846a04a5a04dad7129abe56d82b0578d4e2af6d6f73cfdf9de364c001d00c24d

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401833099"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50FDF751-5BDC-11EE-B87C-CE1068F0F1D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000872e2aa4c3a2fb22663aeba984f2b008fb45093c6837b93d43d8982bb39aa4a9000000000e8000000002000020000000ee2fa9c0d9ca937aebc4783f12dd976e81a737dfa84d91aaef15940dc7ac37fd2000000039f0da580e53d4d4b64483e333c0bb7d5fb9c152faa2b7dd1e321a7c289b707e400000000865ebd24139a29f60b57db3a9d3a0f2b066093ca7df4b93096e8c12d48024edf68cee8b53c316ea5140a274fa71c23066b8fa8e9470acf9322acfde597d9779	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2090f725e9efd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000000ac58a8d13b400b1371a0e5ef4d4e51d26f7f2866888fda0100b2326a58694eb000000000e8000000002000020000000244243197f0fdfffb227f9ad035a77b6fa78b9651f29d3d0fb7f292450415ce4900000003779a59593b3f3a1d839fab89efdb0537a4d71fee3586376986904553204e90383b2768ddc3682dd9f21229f3fc5b3ca6a37f714a2116c4bacca34f2398eb1dbdb2e486d6e01f404c0af7073e3e8bb979e08c7d5c311886a3afbd1b9da48c7fd8e8d5d90c62bea79228ec68465632ad9a0eb552ab36a8013f4e7b967eeb6642eabbad407be78bdd676bdd135f9740909400000000e2f521a92e73b15afadabc9e66ff9f25c1eed186600a26db0c7aa31f8004e96ad62eb38cf5aeac9ef157f5d6e68fece6d0ca6a0cc80a4bf4d41f963c93af099	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2208 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2208 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2208 iexplore.exe
2208 iexplore.exe
1196 IEXPLORE.EXE
1196 IEXPLORE.EXE
1196 IEXPLORE.EXE
1196 IEXPLORE.EXE

pid	process
2208	iexplore.exe

pid	process
2208	iexplore.exe

pid	process
2208	iexplore.exe
2208	iexplore.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2208 wrote to memory of 1196	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 1196	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 1196	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 1196	2208	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\assign_labels_local.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04d39c9696a6a36825b09c0f01075cea

SHA1
5da82d9d68f287bafcd33af1dc9cf915825a3f43

SHA256
686f9040d512480841630b88ea7defa5e90888ace72a2ca2b456834bdf4d676e

SHA512
f7743aff48f4fa31279bb5189e685962ef3291e41afe43b366ad1e6deead993a9cb7ff3a7c4854f1c989a7fe908392c6bc57601ada674d8146de032d55527b9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aaed4070ecfedf7132fa4f0c155614f3

SHA1
a90d72a6f9eed2ec747a24a7a5c44514dd97b7cc

SHA256
d7656d51860c3bc995d287c1b2c8fbd397762801766ab0332c6c340cd31c4c94

SHA512
fc398226a33958875bfeb0578e24881565ecc7423c2fdbd258ac9a2bc27ca81dc85540826365c4cd4735898775967f492e3abb5f0c853423079180fe428376a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
883af4e05bd622d9616e4954809998e4

SHA1
58d4f60ce5f1aeb6169a720fd473b9fa1c871cdd

SHA256
ed987ef15b803c75147822f9edda64344d96e445f1776b98cff883261d0ac713

SHA512
a916d8862b4953a113bc6d1f0740a5ec6b951bc3394e91d3529486f29e7e9b58551fdee05616ba787d68d2a6d5f404509dca97c34c529ce1289fb7eb72f21d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ade7b7a855600b7afe3d611450ccf123

SHA1
1b060cda92a3f7ae42027b98dea59faf3dbc7d16

SHA256
d7e73590cedd8e17c93305a01f8dd174b4495ba0d20b61719836bd085894150c

SHA512
22ce91f573249db687e02e5a5d7bf649f982ae0adf30f3648dc863311a4c5132c999ae1160d9bbebedf33b6f9b2dccc5d4541e64d226ce99e6e27e64e7f06b24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c002a4f742fc0be65cefd74209afad75

SHA1
650f074f496438713a8783637e5537e42c66a3c2

SHA256
e17c0b9508c4007f90a6800375464be4b00618ca268bd6fd5619f36244c8ecc5

SHA512
0c66a2547c27f0bbae1a87b363f106612432c7af6dc00ffeaf10a95032a040991e6f1350e9d6e768740c0069ed6428bd575b18b22f1d667fc654d65e0017ef62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bdca0e99eb57d85ab3e19aed311b8a5

SHA1
930326f3af3ae24f86ff2bf7a6a1c77f896a79cd

SHA256
e8f0ad67d4fed7c3b0783fb9662ba196c0f82804e12de00f80970480cc9dbd8d

SHA512
f0f7f6f857c59ee8bed2cf46468ce48304f91abb8280f7d9a7ddeeeeb45b00e73f554821ac711a77c674c5e9b0898e70c4ef8d1b81f14466528f98c6ac447e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f78f2e0589a64128eb2ffc32954fad6

SHA1
610d14da61d653dcbae25d2867125fa5fe63046b

SHA256
8fe5967051aeca5613e5b553b3dfaeee588075215b5e39327e5f5eb057338f3f

SHA512
f738c31de54018e1ef987ba9702da680f3545a97b3ce966028c56aad080336fc3a4e63b2dcf6f825c1684157ae44304bda5528283625cba986cae73d6c95ee5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5637581df7af03bbf56976a1cb2722b1

SHA1
dc5d75792d692b7d2442680ce17bf9490622b6c6

SHA256
1266340d4cbf0196d6b7762c1aea194c77008ff0ad5a8afafe1312a80bc2cd5c

SHA512
5a7c3e10751ea185d64514d18c417fdb8ce01790ad7826a16890ff6d03690cf6de711a58cdd99233047672381f10a17985258ac8b87c70a54f50f7346dd7042d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8988eb8a48ec785e00d51eb102903ac8

SHA1
2beba5d6001261f937b5fd0b9d4efe4163e6c091

SHA256
5879241c8eaaa06b7e4e29c6e58f0191463c460a5b0d29799309184a434d1afb

SHA512
c5de66282cb0fc783806b33227e031696206e76c494815f0ce07358ef98bb3fb150382b984938a462e586d1272aa72a1e226c1da73a069551acec6d0444e4352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b953c03178bbd2cf3771239045e765e5

SHA1
2c8cb0d982d62c8527bb5c1dd37c29dd0214f154

SHA256
c6b74b50e6ef6e98b0ea993c6393088445cbe31bdb16ef1f9d8641e86484836e

SHA512
c425d872cadfd12e44e81e8cebe4199ab7747327e72a7ec66fd5c2c660830fcdada69144ac40f2f6cb9a80ff68f8f5c1ebeb6fd069a2fdab955eab0e85d40d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5708ccd0a061e8160dab96afd90709f4

SHA1
eefc71e3d06aa1996ffff6b2b00f975b5564beab

SHA256
9422be572c138633e92fc479951afa30c28142c63e9d07bce79402823d385ad9

SHA512
8cff5f6996e71b92ad1d469555d9317e0dcbdceb0b4a4a63150816a0a3389c60d019b9a268972bd8ff4d435d8ed105fa569295979cac5b27e4efdf8d78343690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2e62062985b5493041ac877078d02c1

SHA1
5f82f37d101cd8963a92f62c0c79ba3d619b072d

SHA256
34857929493b5f0ac93cbc62fdc3f4e49ef60c64092819a429b634bfdeb7aae2

SHA512
bfb443ac184d4c8f9aaa50745139b8c4ee33842b7e0c5dc36dce7d2782d3df3aba4dc9e9b3ed354fb4e75e7e83095fd8e575b7d9508f381ad190b68f4e530fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3088758a0ead0b1228fe6b7d18a18e04

SHA1
070fa39addcbaac21c5c9ddc2aa34ff8590cfe3b

SHA256
9cc020a6283676160dfab322c167fdc95b9df54f73de283e97fe77d1701873d9

SHA512
44998e6768f624c1a5074d2a41d2222527411bd076c2dcd818489defbc5cc61129b6860ee528194a5f75e3db67740e66d64b362ee82dae2b4948ebee1999cb12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44c9a070adf5d22021d93a0ef221adf1

SHA1
27122c299bb77e1f1a6040df8078ef5052d6c86a

SHA256
98f3a5911c1f78cd73191cbe0f39a25f15501b78d6f1a713877a45acbbe5dd94

SHA512
11553ed4e3224f0c532816eaf1787af77e0a5132e64bf97a8a62fb22edef4d47b26c3f31e276badf2b85f7bb02207d56139fd25b597fb9f9a4b78d135acf249f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9fe0752921e2a8bf5958d6330350fda

SHA1
6961c8844257e308ac523b85c436bb2a26bae4cc

SHA256
064a9a5dc5debee829b53baaf7d8e0fe733a685cc8a87e9fa7d71e88ffa27e0a

SHA512
37f7ab5162108c1e0856838a5867be0466869f0853efe7d21bdbe0cfee4f7c8c7db49d03d461034726ecdbe33a4078a12a37611508fe4533b9f8cb92160000a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d53c88477865003ff0bd3ece0ccc8dd6

SHA1
ae0f192afaf2a0724a21addedceee280c688d8c4

SHA256
a21a68fd261ea2169bc3dd9e2903496a3ed5da0934e4ddac609e75cd46711290

SHA512
ef983bdb231ecb576603fd75bf74dab1f7df6c507ec704c52139008b8fb342a659c348a5816d843a263a78da51f04637542b12493b5c2030891a8803dadbab6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a14fafca8a8deb2103ea0d759e4a547

SHA1
118e9c09bbc5a0b6b3e2a8ae513957c463ac8ccb

SHA256
b53997afce5f2539bf8ffd1cffc2cb67f7e6be63f205eea562cf142c41dfa63f

SHA512
6acf004122bb4c483b8058c3aaf9f525a9c8b1a6da3565bbe4b344608b910c789f9d2c2d467b5cbbaed88c17025c9b441a47e05a74fcafd3190f2d67603fd2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab600B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar610A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit