11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395996417"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809c835957b5d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84BB25D1-214A-11EE-9996-66AFBA4EB959} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000545c5a2e8bed3722e5ce8bbef4a32204f05e1cc753dac893f6b47f0560de7512000000000e80000000020000200000008d769c1a5571ae2b3956474a9b5ac2d91cb293dc332f19d100ff7bd9041adc5a2000000050bd8100d891e0102fb79e6fa494d970f1595cf55f1d5e74c8be235c1d215a3340000000be197c20c53966bfbe82fe4462230155d8765a11a08df4cff4d4e06b26f94a80d38d602e9b8407f2391a14ac4ff6a9efff074e9a51fc8f6f766a6d07c53e0954	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000dda184237af92b0e5493f3399f2cc4fc1bc929027989f6e97bb5e73b5fb0104a000000000e8000000002000020000000f4e4133898285ffa375879917af4cde822572fa95bc0a40a44e641bd044362b8900000007f2433587de14a5b275f2a0b41d87c5adac4aee87ebc6881b472490c5c246e89a9c624efc9564d9596b9f9a138fc40f77b0adb3b70700671fd8943921e8aefe885d8324a848b5daca2b0ea67027cc92a95c1f0b821ec18bab1eafec50ace493300a5253a9ab3e31df9fd906ba036b5b297926dd37bb8265e06e466d5d955155327b8a010288840e3e3ce0eed501cb6d640000000d86a2f732ac9076bd0690b4c487c4bae71924bb44722df177cca25559e8ec9b0616c7bddbd110584c4c7add75395cca9d8174f663318ca4e507d1827bb50abe8	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1536	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1536	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1284	2476	MSOXMLED.EXE	28
PID 2476 wrote to memory of 1284	2476	MSOXMLED.EXE	28
PID 2476 wrote to memory of 1284	2476	MSOXMLED.EXE	28
PID 2476 wrote to memory of 1284	2476	MSOXMLED.EXE	28
PID 1284 wrote to memory of 1536	1284	iexplore.exe	29
PID 1284 wrote to memory of 1536	1284	iexplore.exe	29
PID 1284 wrote to memory of 1536	1284	iexplore.exe	29
PID 1284 wrote to memory of 1536	1284	iexplore.exe	29
PID 1536 wrote to memory of 2448	1536	IEXPLORE.EXE	30
PID 1536 wrote to memory of 2448	1536	IEXPLORE.EXE	30
PID 1536 wrote to memory of 2448	1536	IEXPLORE.EXE	30
PID 1536 wrote to memory of 2448	1536	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a37baf82e8b1a3f79a3eb0b38bba622

SHA1
df7eca4fc0e25dd1f72abded2c0db82b2a083984

SHA256
83d8e8fd094feeaf04fbe2525051556ba5572a79061fce4d05daf2203a225323

SHA512
d31bbd78e89775a133e0783c26263bae16d1f60301ef684e6cd1afe0cc4c70ad2cc632d1faecea9207d7cf4a38448c69d5671bb1b00506d32ca0d02ee27973fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02daa988bb6905c07ee9f5a055c2c624

SHA1
9a5e8805c66da71611d2506e4cf3bc7827f2c709

SHA256
7bfa0773ea35d690a356d343f45e87bc2134e68b7a8661626bb9cf77447197d0

SHA512
4f234703c7dde2b3656b71b77aed7692c1a2cb3f3ccfc99393697f116da685b0e0fbf49e9109887ea2f38122d5fe126007ef7ba931c0ac9b35a4c26eb27bbad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca4c9f8d7263f5b4921f121d3a46ec6c

SHA1
1804b653c94d2fb4ec5396688b90e7c0196ee0af

SHA256
7d479506d99d36e4691ae3251dcff3b3abaa65b7e7844490ad96b009f94157f2

SHA512
f76a67d6fd46de674d939d0f35b070e4e5d7da006ae54aaae6e3dc445788f119e1db8cf3eb41b5726e8fd6b45d16c43c385290b0de135cc88ffe91328444a8a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e162997d73c1abcd2e231efb3e44a077

SHA1
a09236bf26c2f38e7ec9d6d4cd37faa605550956

SHA256
e87f949317ee60c415d9db177b5fc80dd2f0b89aff8c1ee09429ec1366925e3c

SHA512
e9c4854bfe4bdccc8cbd5a262b25f9d9859854ce3a0bad5ef00f3d4ec1eeb0ab688d0b2f778ef0316e851ab97746526c4536a2180e2a4bc9e5c5f98034226a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a653928c8ee1dc973268cfd3b16b53f4

SHA1
6a090f93d7355fc028f6a9ee27174dc549c39221

SHA256
37c3331391c7ffae861da265772b4f36d9e25aafee433ec2e9a54260579982de

SHA512
a7ad83d2dec9d5e6588bdf2cfce370fb6cd24ce4e1596ce0d4be3ca91deed85161c9d9c2abaa57f7eca433209a1eb14ee692f9099736d7bfb398ed7f37627956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ecb6987f3f856bdcd59b96216974723

SHA1
a325a286ffed4dd70db277cbf30c2c03c6cea272

SHA256
ef190a3f52a185b12e3cd8a58907b88ac8f8c384df7dd2cd562af25b6d841de6

SHA512
c1322571e9860aeab495276fc8d74254bae10d7ab07f647aa3b48390b4783771f651a750c88867144e2a4c9656c838a1a4b9c9733121f8ab66a1740aa4cd4427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a74c6346e602623102cb8d158f0f720

SHA1
1940ff733a7d1cdaf3ecf37e100d1b76d46e7ed8

SHA256
c200f23a08e27a03d82195d99d81f4132496926e36a7d1e01a16dada7aefc161

SHA512
6e43ea53820efdcbe2b86da5fed3bd44f43c9c53ae57f31b28021a270f8d2392fc2bb3af7de99e56b50a4c2430c553dbbc012e998a2da3e767c9cdd9c53be29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0a4544d0da805efb8f9ea5117221537

SHA1
47f77fbc8f898f3676983302f895728cffb38b1a

SHA256
b229de6bbd080faea7bdfeb3178a5d5ba862ac1f6253ceffffc90709b83b915d

SHA512
45ee0fd0f3bbc5614db6fea656a1ddcbaf360d4f8a8d19db944714794a68bf41482e11d1f07c887c7a824f229003878fd401e9af469b94c2ddd8e9dabd4da350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF74D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF79E.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7ZYZT6F0.txt

Filesize
600B

MD5
963213e6b7e75cc418a7d6779e87a5f9

SHA1
8011dcfab82cbefa130390167d6d3489ce286569

SHA256
e8c0f2bc7697efbf98e740709b654061a202dff8dcedb8c6a09e53f27c0106eb

SHA512
2f864a78b11d9e631b36423ab7b6795de8ae2055efbd1685ba12eb641c33ccae6aa16b9fe44b823f6fd30b35b3d32b911441dd904419bed157f55f007d1b04b1

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads