7fcb06785d910dfc17bf43365cdf14d48abf3bc697519fc4ebf6b051ef962393d2f5698d9936be5a1012dba6154dfd357bd7ab1b7203b19e1f39f273b5fb471cfe2360fca51e392bd8921cdff5acf51d1fa4c00a5c40ff0d67005dbaed960f633797803ef6cf9d4a3b7153bd56b802a2dc74906aa2adfcdabda5abea7a3f89103b0ca3ce470609486f46be3d112c87fb7aa1be1a4ce153c97e64b5ffd9aa595278c49b2bc29049cf97341eb74f062079c38dc6eaa70a987276afc79f7cf0239614f0efcc136c02b121909df88f1655773bc4d56f1cd488e5d589a1882bcb35abd3292b1a5f4a0928c2a536d68d3da9a9b744f83cb475a023f10d0dc45659a2182e77ed0d33c48c58e650889db04a1951d371d68e15631a04f8603c4b60c8b409f54ce428e8b64505371ae60ef41a47d6aca64d540b2ea3a3f3017cb32e7bbef767abdaa40000000160ab0f8ba0879a23846536fd95dbf9ba24ac9a1c6b5e5b4c7d17012933d45b82b93b9e16fcb09baa753efe0d65e549aede60ab9a4fb922fc23a6c96927b9d41	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000726354c18b76f40ae8328a0d6c7cfdf8c314b09d79b67a7e0403885b8c646b84000000000e8000000002000020000000ea90270223981b27dea2938662d268e38a257f7408cdd0170478c0ef5db20d5c100200008a67fa3624a0f6f723eb7540e0ee733ae1a9bd7a22e895b954450bcc5cb855bf83dcf3c3010e68f052649d463a56370d17b0635ed35d79438f69f1811554900d248405b4c171404bb2e467e507342ff0e4b532466627726e1e7b7180e3afcf950e78a25b13e57e6c3089bb3b522d0c15d161415195ed07930ea5ff35283c1f4702ce5c65da42cd900e3169eb4d01398a851ef911b48fbae7063d9c6a85177bd13048030669a94595a6c3c2fb8539a5fc0f09aca6fad72d6a2fc8206456b3ad4b12ffd26d25390f60b25f180438d2c52018d01e5806519b181a35be7f937f889271d59c2cbe1d0ea804df3a7874162fa16798301c84a13723a7e339f2fb0f3f54a932326741876d4340aa209f5e806c9c4234557a957bea7b7a74b1e25e0c82703f3cc8f0441fb0e911b2a451bf3585d46dd353facb9d0043aaad54c75bf992c942826c559fe77083a591037e44c6c12e9e9b6f4e228632bf04fb75c56b399c1a2a31bf1141d5fbff91d5ce3d543d40f3fcac97c7d2032484d39366275219fa6116765a33eda6895c90d8aff161822d57ecc0918cb77917e5d8885df763578eb642761d7d569f3be48e712cdc8f5fcb068ef96f43e206e217ce8f4285a68830bed12e845e1ba14c5bbfb0fc3bc7e9c43ce7063e854653d89941ea9d3624951bb6ef6cbb5e86e050e9c24516b9ac03c4cebb0de04ce7fc625f947f1fb0796a22585dc13bbd99ee4433d855f2e6deb4ecb7400000007d90a3916b6d67724d8f485f89450a637e1be4d31e51375dafa86d13c285c4879aaf4d149f71c1e9fecbb96b354e9f34a6818bcd7720d06f7dda20b6256e83c0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000917a011cd27d4830753c39e1ceabfbd90c1cf53be61a365d605cd9c6993939d9000000000e80000000020000200000009884b3ed8b9dd1380eac6702c7930534854687cd2756ce7446bba862399a6a95100200007a4e97a3ab220fe21c52b73400057c3af34ba41cdbe03dfce335bc55b5adde957948fb94f0d0ff6a26e884d63acb1db52898f285f8132c472194dcfd3a71599acf3e42878a2e49c36464661b71179fddaf9ae457b1d870dedd04e2f9656758a95dafe12e7f065da21004354e6d0e26d0faa6d14608916c77210d7b3e0605492070b1ce92e1cd64f41e19e2054f9064019f0e35a4088ce1eb3ce5c1cc5540a1654286a4d0d730a1a851435ae2f0ff6ff6bc20d73f911af16ef3433e2655c3850075178a8584f12628591672c57748b17c354afd479a3995a52e14cd72cbf50de1aa8034d87510c1d7a4e27028f11f5a5da99e178ecca3888b10205ba52a24400747d3ab2bea076287aa9bb381867d73197134c2692c2db6b169281e5e13fbae581a320f015de78e7826e95f45acd8e616722e3db9441dfe69506fa144185558988ed0b42d8daa39349c5476167961dff1bd8d3ff7f8c680f6a94335dd862a716880fef5465887710f0e1bf1432cb1cbca7f9addb50660cab4f7808f7c3b94c1aeb0d1989d9c3b2b4c2c85968d1b50681b1783bf3b8c7a39ad4a1c25a0dfddfe01c58b415641a83d22167d3f86ecb59c2029996c7cf539dc0bb8986312dbcf9f656a83a9b5084b80dc3a0ac9e252d2b8e30d53092e27aaa120cdb587291856db8aee37249d7f14a2485e615879b31236fdabcd7e4c67df8d1bc65147ff4d0bb602cb3105d74bbdae976cc4b67564bcb1f3400000006ca6a7b2861920fd839a887d6c16c45d28944f1c5317a407c39a936438899fb9488ccdb3f9399e920d0c99abc7cebddeb6859a06e9f2821ab7dad562e8b67cd1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000064809caa0c97c400dda79a5be06b716f18106a3a5f75e77755dfb388f96b94b0000000000e8000000002000020000000ee456a8a4d193fa79f0a82bba5023b09377aae1983623e0c619fc2845d90ef6c1002000061ad8c8b60c6422ad351854576b517e6eb3041e07750ad60b00908b0d9136f49cdea5c999db5b0f79394c6b5cee2abf48ff100633829945907c2db0113efa81c291d308cbe3c787be2a3489febe7df85c94c39c3e984638e7d60d907c5afec0c39935a4baaf9d7d2c9927b47cac1ef168e54f42a2bf058f4973070da256a42c78797e1fa9b02bae1c988402c590117451fcfac2fde126f3e6461b927acd6caeedca2cb2851bd0d5167f270a60d92e607e47091878549868c6759c0b2b4530db947a8d33052880eceee6b9821cdc38990d8924392d9887f7e1c2aa927a3e13f54064f08f0259eb6761a0ae12c28724c7a1d2c12e4115d5cbd5398dc7f1b1a2266a1ee85fe2df7f440606185b8777532a205ab236b6a0351bdec71fe894b1f8a12aefc459c4b76f940ce067b94adf461b7d860006511dfe02df45240a63573e54d66e6a48bfc58c99ad38ef0c81b0a8d2fa8659d1b996bcffaa06046316530f9954f1628f091f767cfcaace5adb6b2fe0f0716e28cd6dbf69e2486f7eaddc2575aac57ff056f7b89126ba3ce5d433889b9072978b0fcd09403f9d5e35f82558171ab7cff8da364617dc52c25f203e3be19f54fe5834f98eef5209c73b15b2942fc1e804f4f05c80cff8ec513526752f755a5e9de45f213cb753610fa882f177acadd75725cb5057115b0093d7aaa0718ab5ffb6e0eb61aef8f02517b4c297114e76c72f43fd8b1420c66db74f025152f8d40000000b79cb6eddf774a7095a2be8cfa0e0126b5e861b464e9eb13a998ed0eac2e1ab7c53b0e49551cbcb77e8f68caf5871b24821d75fa7b96a84e96e5c87e201facd0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000004e4bdd62c838c7293cc105d5873361c5382bcb4694591cf9748d02e5a8396364000000000e8000000002000020000000757a960734106d69a03974910892172b72fb5f6051fe14005ffb07b869732ef91002000047d2ff88a8cf73be68be0ef40b0dac82917b5d57f6e6e1542f1514c1b9c2ebb4fef23f7aed78e508d3f37e9f94a87f65469c75949ddde3cc172f09fb1cb792b3a0a96ce2bea08f7d8473119ba28e23ff80ddbba0f7dc3a16bcf355b777e1407aa8724f304cec6f2a8cd3b493f9fda2a21adfec78af287ffd4f2fa8474a02613671cc74d500ad3f4bb3ec3ae20e7d651938b4fb9e29a6551745b4a8c11a37f88f53dbda648436e036767c24746af4b94046112105237f08e150ebad5f069d6dccdbb8fc447f413f2e9f94a8905e240dee8687324a38a82b9a560604ada15483a962c8a69f968e189275fbc8ddb0589b34fe8c752eba8e020cf538bb2f4ae172acc025ca6031444b891ef7fb29b43c372935203cca1ad85e7330178c998e1b689f40dbcf52e926d0e17d659dcd70a4739d277791995cfde8e85dbdc1385d9b8c0cf759f48c01c794ebe323e83a602691cf5c934ba26110aea1e9e4c0aa0f77ae9f4c7623fe9280199c0077a5cdfea5c197bbc96cdd19640441bbea834c4860537228ccbfc447cc8edd0d45ed61ce5134470e77dcf1b59598886446a794f75dbf650e307f9c94679c71ba4d7f8154d747b688311726aa9796e339c4965242cf55e2392bfcdbbfc0a8321c9c466bf3bc7f6e93d117f1ab827bdaca1f55cf55b6411f7f82e8f26abc52487e979dcd65da38514910877fc550dbae2edd6760abcfa71be4ba58b5f5cbefbe5131ba179043bb6940000000176368ffd910f58193d420e0213000c6ea35b8b451e9394643f9a17cc9190cf626b0edfca00ef9679cc1a2c71101782d09ef3761cf37bb0d68eddd82f74d9806	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000006492798f0c99ca20b7755500d649aa598f074866340ff0fedfb1deae19e20f18000000000e8000000002000020000000f9b8a4288cfca2b67ca7a7f50ffcb5bf444415575a75e78498e44dc8be44012310020000cb1e065579e71aabcb24612d5cdd16fdfc76f3b7174e404110d7d54e5f9d7d07cfb6a06d2f6fa1485c041eee2ef3cfbf4de43f76330ef85617d684fcefc9428f9e0cab4251da15af4427a750fc9f019a2dfabfd304320069ff1718ad66188b9ceb6c0c7fd5b27e1bc04e9024c426034e1d443fb898d4520f567c83fd4bf5ce0a6b33eef48075165dbd5fae09fb69996b401337b989d37326bc697e0989145fbdccfa774ed8172543a1f3add58c70b39899af0ef2ee0fcb4a1e368cd028c4012331ebcf85b4cd1b442b7be6775c5fb9c7b369ca8d73785e262d66a2bf87a0fd87ebf053e0e072357ad5d75ec83659522f9030f611f21353d722f9dc7125316ddcd8e8505fa897c599e43b735ba33cae2af051c0817b23207a503e8acd9a32aa96cf1c6c68bf542f5717b4f038352119e62460da1f4ad1a0d94049fcea7b220f03c8bbffd4657038013fd5667dd5a3ac74ca79f0dc49a67f7b114fcfeef4f7a498ba1027f537821fd2efd1a5ba0be475fe69205b83c36c40d83311840e2e74e689b83757380fef5cfa70f274a10694911114a51de166669283326fac66d97b1065fbdb18c51af3b3cb114399fc92a4bde829b2ffaee0316e11877ef497113d11c5af1e6950b22946e2dbe0ecf58252306191a804342af115bcd190eb54dada5a59317e417f75fe83d3133a0a5604e8582b3084b29021fa5596e2c2badf03f467954cc70f5d42f01dd2ece1a209bacba52d40000000acf83bba870203e030e417ef0b4d857303f2e842afdeadc781ad90a6e6f5f72e754f552cb1d40536cf3a445fb3cfe6c68dee5a0fed5ce3cae3dcfb3dca953657	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000fbcc9d1f5d61487930baa1b83a3604dd98d57c5d9921ba6b9987423448267b76000000000e800000000200002000000002430be89546b1c1153c5f513d97b7b8677c62d089fd9216521d8b5e503876d9100200009f2a64b3b01ac447128ce5fbe33a622bd3ebb97461c9999f9d54333aeca31eaefc0e5ecc253239c31db6fc1d58ac7f9d670ffc45a8f5c70dca1f915fc452c8e1cf1474b91a468d645d5f8db1c17e3243cfd5d72fb8827d196e0afd02ff3ad261161f82043bd775871de212eeba716631d9d8b12b9aee4ad0ff5b614b7860497bfef5611bdadf07e1bb85f29f15636f76395a01dcb2a0c6c31113f8ff321bb906f5039e5760e48ea3231869c8d60b93846e1b2299423cbed00f34941e572ef36b041b8eed0f6ac6eea0db59a93f492bfbc826c2860292295cb62fb927c0ada6ae4135b0aa6d8474e7c1b6d149d5eed399552502cc8de1b60e0ed2bfb7ff1450024dc8c7e46e72c910f0fb23ebefc45a25fe82bfa6e5114bdd36050c0ea3a8d370521835cc293c86ea3787c3abbe3df9c8c46d159c06a27667c48d373fd33503cd8079cccdd3c3cece54486aa2a7a7f8ebc30d69683342e2ed37e1a47ce063afe40d76c6f2e73c4030e82a822dd75ffc0c0679f04c95195b17e28c9c525ee2716cc401d72d9b3dcbfbc5054ea5bbebc3b84e23eae19c3cd20163d67117cbe9fd6d3d84eeb5d220659271903ca5acef06db09a5b535414768494e5d6c4c32baffe0da58cc3322236299c94dacb7a8e9b0d4303f39f369b5c4846db22a7b0995df2c036316839760ceaba07a3fd4d6bb3729eea5fef590f9e3a3abbf95d8241c3c733ebea3170e51970b742e1cd29f3ecd1e40000000cbcb21fea66f0bafd50589aebbd2c8b3e450af0b1198e0b0dc50f379993b3dc38c0d4a7b36509a2fb58f5173dcf8780e7e970168cd6c5aecf5ff9e70ba3d9d39	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000ed1d6aa9001a46379ff0038ad5c566be365adca4a07f024e822dd24195abb9b5000000000e8000000002000020000000e0f677f52b38028cf3496c3c0b5d01346e9fc1c561ae13f93f955fdeeb43644c100200009d9a1e046a1acd84812e65a46dc749e36f2e685c1f4b21009abde8e05c10235d704ba84f722497de4769fac2cbf7fcfb2f3cc629a260125bb38a0e32b61fb7275300315aee57b1ff4036f5cbb191f6b804282748faeba37e5af53a86ed4e5ee14e3caa64bee922bb854ca13ac1db76ffdd0080993f6b90c7160297a2452d479eefa08c76bd1679ebe8ef11639b43c5a0eea4db2fe762865fe482fb14d658f2e3ceb5d41ab3735dd0e64ef5722d2642f1215dee4b0f5b6928067daa2b8ca7dfdfa2ae59024a3043a04a5a7a2e66bc698a4914637d8d6f62a047d3e25fe2c2c4c42f6826339d7a8c0b012ce65e4aab48faa6f9f625297709384d14b646fcdbf0c44925f6d31e1408b2fff9ad42b8ddca79f6d85742e589055d8fa031f5c82133c1ebbad040c2029b724b5f4a084427428e9be5dcd42ac4d3fb7ab2e97a6d2897902355e6c86e02753f9c0af925ec683bb8725a7f061cbadb990f7c8d801c1b3e84414e518a44ed0db11c21fde8cc89651248796f27c4fad905db59d1688e9913605d230a0afef80ab26242b8a4515328da4df776af121ecd5478cce73e09f621f5c7ec1b32e2546404eef93eb63a6a587667de632df7df715e0a3c9b52746be5144a97890178cc7bbec9c701c952d48e906bda5d55f7b158c3812013b4f7c48d09acc2850b06ba8309b82d46583497d4581b508804213630dc089f970f5de638cbdb13cc31cbdcd1364469557aab70fd16400000003f821f64c06d887d764c033cdf3bb59316816924aeb49d0c27d81440e85dd064d3824954222666798b8f47fc1829b998ef9ea99b1bc2cacacda03f890cde146d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
2740	skotes.exe
776	remcos_a.exe
1724	remcos.exe
1408	buildd.exe
1408	buildd.exe
1408	buildd.exe
1408	buildd.exe
1408	buildd.exe
2196	pohtent2.exe
4224	99e6ba4f07.exe
4224	99e6ba4f07.exe
4224	99e6ba4f07.exe
4224	99e6ba4f07.exe
3840	737bca89ad.exe
3840	737bca89ad.exe
3840	737bca89ad.exe
3840	737bca89ad.exe
3840	737bca89ad.exe
2980	971d90edea.exe
2980	971d90edea.exe
2980	971d90edea.exe
2980	971d90edea.exe
2980	971d90edea.exe
2980	971d90edea.exe
2980	971d90edea.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	buildd.exe
Token: SeCreateTokenPrivilege	1408	buildd.exe
Token: SeAssignPrimaryTokenPrivilege	1408	buildd.exe
Token: SeIncreaseQuotaPrivilege	1408	buildd.exe
Token: SeSecurityPrivilege	1408	buildd.exe
Token: SeTakeOwnershipPrivilege	1408	buildd.exe
Token: SeLoadDriverPrivilege	1408	buildd.exe
Token: SeSystemtimePrivilege	1408	buildd.exe
Token: SeBackupPrivilege	1408	buildd.exe
Token: SeRestorePrivilege	1408	buildd.exe
Token: SeShutdownPrivilege	1408	buildd.exe
Token: SeSystemEnvironmentPrivilege	1408	buildd.exe
Token: SeUndockPrivilege	1408	buildd.exe
Token: SeManageVolumePrivilege	1408	buildd.exe
Token: 31	1408	buildd.exe
Token: 32	1408	buildd.exe
Token: SeDebugPrivilege	2196	pohtent2.exe
Token: SeDebugPrivilege	2196	pohtent2.exe
Token: SeDebugPrivilege	2980	971d90edea.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
3460	iexplore.exe
4048	iexplore.exe
3520	iexplore.exe
2416	iexplore.exe
4684	iexplore.exe
2204	iexplore.exe
1676	iexplore.exe
4344	iexplore.exe
716	iexplore.exe
3080	iexplore.exe
2276	iexplore.exe
1720	iexplore.exe
3820	iexplore.exe
3600	iexplore.exe
4448	iexplore.exe
3808	iexplore.exe
2516	iexplore.exe
4664	iexplore.exe
4772	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1724	remcos.exe
3460	iexplore.exe
3460	iexplore.exe
4048	iexplore.exe
4048	iexplore.exe
4684	iexplore.exe
4684	iexplore.exe
1676	iexplore.exe
1676	iexplore.exe
3520	iexplore.exe
3520	iexplore.exe
2416	iexplore.exe
2416	iexplore.exe
4344	iexplore.exe
1720	iexplore.exe
1720	iexplore.exe
4344	iexplore.exe
2204	iexplore.exe
2204	iexplore.exe
3808	iexplore.exe
716	iexplore.exe
3080	iexplore.exe
3808	iexplore.exe
716	iexplore.exe
3080	iexplore.exe
2516	iexplore.exe
2276	iexplore.exe
2516	iexplore.exe
2276	iexplore.exe
3600	iexplore.exe
4448	iexplore.exe
3820	iexplore.exe
3600	iexplore.exe
4448	iexplore.exe
3820	iexplore.exe
4664	iexplore.exe
4664	iexplore.exe
4064	IEXPLORE.EXE
4064	IEXPLORE.EXE
4772	iexplore.exe
4772	iexplore.exe
4016	IEXPLORE.EXE
4016	IEXPLORE.EXE
4372	IEXPLORE.EXE
4372	IEXPLORE.EXE
4548	IEXPLORE.EXE
4548	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
4572	IEXPLORE.EXE
4572	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
3320	IEXPLORE.EXE
3320	IEXPLORE.EXE
3300	IEXPLORE.EXE
3300	IEXPLORE.EXE
5032	IEXPLORE.EXE
1748	IEXPLORE.EXE
5032	IEXPLORE.EXE
1748	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2740	2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe	31
PID 2204 wrote to memory of 2740	2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe	31
PID 2204 wrote to memory of 2740	2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe	31
PID 2204 wrote to memory of 2740	2204	6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe	31
PID 2740 wrote to memory of 776	2740	skotes.exe	33
PID 2740 wrote to memory of 776	2740	skotes.exe	33
PID 2740 wrote to memory of 776	2740	skotes.exe	33
PID 2740 wrote to memory of 776	2740	skotes.exe	33
PID 776 wrote to memory of 1724	776	remcos_a.exe	34
PID 776 wrote to memory of 1724	776	remcos_a.exe	34
PID 776 wrote to memory of 1724	776	remcos_a.exe	34
PID 776 wrote to memory of 1724	776	remcos_a.exe	34
PID 2740 wrote to memory of 1408	2740	skotes.exe	35
PID 2740 wrote to memory of 1408	2740	skotes.exe	35
PID 2740 wrote to memory of 1408	2740	skotes.exe	35
PID 2740 wrote to memory of 1408	2740	skotes.exe	35
PID 1408 wrote to memory of 1660	1408	buildd.exe	36
PID 1408 wrote to memory of 1660	1408	buildd.exe	36
PID 1408 wrote to memory of 1660	1408	buildd.exe	36
PID 1660 wrote to memory of 1572	1660	cmd.exe	38
PID 1660 wrote to memory of 1572	1660	cmd.exe	38
PID 1660 wrote to memory of 1572	1660	cmd.exe	38
PID 1660 wrote to memory of 2268	1660	cmd.exe	39
PID 1660 wrote to memory of 2268	1660	cmd.exe	39
PID 1660 wrote to memory of 2268	1660	cmd.exe	39
PID 1660 wrote to memory of 1704	1660	cmd.exe	40
PID 1660 wrote to memory of 1704	1660	cmd.exe	40
PID 1660 wrote to memory of 1704	1660	cmd.exe	40
PID 1408 wrote to memory of 2372	1408	buildd.exe	41
PID 1408 wrote to memory of 2372	1408	buildd.exe	41
PID 1408 wrote to memory of 2372	1408	buildd.exe	41
PID 2372 wrote to memory of 2420	2372	cmd.exe	43
PID 2372 wrote to memory of 2420	2372	cmd.exe	43
PID 2372 wrote to memory of 2420	2372	cmd.exe	43
PID 2372 wrote to memory of 2868	2372	cmd.exe	44
PID 2372 wrote to memory of 2868	2372	cmd.exe	44
PID 2372 wrote to memory of 2868	2372	cmd.exe	44
PID 2372 wrote to memory of 1804	2372	cmd.exe	45
PID 2372 wrote to memory of 1804	2372	cmd.exe	45
PID 2372 wrote to memory of 1804	2372	cmd.exe	45
PID 2740 wrote to memory of 2196	2740	skotes.exe	47
PID 2740 wrote to memory of 2196	2740	skotes.exe	47
PID 2740 wrote to memory of 2196	2740	skotes.exe	47
PID 2740 wrote to memory of 2196	2740	skotes.exe	47
PID 1408 wrote to memory of 2948	1408	buildd.exe	48
PID 1408 wrote to memory of 2948	1408	buildd.exe	48
PID 1408 wrote to memory of 2948	1408	buildd.exe	48
PID 2948 wrote to memory of 2312	2948	cmd.exe	50
PID 2948 wrote to memory of 2312	2948	cmd.exe	50
PID 2948 wrote to memory of 2312	2948	cmd.exe	50
PID 2948 wrote to memory of 2440	2948	cmd.exe	51
PID 2948 wrote to memory of 2440	2948	cmd.exe	51
PID 2948 wrote to memory of 2440	2948	cmd.exe	51
PID 2196 wrote to memory of 5100	2196	pohtent2.exe	52
PID 2196 wrote to memory of 5100	2196	pohtent2.exe	52
PID 2196 wrote to memory of 5100	2196	pohtent2.exe	52
PID 2196 wrote to memory of 5100	2196	pohtent2.exe	52
PID 5100 wrote to memory of 2416	5100	cmd.exe	54
PID 5100 wrote to memory of 2416	5100	cmd.exe	54
PID 5100 wrote to memory of 2416	5100	cmd.exe	54
PID 5100 wrote to memory of 2416	5100	cmd.exe	54
PID 5100 wrote to memory of 1676	5100	cmd.exe	55
PID 5100 wrote to memory of 1676	5100	cmd.exe	55
PID 5100 wrote to memory of 1676	5100	cmd.exe	55

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	buildd.exe

C:\Users\Admin\AppData\Local\Temp\6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe
"C:\Users\Admin\AppData\Local\Temp\6a8fdc6fe6573c95448c77a8a0496fca06588e575306c948c3d199dd9b324526.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\1004494001\remcos_a.exe
    "C:\Users\Admin\AppData\Local\Temp\1004494001\remcos_a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\1004506001\buildd.exe
    "C:\Users\Admin\AppData\Local\Temp\1004506001\buildd.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:1408
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1572
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2268
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:1704
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2420
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2868
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:1804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1004506001\buildd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2312
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2440
- - C:\Users\Admin\AppData\Local\Temp\1004537001\pohtent2.exe
    "C:\Users\Admin\AppData\Local\Temp\1004537001\pohtent2.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\runner.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2416
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2032
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1676
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4548
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3080
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3080 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3460
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3460 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4064
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3808
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5032
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4048
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4048 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4016
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4344
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4344 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1748
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4684
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4684 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4572
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2276
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3520
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4372
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1720
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:716
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:716 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2516
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2204
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3600
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3600 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3600 CREDAT:2110467 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3820
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3820 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3320
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4664
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4664 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3332
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4448
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4448 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3300
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://trashycontinuousbubbly.com/nuy7khqk?key=dfdceae1749487fe3ee94c1a351e9103
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4772
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:5846020 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6752
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:15545348 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6816
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:15610882 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6824
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:15938561 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:107033605 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9336
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:107361285 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9412
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:107492357 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9460
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:107623429 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9468
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:107754501 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9476
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:107820038 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9484
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:108803076 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9492
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:149828612 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:9128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 980
      4⤵
      Loads dropped DLL
      Program crash
      PID:4360
- - C:\Users\Admin\AppData\Local\Temp\1004542001\99e6ba4f07.exe
    "C:\Users\Admin\AppData\Local\Temp\1004542001\99e6ba4f07.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\1004543001\737bca89ad.exe
    "C:\Users\Admin\AppData\Local\Temp\1004543001\737bca89ad.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3840
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    PID:4300
- - C:\Users\Admin\AppData\Local\Temp\1004545001\971d90edea.exe
    "C:\Users\Admin\AppData\Local\Temp\1004545001\971d90edea.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion