404keylogger | 3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

Resubmissions

14-06-2024 17:55

240614-whnzas1ara 10

14-06-2024 17:12

240614-vqvldazapd 10

14-06-2024 17:11

240614-vp9c5stanq 10

12-06-2024 23:53

240612-3xrgaswcpa 10

Analysis

max time kernel
332s
max time network
333s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
06-06-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
Size

747KB
MD5

3cd2595e3d20f8200d3ddf84b81932de
SHA1

c05f5a5fd2e0da7be16621a5482541f3d492891c
SHA256

3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c
SHA512

fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670
SSDEEP

12288:H7nYP1+rSlwFON6zXeEt+f2VtTwfyfyp4P7r9r/+ppppppppppppppppppppppp0:HDYP1+rDOkKderNqS1qU

Score

10^/10

404keylogger formbook cix collection evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

cix

Decoy

stephaniperold.com

sorairo12.com

palumasteknik.com

marketing4proptech.com

iwanttoheargod.com

structured-waters.com

sunvalleyvacations.net

sanketweb.com

tmasco.com

d-valentine.com

engmousavi.com

lithiumtolashes.com

texastramper.com

shoemall.store

beginningguitarbook.com

wonderlustnfairytales.com

bizinabox.store

kmacg.net

cashgold4cash.com

smtpguide.com

Signatures

404 Keylogger
Information stealer and keylogger first seen in 2019.
stealer keylogger 404keylogger

404 Keylogger Main Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000002a9c2-21.dat	family_404keylogger
behavioral1/memory/2672-49-0x0000000000520000-0x000000000053E000-memory.dmp	family_404keylogger

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Explorer.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Explorer.EXE

Formbook payload 10 IoCs

rat

resource	yara_rule
behavioral1/memory/3664-60-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/3664-66-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/4224-140-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/4224-156-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/4912-187-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/3132-211-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/4912-215-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/3132-221-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/3112-244-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook
behavioral1/memory/3112-251-0x0000000000400000-0x00000000004BE000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ipconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\-ZOTQ2UP = "C:\\Program Files (x86)\\Wfrxl26gp\\bvptw8a.exe"	ipconfig.exe

Executes dropped EXE 17 IoCs

pid	Process
2564	Coseismic.scr
2672	Payment receipt.exe
3664	Coseismic.scr
2944	bvptw8a.exe
2328	bvptw8a.exe
4744	Coseismic.scr
2080	Payment receipt.exe
4224	Coseismic.scr
4248	Coseismic.scr
1104	Payment receipt.exe
4912	Coseismic.scr
3788	Coseismic.scr
3144	Payment receipt.exe
3132	Coseismic.scr
4608	Coseismic.scr
2460	Payment receipt.exe
3112	Coseismic.scr

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\plymouthism = "wscript \"C:\\Users\\Admin\\Pinatype\\Coseismic.vbs\""	Coseismic.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\plymouthism = "wscript \"C:\\Users\\Admin\\Pinatype\\Coseismic.vbs\""	Coseismic.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\plymouthism = "wscript \"C:\\Users\\Admin\\Pinatype\\Coseismic.vbs\""	Coseismic.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\plymouthism = "wscript \"C:\\Users\\Admin\\Pinatype\\Coseismic.vbs\""	Coseismic.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\plymouthism = "wscript \"C:\\Users\\Admin\\Pinatype\\Coseismic.vbs\""	Coseismic.scr

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	checkip.dyndns.org

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3664 set thread context of 3176	3664	Coseismic.scr	53
PID 2064 set thread context of 3176	2064	ipconfig.exe	53
PID 4224 set thread context of 3176	4224	Coseismic.scr	53
PID 4224 set thread context of 3176	4224	Coseismic.scr	53
PID 4912 set thread context of 3176	4912	Coseismic.scr	53
PID 4912 set thread context of 3176	4912	Coseismic.scr	53
PID 3132 set thread context of 3176	3132	Coseismic.scr	53
PID 3112 set thread context of 3176	3112	Coseismic.scr	53
PID 3112 set thread context of 3176	3112	Coseismic.scr	53

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wfrxl26gp	Explorer.EXE
File created	C:\Program Files (x86)\Wfrxl26gp\bvptw8a.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Wfrxl26gp\bvptw8a.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Wfrxl26gp\bvptw8a.exe	ipconfig.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	bvptw8a.exe
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	bvptw8a.exe
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
File opened for modification	C:\Windows\win.ini	Coseismic.scr
File opened for modification	C:\Windows\win.ini	Coseismic.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2064	ipconfig.exe
3124	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\Registry\User\S-1-5-21-1672260578-815027929-964132517-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\NodeSlot = "7"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7800310000000000a85856771100557365727300640009000400efbec5522d60c65822b12e0000006c0500000000010000000000000000003a000000000019b3940055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\Registry\User\S-1-5-21-1672260578-815027929-964132517-1000_Classes\NotificationData	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3664	Coseismic.scr
3664	Coseismic.scr
2672	Payment receipt.exe
3664	Coseismic.scr
3664	Coseismic.scr
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
2064	ipconfig.exe
4224	Coseismic.scr
4224	Coseismic.scr
4224	Coseismic.scr
4224	Coseismic.scr
2080	Payment receipt.exe
2064	ipconfig.exe
2064	ipconfig.exe
4224	Coseismic.scr
4224	Coseismic.scr
1868	wscript.exe
1868	wscript.exe
2064	ipconfig.exe
2064	ipconfig.exe
4912	Coseismic.scr
4912	Coseismic.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
3664	Coseismic.scr
3664	Coseismic.scr
3664	Coseismic.scr
2064	ipconfig.exe
2064	ipconfig.exe
4224	Coseismic.scr
4224	Coseismic.scr
4224	Coseismic.scr
4224	Coseismic.scr
4912	Coseismic.scr
4912	Coseismic.scr
3132	Coseismic.scr
4912	Coseismic.scr
4912	Coseismic.scr
3132	Coseismic.scr
3132	Coseismic.scr
3112	Coseismic.scr
3112	Coseismic.scr
3112	Coseismic.scr
3112	Coseismic.scr

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	Payment receipt.exe
Token: SeDebugPrivilege	3664	Coseismic.scr
Token: SeDebugPrivilege	2064	ipconfig.exe
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
552	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
3772	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
2564	Coseismic.scr
3664	Coseismic.scr
2672	Payment receipt.exe
2956	MiniSearchHost.exe
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
2944	bvptw8a.exe
2328	bvptw8a.exe
4744	Coseismic.scr
4224	Coseismic.scr
2080	Payment receipt.exe
3176	Explorer.EXE
3060	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
4872	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
4248	Coseismic.scr
4912	Coseismic.scr
1104	Payment receipt.exe
3320	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
2820	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
3788	Coseismic.scr
3132	Coseismic.scr
3144	Payment receipt.exe
4800	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
2436	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
4608	Coseismic.scr
3112	Coseismic.scr
2460	Payment receipt.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 3772	552	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	77
PID 552 wrote to memory of 3772	552	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	77
PID 552 wrote to memory of 3772	552	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	77
PID 3772 wrote to memory of 2564	3772	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	78
PID 3772 wrote to memory of 2564	3772	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	78
PID 3772 wrote to memory of 2564	3772	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	78
PID 3772 wrote to memory of 2672	3772	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	79
PID 3772 wrote to memory of 2672	3772	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	79
PID 3772 wrote to memory of 2672	3772	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	79
PID 2564 wrote to memory of 3664	2564	Coseismic.scr	80
PID 2564 wrote to memory of 3664	2564	Coseismic.scr	80
PID 2564 wrote to memory of 3664	2564	Coseismic.scr	80
PID 3176 wrote to memory of 2064	3176	Explorer.EXE	82
PID 3176 wrote to memory of 2064	3176	Explorer.EXE	82
PID 3176 wrote to memory of 2064	3176	Explorer.EXE	82
PID 2064 wrote to memory of 2388	2064	ipconfig.exe	83
PID 2064 wrote to memory of 2388	2064	ipconfig.exe	83
PID 2064 wrote to memory of 2388	2064	ipconfig.exe	83
PID 2064 wrote to memory of 72	2064	ipconfig.exe	90
PID 2064 wrote to memory of 72	2064	ipconfig.exe	90
PID 2064 wrote to memory of 72	2064	ipconfig.exe	90
PID 3176 wrote to memory of 2944	3176	Explorer.EXE	92
PID 3176 wrote to memory of 2944	3176	Explorer.EXE	92
PID 3176 wrote to memory of 2944	3176	Explorer.EXE	92
PID 2944 wrote to memory of 2328	2944	bvptw8a.exe	93
PID 2944 wrote to memory of 2328	2944	bvptw8a.exe	93
PID 2944 wrote to memory of 2328	2944	bvptw8a.exe	93
PID 2328 wrote to memory of 4744	2328	bvptw8a.exe	94
PID 2328 wrote to memory of 4744	2328	bvptw8a.exe	94
PID 2328 wrote to memory of 4744	2328	bvptw8a.exe	94
PID 2328 wrote to memory of 2080	2328	bvptw8a.exe	95
PID 2328 wrote to memory of 2080	2328	bvptw8a.exe	95
PID 2328 wrote to memory of 2080	2328	bvptw8a.exe	95
PID 4744 wrote to memory of 4224	4744	Coseismic.scr	96
PID 4744 wrote to memory of 4224	4744	Coseismic.scr	96
PID 4744 wrote to memory of 4224	4744	Coseismic.scr	96
PID 3176 wrote to memory of 1868	3176	Explorer.EXE	98
PID 3176 wrote to memory of 1868	3176	Explorer.EXE	98
PID 3176 wrote to memory of 1868	3176	Explorer.EXE	98
PID 3176 wrote to memory of 3060	3176	Explorer.EXE	99
PID 3176 wrote to memory of 3060	3176	Explorer.EXE	99
PID 3176 wrote to memory of 3060	3176	Explorer.EXE	99
PID 3060 wrote to memory of 4872	3060	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	102
PID 3060 wrote to memory of 4872	3060	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	102
PID 3060 wrote to memory of 4872	3060	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	102
PID 4872 wrote to memory of 4248	4872	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	103
PID 4872 wrote to memory of 4248	4872	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	103
PID 4872 wrote to memory of 4248	4872	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	103
PID 4872 wrote to memory of 1104	4872	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	104
PID 4872 wrote to memory of 1104	4872	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	104
PID 4872 wrote to memory of 1104	4872	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	104
PID 4248 wrote to memory of 4912	4248	Coseismic.scr	105
PID 4248 wrote to memory of 4912	4248	Coseismic.scr	105
PID 4248 wrote to memory of 4912	4248	Coseismic.scr	105
PID 3176 wrote to memory of 3320	3176	Explorer.EXE	106
PID 3176 wrote to memory of 3320	3176	Explorer.EXE	106
PID 3176 wrote to memory of 3320	3176	Explorer.EXE	106
PID 3320 wrote to memory of 2820	3320	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	107
PID 3320 wrote to memory of 2820	3320	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	107
PID 3320 wrote to memory of 2820	3320	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	107
PID 3176 wrote to memory of 3124	3176	Explorer.EXE	108
PID 3176 wrote to memory of 3124	3176	Explorer.EXE	108
PID 3176 wrote to memory of 3124	3176	Explorer.EXE	108
PID 2820 wrote to memory of 3788	2820	3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Payment receipt.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
  "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
    "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\Pinatype\Coseismic.scr
      "C:\Users\Admin\Pinatype\Coseismic.scr" /S
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Users\Admin\Pinatype\Coseismic.scr
        
        "C:\Users\Admin\Pinatype\Coseismic.scr" /S
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3664
  - - C:\Users\Admin\Payment receipt.exe
      "C:\Users\Admin\Payment receipt.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2672
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Pinatype\Coseismic.scr"
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:72
- C:\Program Files (x86)\Wfrxl26gp\bvptw8a.exe
  "C:\Program Files (x86)\Wfrxl26gp\bvptw8a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Program Files (x86)\Wfrxl26gp\bvptw8a.exe
    "C:\Program Files (x86)\Wfrxl26gp\bvptw8a.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\Pinatype\Coseismic.scr
      "C:\Users\Admin\Pinatype\Coseismic.scr" /S
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Users\Admin\Pinatype\Coseismic.scr
        
        "C:\Users\Admin\Pinatype\Coseismic.scr" /S
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4224
  - - C:\Users\Admin\Payment receipt.exe
      "C:\Users\Admin\Payment receipt.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2080
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
  "C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
    "C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\Pinatype\Coseismic.scr
      "C:\Users\Admin\Pinatype\Coseismic.scr" /S
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Users\Admin\Pinatype\Coseismic.scr
        
        "C:\Users\Admin\Pinatype\Coseismic.scr" /S
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:4912
  - - C:\Users\Admin\Payment receipt.exe
      "C:\Users\Admin\Payment receipt.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of SetWindowsHookEx
      PID:1104
- C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
  "C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
    "C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\Pinatype\Coseismic.scr
      "C:\Users\Admin\Pinatype\Coseismic.scr" /S
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3788
    - - C:\Users\Admin\Pinatype\Coseismic.scr
        
        "C:\Users\Admin\Pinatype\Coseismic.scr" /S
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:3132
  - - C:\Users\Admin\Payment receipt.exe
      "C:\Users\Admin\Payment receipt.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of SetWindowsHookEx
      PID:3144
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:3124
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2076
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1756
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:768
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:5024
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1152
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  PID:2304
- C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
  "C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4800
- - C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
    "C:\Users\Admin\Desktop\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2436
  - - C:\Users\Admin\Pinatype\Coseismic.scr
      "C:\Users\Admin\Pinatype\Coseismic.scr" /S
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4608
    - - C:\Users\Admin\Pinatype\Coseismic.scr
        
        "C:\Users\Admin\Pinatype\Coseismic.scr" /S
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:3112
  - - C:\Users\Admin\Payment receipt.exe
      "C:\Users\Admin\Payment receipt.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:2460
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4980

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
5d18cf9e6fb60868a48d56e7b7d1fe37

SHA1
6bc2ffa084f0678b366f01c265a5485732d900c0

SHA256
cc0dc1714b43c851191b0c9f44a563b76f3db3fe4c67aa36e468bfe5c7aec164

SHA512
645eb7a905dcb7da87b5159862af3c2e40204bf02c6ac477bfa77bf51f197d5165c0efe89fb4c4877da32a67eb1820abbe55fea2a83fc16e3840cbba152f874a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
9KB

MD5
87c22b75e7023e7bc5b980336932379d

SHA1
744fa48c40337272007a2fcce3bbcb77f8ca2c95

SHA256
96ea6afd5c26de6473c3174118169df4011a4999eaaced70e782d20787ce19c6

SHA512
1fd7fd17ec28a1844e5a95e3bf724f512a4deafa888c59048b3a70b3784112a795ceb495066d867db933dd55e68ab2e470f17f92e18552dbc47d224318f3bf18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
9KB

MD5
110d8a6223bda8c240c43d74b9a1f21d

SHA1
c9802209a8a9996d3653d5b258d4cdab636f277f

SHA256
4dcf1c60d8dfa56837cb91903fb599ee7ca16305ae64227452415a16bc9e5de4

SHA512
db08046193fa29936bc683a88623b1e8df0f804243f14cc6bebcefb1d94ea6a5abaecf622364784d0ca41b1b02e758e168a06f8992bbc72f805423ed8deaa632

Download Submit
C:\Users\Admin\AppData\Roaming\NN42N073\NN4logim.jpeg

Filesize
98KB

MD5
f1b52f7679f296b1e8585af841bfeaaf

SHA1
b4ab50c6bce554e83f8ffa750e4c57a6857588ee

SHA256
694baab759b9bc7dca6a921d70c31816014f94e3c5fe6b32ea3a9623456b8cf5

SHA512
cd6704ff821a68d53437d8de6414fd584730bc7837ce693a06eb2133f0d94a7aba59d1ae71b0b6e867be704fef223bfff91b70a98c8a930ddd34a8085f936312

Download Submit
C:\Users\Admin\AppData\Roaming\NN42N073\NN4logrg.ini

Filesize
38B

MD5
4aadf49fed30e4c9b3fe4a3dd6445ebe

SHA1
1e332822167c6f351b99615eada2c30a538ff037

SHA256
75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

SHA512
eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

Download Submit
C:\Users\Admin\AppData\Roaming\NN42N073\NN4logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\NN42N073\NN4logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
C:\Users\Admin\Payment receipt.exe

Filesize
98KB

MD5
f064015d967ac5fbedbe21c01689f388

SHA1
4f2044ea34938b045c5e62c389f3c62c44cb5392

SHA256
980563afc8a4af6029ef7266392765e4ed9cf23eb242078701b65f5d9078b0af

SHA512
2bf694bbada5bc84ec2e68b4b8e4a6c3b747c14e5e4f5aae0d25c5c94a44ed3df16b2384a966da9ce1d405441eb2727af22868204cca0a2b157a7ae0efedd67f

Download Submit
C:\Users\Admin\Pinatype\Coseismic.scr

Filesize
747KB

MD5
3cd2595e3d20f8200d3ddf84b81932de

SHA1
c05f5a5fd2e0da7be16621a5482541f3d492891c

SHA256
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

SHA512
fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/552-12-0x00007FFD33300000-0x00007FFD33509000-memory.dmp

Filesize
2.0MB

Download
memory/552-3-0x0000000002B10000-0x0000000002B1A000-memory.dmp

Filesize
40KB

Download
memory/552-5-0x00007FFD33300000-0x00007FFD33509000-memory.dmp

Filesize
2.0MB

Download
memory/552-4-0x00007FFD33301000-0x00007FFD3342A000-memory.dmp

Filesize
1.2MB

Download
memory/1868-155-0x0000000000A10000-0x0000000000A35000-memory.dmp

Filesize
148KB

Download
memory/2064-67-0x0000000000760000-0x000000000076B000-memory.dmp

Filesize
44KB

Download
memory/2304-222-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/2304-220-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/2672-51-0x0000000004FE0000-0x000000000507C000-memory.dmp

Filesize
624KB

Download
memory/2672-57-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/2672-49-0x0000000000520000-0x000000000053E000-memory.dmp

Filesize
120KB

Download
memory/2672-64-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/2672-63-0x0000000006870000-0x0000000006A32000-memory.dmp

Filesize
1.8MB

Download
memory/2672-62-0x0000000006600000-0x0000000006692000-memory.dmp

Filesize
584KB

Download
memory/2672-50-0x0000000005590000-0x0000000005B36000-memory.dmp

Filesize
5.6MB

Download
memory/3112-245-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/3112-251-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3112-244-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3124-216-0x0000000000720000-0x000000000072B000-memory.dmp

Filesize
44KB

Download
memory/3132-221-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3132-211-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3176-246-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3176-142-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3176-69-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3176-189-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3176-197-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3176-152-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3176-213-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3176-248-0x00000000069E0000-0x0000000006B58000-memory.dmp

Filesize
1.5MB

Download
memory/3664-61-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/3664-66-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3664-60-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3772-13-0x00007FFD33300000-0x00007FFD33509000-memory.dmp

Filesize
2.0MB

Download
memory/4224-156-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4224-140-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4224-141-0x0000000002280000-0x000000000228A000-memory.dmp

Filesize
40KB

Download
memory/4912-215-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4912-188-0x00000000021D0000-0x00000000021DA000-memory.dmp

Filesize
40KB

Download
memory/4912-187-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4980-249-0x0000000000CA0000-0x0000000000CC8000-memory.dmp

Filesize
160KB

Download
memory/4980-254-0x0000000000CA0000-0x0000000000CC8000-memory.dmp

Filesize
160KB

Download
memory/4980-252-0x0000000000CA0000-0x0000000000CC8000-memory.dmp

Filesize
160KB

Download