11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000003c02f7fb40e2ee416493fbe1c58fa7bda23aa2a7e05a309fa55f4b42301b0bbb000000000e8000000002000020000000fea18e37c2092362fcfad54a10724bc1f80b0b3257c61b99146c7588d65df4f4900000001fe5d852dc56e36c6540638612dab07e847fcb7bdfe546119400320493ce19c02e4987f75ef1273af3bdbeb585e6775b724e2b604a68b12032b72d4b2c633bcf1ed463042f4529350632c3e9336a3fb8cd6f02129b21c00a8e800187113473aef1ab36041c03834b1d60ce5fc6cef892594b51fc6cf86512f0613a9cb3ce1461ad3065a2a151523ea1ac5d9a089338324000000001c723401ab298559d94a4f312850263d26bd4c9751933425b67bde0767c85f926c97c0cea1442f051bc1bb90312b3c7c09eee3937313cef2d16e3b1675ea107	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395996418"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84C612B1-214A-11EE-ABCA-72E7016CB537} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70efc25957b5d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000a380f1d1c6aa5a8fc20838a8baa31b76003c04f631eec1155d52ca980832243e000000000e80000000020000200000002933a93d2a42aea51fe2c0702195f1520be893db2c340f78167d70edf58bd0582000000097e0774698839f7a304faa2e95998a5387074d6a3c2e820b84f7379409de604040000000803711c82269fd32f31713d7b8017da786aff8d54ed72c9cd264b1a99009a51ce8c85efa28e49540f56fd9be138304075db92912d55cfe1a268fb4949ca16206	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2168	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2168	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2624	2216	MSOXMLED.EXE	28
PID 2216 wrote to memory of 2624	2216	MSOXMLED.EXE	28
PID 2216 wrote to memory of 2624	2216	MSOXMLED.EXE	28
PID 2216 wrote to memory of 2624	2216	MSOXMLED.EXE	28
PID 2624 wrote to memory of 2168	2624	iexplore.exe	29
PID 2624 wrote to memory of 2168	2624	iexplore.exe	29
PID 2624 wrote to memory of 2168	2624	iexplore.exe	29
PID 2624 wrote to memory of 2168	2624	iexplore.exe	29
PID 2168 wrote to memory of 2200	2168	IEXPLORE.EXE	30
PID 2168 wrote to memory of 2200	2168	IEXPLORE.EXE	30
PID 2168 wrote to memory of 2200	2168	IEXPLORE.EXE	30
PID 2168 wrote to memory of 2200	2168	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79e759f77eac1113b239c96c161b8efb

SHA1
7a665311a5447465f65adbe76903226202cae85a

SHA256
bfa41f97c382c5c3554c536f11f187d15d8273e4d64889639e4cf7c6dc24809a

SHA512
9bd1a89e601b82d53826973d85d7880658ae22b6ce7132fd85c0f9d5b56dd2ec7fa7e3368b22fbd8f52cbc856d8102cd5360b105d93a0abdb1239a7b5094dbd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63872179f533834a91d7419d549f7732

SHA1
bf67b3699c3eb9cdb9bbb5b63ce3e37eb8c84f95

SHA256
214d87dc6f042f0d7b58ba883ce111b4dfe8210b342cd94f3f79872cff5c6efd

SHA512
d7195e0a8894cdc3e940f212cc85d0facb99be9caa935163e70e19cafe854b878a46e2fb18a20e978f0d5f31f07764410a715a0f1566246c5d6305d9670a6736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5bcd757996783d499f085338ac10d0a0

SHA1
9e823953b6a3ec397854f14972d7bdfa1862be5c

SHA256
6413057bd4d8f79c1ab1e08b9133ed27bc037169aea2ead7840e9392460c1a8d

SHA512
7367ada802fbe734e2de424b53a6c7d9a240f789419d70f220f823d2ba39c83eb85dfad077abe1af44c18dc0a47d93c050ef48ce429ae424c7b592a9a7ba7045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc08b29a06abd993fda209bdb1ca9e3b

SHA1
0f452464f603320a049330f6b9e196c6a5cb004b

SHA256
f190ebfdd06ade07cd265fb870b9076c6e5b6fcd6878de9b81d4bc60a9cc31de

SHA512
6689f0c3793083e5318b78daf494608fad5e3be55e2783260bf3a7621e245a03128417433e581f6c23678e791ec782f11a78c2505f13ae7d200ee87932bcda29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92c36146784554157c33d410d6cc31fe

SHA1
5dbd6446c3eddff1fbf80794ed0ab499fa221211

SHA256
a0972c6c05da548dcf0e7779e33a6291b1c57150b66e45960f51b7777b39e061

SHA512
0816b741c1bc50b29b439537e3dcea2e670d8771b974acee8f1c3f4f1f4ed5dc4028b15c5bbdd0f3112e5e5c3cec3a58c4f3d8644db4c863c4a34226d47cb11a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b49da0a5cea0b2ed299469c5c92a379d

SHA1
87713affbbb6244fdb2801245c8429a3c0cd5c17

SHA256
60ae54721e12249ea33876c3916060f94052cbe0a24da265d4ba24f39b662bd3

SHA512
2066b960d442ac98241d5cad083eb1477c1cb17b2d5d50607ce83be5e4156ee47fd1e3af4a66efde22aa271c545ef0231e9d6e846f97c80a16f168aebdbe1b53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac6fd9f6ee1798bddc39541e75b44cd4

SHA1
3b7f735ced37227ef212083613a3d918077d0897

SHA256
95582341ab745e52ea874aeccb3f551edc84e510cfaa638cb654ca75c5c7ecaa

SHA512
d46fab909ec90c4ac87d2f88bd4a8a5f6605a80e8c34125027f9200f926d955f4e861535e861b862401004545e71845ed7f9e7a8e3e839b3ac64415638942b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55f4ee15376baa33940b5b33ef411bee

SHA1
73237f40af33cdf48c219b6662c423cc587b7bad

SHA256
7d3c3fca7def655364d43f6efb6c6eed1bd42d54a8516a58a2a412c5a109c3fe

SHA512
a74bdaa5665085814b2b43f7066b63aaa876f474fb37046c6342f0a29e7a2c107f941f74eefd470376a31f00d8c79e23bdf1cbd2f1f99206b2a3cab4b3035a74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
936fdbdf0ed99b672ef460d7e907b397

SHA1
ddbb020de92af0dbdd2b279331ae5c02951fcedf

SHA256
f0922981d58fcc1cf9fe1d258295b53f62e80ea8a0090163bc199c8f8059f161

SHA512
a35a7e9f777cf0f6de5ff38066ad0b4978ebb80694c04304f60f00c36d7b2d5b451eb3c4b2724e78231e817e5a0b875051da029cadc6c7c941cb7696b8bdd8d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5074da97bfe1830922778ea6ff7a59a3

SHA1
8f2d95ce46a9cb77dc303ba0bcf82c9305e8c2fe

SHA256
bb10565fe45bc0a7c30b86370df315986100c1d456ce3fd383bd95c84a1bea34

SHA512
7be1d9ade2aa6e6b9c788868820dd4b27806bf0d7d9947cbc17e2d735f689213ea0fee7063a7dc4237b49af2057fb58b6346e12862e3207f39341a08a4fcd172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA24.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD17.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NSCQCNBH.txt

Filesize
600B

MD5
881827cc34d5ec4360bc11d2ac276ef7

SHA1
ba122cc7f1979664a82812eb19694ceb69c7bb54

SHA256
8a7f6a64c1adf2d6ef3cb4114d59c4cf3d7fb5c1976198378275e6e27bf8e1ca

SHA512
0841ef8ba9d3a6ca86a90988be9114378dc655e93052da2cd74ae71e32a2143256fdc34a742b36122c3eca1b2ec9cae05655c4fd91d08bec67ea451f792ee54e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads