11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc63000000000200000000001066000000010000200000008fdb4d77d27fe10633019c3e36aa660bfa6c4f040d72eb034a7d0510865269cc000000000e80000000020000200000008b81040ab74d315298dbd872efcee44222fc9a93b13c17f61c7bbfe91ea0046e90000000613a65449c41f44b7bb16bf88ac11fcc09b28976aaf35f7c882f1ec02bd36288fe9d20d4aabaa41965817fa25cee3e921912df75fba511b34cebd8e67260c068104d2665f164bdbd68d98dcfa3b5f66e7ad914833c5f5e8d11313ff022dbeefb1ebbf4acb8507dbef421b8b62d13b7fb898288b704d2276824cffeb1238f647712db7f17928b6220ea99785750ae5b544000000002974b4c8e49c38286948c56f6dfa9563c37d363c7c2c93a646404f604a9f233739c91d4d36603f26287aae8b52056c35d371b627eb1493a02102a94d706f6a5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8364CD31-214A-11EE-BBC0-5A7D25F6EB92} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000d1021a0e94fd71242a25b13a18e5f1bb79387445fc3301d7cd873560c4c006c4000000000e80000000020000200000007e071131288ba6feb74de832c0b38bd24f19028851286fd72bc752e6cf50464520000000532035a76c6f29c55c223c48164ec2219d5dbd1c11f735cc7959e43ce4c630b140000000a55677adad930c5699303b5f99f220f0dafd9db9028920c72001224d921b745cd2886d6f133b3b3473eca3c158c091e2347a98270f46b2d82a555c1db67a75de	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800e775857b5d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395996415"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2376	2784	MSOXMLED.EXE	28
PID 2784 wrote to memory of 2376	2784	MSOXMLED.EXE	28
PID 2784 wrote to memory of 2376	2784	MSOXMLED.EXE	28
PID 2784 wrote to memory of 2376	2784	MSOXMLED.EXE	28
PID 2376 wrote to memory of 2792	2376	iexplore.exe	29
PID 2376 wrote to memory of 2792	2376	iexplore.exe	29
PID 2376 wrote to memory of 2792	2376	iexplore.exe	29
PID 2376 wrote to memory of 2792	2376	iexplore.exe	29
PID 2792 wrote to memory of 1244	2792	IEXPLORE.EXE	30
PID 2792 wrote to memory of 1244	2792	IEXPLORE.EXE	30
PID 2792 wrote to memory of 1244	2792	IEXPLORE.EXE	30
PID 2792 wrote to memory of 1244	2792	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment-selected.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61aab19a166ca48e3aa81b4b647bd246

SHA1
2b7cd2977656619cab03fcfed4ac6bf34cb6a749

SHA256
6215aeefae1076fa542aa47338f32156b1100debf3b15e9ec64e91ca07bdae4a

SHA512
920be9ef0c4c7d4414d0eaf81a0e0e2dce7338fd1cb3c9a6ae7b05e2fca74522152fdf7171f9512873f25698e4cf0131fef2ff967b29591e6ee97abaa3357a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b7b91093baea4da4e8fdf360369c819

SHA1
9d4b79b9825014ac0413013df350e37967e8c424

SHA256
e030d34c353c5c5cb4d466f7b84bee6d77306945f17ce6433f1ea6323f6018e0

SHA512
7e018595554e91c14454381d43ffed564d103b33a86afa4182253aac49bdcb7c32843c81ccb7d09eec08ca2f0955496f23a48ada3ff11ab1596784a8be66a859

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07e0382c8ad8c13d9188b744fcdb24ed

SHA1
e77608e3f3e2a6cdb6ef39c10c8cad2283ca6369

SHA256
f25598caa451e5847bdbea8e509756a5077f31b164b8ec288800471776ece951

SHA512
55d5735e6506c1a39092122589cec37b9e77884f161cd5f9641b4efd44fbaaa6e6a77468034335f77010a6d801b83690ec67944c0b8fa6ff4455597bd4cab39e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb7d0aeb3a7b12162949a5086443dd73

SHA1
bee8c666bf9c68febe4d1fc93a4824d17bea19a2

SHA256
75b96842fa4badbc367fed7512874f8acbbe5a36f7d02f6589c808c074fb5118

SHA512
5a7fece184caa15a8dec38cb6615f7cd5f6ec489e13d8ac9c9fca943ad4eedf43d258b1a029378bf3c43af375fe25879d104674bf3557388f9ee7bf6f908c1f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
28d7e1dc72bd41fbbb1b4bcca7a5748f

SHA1
bd0e573388cdc5cc709ab4207090c459a026075a

SHA256
9e745c0772c3d872c26fd1223462b27844a5f6f15d32456b4957fa2a3de6884e

SHA512
d1f406626c878c885bb4c88a244b7a98de3e878cda9f43975c7927b32a7f4074e2cb1553f0bab987cee749e4389d14a2e86b986893490434db2f68fb83e6aa38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5124ec754228a7e113087894f0a94c8b

SHA1
3870b2cba07ca25de44abb34a6fda41d881ab534

SHA256
680ab4a1db8899900be70ec4e8599eb030db23ea102aa114e42249bde6baa27f

SHA512
00e45699c96d70463bb25114b957af871bf1e23bbe82dcd058389a0e72e33bb000c9c4c41cc25d2da42f2771d2235131a9418844619e70a5397ff52be304d3d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7487873c746e21af0e5a5a8140618b06

SHA1
ef8ce29d60e3d317e4d8f80de20a20eb76a12be5

SHA256
68c09b79ff010e38e9bf2e6539ed61ed2687401130c69fe2cd5ecd59a29a038d

SHA512
ff7353593eee28c46939047b05109f2c837338562b1a1afca0863f5ae4949c13854efc5cd735acc3050e15ae26ef39860b141007172746880edc22253b772dc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a171dfc53728b440a4f4d6789712e9e

SHA1
acd939145d398d63cf4f8f2d7b2e53bc64500104

SHA256
eed789b1543fdc5c1b1df470808de4cd7aeb7ddbd4becaf1b5046276fb2c537c

SHA512
ee326008c591a823f9f4a6bc2f8d6511b79daf42e04369283c33af5426c31ff5942139fbc13529778ef1f5702d859e4f4f04318ee029a6a6f5cf8818f4bbbab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9954.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar99E5.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0YHO5VHU.txt

Filesize
600B

MD5
8383043391cbf7d6221d3326da357550

SHA1
409bf25f17b5dfb7e7964ab7da1690f7cd723920

SHA256
daf7a6247008f04fbfaff4385903e5dab61b374885e9f4f0070b9df497a2fc07

SHA512
82e1d6dca55838ecf93b3c1eb0f32978e99d3cb46c2a7609db277a6f0e473138aa3acdaef3547ec44b1ba743bb64bdd32158c6b83f76a5b09beab9368b63a5df

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads