846a04a5a04dad7129abe56d82b0578d4e2af6d6f73cfdf9de364c001d00c24d

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000e3c6676346763b156c1e349de3a7c6ceccefdf9e10730ac638a5d9b924b42a6f000000000e8000000002000020000000fffafe4c30ff3f4025bfd15f6e321c5e7e299d8192121a176d531a3b7f35c1212000000055e0dfbacae576712669dc10b5ef470d1c6f84bc0e347d9901a3e9c610a4224440000000f7ad583c21210bf96dd5a435df57d841ac681c3f5e66dc477ed812491ec99a3fc81363abc79022e364523518bd061ad7d7d73fd5d0eff9b37df0d9af1d3196b7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401833120"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50F1BA81-5BDC-11EE-BF3F-76A8121F2E0E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40a20126e9efd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000000fdd35721f3452441c9d185338244bf6cdd7c4cb380d909575032cdc10916bb1000000000e800000000200002000000020dd0f83d68ca42568f6384a26478ce21266ab98ee434c64a5526380fe23e6fa900000008040adc2ea1d0d1ab5bfd6643252e7c6f7de0579d9cc5ae6fa1f599fcab808c73a993681d8ab229de86886406bcca0aa1a6f6e82a17fd04e7f0790be8eb5b24d063243b5f57cfefa3d84706728acf9f216dd344124a3e86d18413a8ec733a2711ebf9d2f90031be8a626fb3408d10b2cd9a06698907a9f5cdbf0a066193f1bfca2cdac779889d6fec2e20c5fc0dbe8c94000000025c51f4cb7e1f94b8990da74cbe5f99eae253489230bc942e6bc1ae3aa40039dff7b0496e84e1f32fb3a04850413cec280f062a8c369dc027c90c112b90bd190	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1748 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1748 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1748 iexplore.exe
1748 iexplore.exe
1760 IEXPLORE.EXE
1760 IEXPLORE.EXE
1760 IEXPLORE.EXE
1760 IEXPLORE.EXE

pid	process
1748	iexplore.exe

pid	process
1748	iexplore.exe

pid	process
1748	iexplore.exe
1748	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1748 wrote to memory of 1760	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1760	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1760	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1760	1748	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fyb_iframe_endcard_tmpl.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82b691367a0b69b96748fe68709fe144

SHA1
d3a8ccac6766416f3326882dcbf10c514955dba4

SHA256
30bcbfe1709bb7e6fcac31ee30b9713f743e4febea4241ca8847d89ecefcd311

SHA512
8f913732137aaff82c1ca89a08de5861a45079310b3b209ff702a3a72217dfb5cab1b9829b20f4559b820f4b2c445f220b37db6c8e322f9b8ba0cf12e574fa05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2b0f53e8cbd70791554131318cdc3e5

SHA1
1adb30b434a22c48860da0a9d086643c0cdc948d

SHA256
7ef05dbc8da192a03e6e796b14615d98526f553be3ce56153c8d32ae8759dde1

SHA512
8ea92f140af61b24a0f270b2ceaf0da0fabbaf6f9975459a85ab92d96d4f12755503dab76a6f0db7b8bf32987374361eef1799d69d5d1c171c01fc0cd3c946b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
936784654225f6fecd8a71c3b62e0fd8

SHA1
acfa3877659d298f0c206773ffd7755b2d6819f4

SHA256
8619fdc31fd90b658b4b4ad3fff53017c5ffe402df4aaa512a5bb982a7e30c10

SHA512
e989b2b5dc4be5650c7c3904f4972c4175f1a00b5d24ebd03eea16c4163f7b61cb352c0ab1a48cd1fb8b038d8cd3b83e0a931c7df5c833dde2de8e8774cec041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e2ebf7456c395a89f8d98a2e4cab5f7

SHA1
b35cc6c881a71a46e66b8f95dd71b4ddf8dfc914

SHA256
dfde81c9d9afd0baa99617dd5f38ba698c5677a53d7126c1e4077b8d2f8718e6

SHA512
00fb04392167da75e5cdb31cb2d70d7c89c5c0ab1e92ff2af4407606ca03dd0a7fa078ee57a5aa171ed58fb7f994caae461725f15965e4fafd815699412336f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05fbfe725dedda6c7386c52b7ebbd6f9

SHA1
a00d09c308fd4f13146310d2c70bf3ad0a598373

SHA256
9e18cf9ea4acfd4d704d8a1a5d30a341791892912abb0a32de0c97e977299af3

SHA512
e5e3fd37262634a6e5c177ad543ebcf1bf5c8c0a01a189f6b36b57365e194762fab9cd776eceb8ded0d36ba2fc0948c4cbadc124007708ef2e96ae0c0b1cf6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7813f8da9291b9b78c2313f08cc4c62d

SHA1
9e5b7c26812d63c5197edad5b3244a5789fb4864

SHA256
4525f398bc2898d64d79055c95096848af04114387a3874b270722f31e98ee1d

SHA512
23d33fd665b22d241e3ef7d017552e94ce6c16abaeeca66f6708ead577e9399c8fa34a4745997009f0302b46379c50ec3fa2799bf81e7e73a818a76f895b008d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a315f82af1f3734fc1a2969a8a897751

SHA1
cbab46cc00bd98c815b601654d7b2a858bd001c1

SHA256
5f5a581842674f39c4786dcbc7c738cc74274d37b24f6e050bdeb12e45547f51

SHA512
d3d8c839bd1c0721bf307e3b70145ce8687c93e5e5807eddf35606844e639c4c796086d0c07fad1d49f0ef3b6e7129d7556a91c471bcd94f4a4a54463a8fa155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
647337249d0865484211309ee2d200b4

SHA1
35e41dcd636a8000479f4137dbd8b9b872155257

SHA256
2923fbb302a278ef288b34e1a39489501c9f855dc0b4986a462744afe33b22e1

SHA512
28a21584744c843ea8508b24509988fff2fb81cb85d8dafc346c42cb7873ce4238f5d1efd60a8d53addb0d3303181d4e6b1da32397ae6859d301f2d46180c9b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5de8fb0e7ed32c58b7b26a85e923a07

SHA1
8462615f268ec3bbeeb72727e2b950b47a38d0de

SHA256
b756f8f25dffe01a9dd1d1fb3b8cbb5e14ea15966baf315087402d198cc5341b

SHA512
d88e395a8c2e7a40482c62bdf7d2faf18a6d1d28a199a8277e4a038aab60fdcb3d51172242a06d13a0aaec4530b7478058f228853d3ab4e6c34a9afeb618823c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42ea7493fbc70ade401e7a5969fd71c9

SHA1
c6e0567384123085230e16eb871bf8065362a6a4

SHA256
9bbf87dab8235480cdba75d038d8beff70e4fdf55e246cbb57773662dae18681

SHA512
85291c0421050d6ae2536f9f71d3fe719078c85e44c0f69eb91006665c7fe7776d42ea8989ebec874ac31d4e270cf9c3ee309d740baae7bdc9e21a2451c798af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6856e8e3076ced08504cd6a47386b84

SHA1
94a63dcb35ced7c0be7833969a78ae0976803e46

SHA256
df3c74c4bbed89964d7021285ab72dbb3840ecde61f270bc7b1ba0d8fc7e9f47

SHA512
cc46990a79922939eba0e85e40d75aaf61672255103e8148f4efc0edc5dc0b6112b87d73f1a4b3ef6dcc7f93ed5e30be90d8db4b791cfc9f449179fa659073f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47534f24ccf7d1c8f9b401052d4ed2f1

SHA1
6bca70968686d8b28e451706631ddd473120405b

SHA256
d251622db586fb7e10ceabf0ac856a4bdc8a4fd2e19a2868db9afa7c75c9483c

SHA512
eb80ae69bd111ed176807870e1115a947eb7a150780b2b9843adf01071aeb2be73ec56103d3556b2a21d3aa40867d728072603b446b50634f1bf4a11cacc38f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
085a67e21e684eb91b0e49ae9ee84d4b

SHA1
aeb59c0435ef2d8d2b9a42dee6e9707f94a166f9

SHA256
312ec6ec9f59581bd8f06acc3129e56b57fe4b972e91411e1ff353a3470b2dca

SHA512
6f5b403d3627200d2aad6ad8a465746866d2f979ca437072534663d07a22872e5dc9e46055d2bb8ca754b2a208223ef0afa1c35ff8ff5ae5b5581f1098cc4249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4de9842d6dd9944f5740f28b1b3c5a1f

SHA1
b8844fe0bbefcfd3e871b902da95d4145e1c1546

SHA256
1c4101cc53f8a47dc2d2203e2b712e56339457fcf94ef0dd072921801523db42

SHA512
c07fa92ddce90a960c5125eabfa40b208213730b1f8a293bea2dacf4d8eac3cbc345e3d4244c78ecfe04e8f54a93b77cb1aca4ca7e456a285bf04a1f73685957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fd5513ebcce3330ed839c7a63e310cc

SHA1
da81ae3d799904abe92a222820d3a48922b0a7e6

SHA256
4ba26f70f11a0206a7379726c82ce01269c5e8350fa788e979450d03f80c97d6

SHA512
5448e3932e1e3f03fb8e251291da91b7c46f41433910af4f41833772d77230f150da503e19279a7cb4646c899719bd73ce6984d0eb29b866805c1fad90046394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
856b69405c7f78541f7f5254288e8169

SHA1
542679de1e2e10ea2a89e0c6e2e341f107bd528b

SHA256
5a8b2516709cf4c461d5b1483fd22666aa46f87a5658a8d4f142b5d207d5b55d

SHA512
a7a4348d1a1588d279edd46a8f4f3c91b53ae5ab3c0f771057fd2069427e279eb1462eeb2893c44a7d26d66e29ef51fd6281030b4e58be6058cdcacb7a9975f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e241a7525a396b79d6593bb6459610b

SHA1
bff601a943ba270844e191f85dabf0750a1d025d

SHA256
85b2bf67b5bd41b812d2d30b6481f66284d02b1114955a11c28de260d8d20062

SHA512
6a5266c94e67ba80c59072784df5f5e2b3eb6dd6bdb8183d6aba5f1c4c96c5e5344bcb4fff93548a05de83d520e9fcef8a2bdc714293bd754eb6d44966164365

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4EBF.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F5E.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit