Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2024, 09:48
Static task: static1
Behavioral task: behavioral1
Sample: 41b81c35a7e3845b2e8c00662fd54e24.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 41b81c35a7e3845b2e8c00662fd54e24.exe
Resource: win10v2004-20231222-en
General
Target: 41b81c35a7e3845b2e8c00662fd54e24.exe
Size: 512KB
MD5: 41b81c35a7e3845b2e8c00662fd54e24
SHA1: 2b89bb74fac9427cb8aaddff3b923518418888a8
SHA256: 4ce62b2c6fcd833b8dc4000f79116657a4411f497af73d81fb73ae90bc6d2bb3
SHA512: 23ed88ee3e9bc3fdbe4b7e72fbe436e6c91e8d4d41930dee88889db92a8b24bdb929e424343e92d62799ace7731d697adf8d186cff4f8eb659461b4af75389d3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bgqontpatw.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bgqontpatw.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | bgqontpatw.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bgqontpatw.exe
-
Executes dropped EXE 5 IoCs
pid | Process
2876 | bgqontpatw.exe
2868 | djichmnwgeibtds.exe
3024 | jwyqottm.exe
2960 | exwetikxysptg.exe
2600 | jwyqottm.exe
-
Loads dropped DLL 5 IoCs
pid | Process
2432 | 41b81c35a7e3845b2e8c00662fd54e24.exe
2432 | 41b81c35a7e3845b2e8c00662fd54e24.exe
2432 | 41b81c35a7e3845b2e8c00662fd54e24.exe
2432 | 41b81c35a7e3845b2e8c00662fd54e24.exe
2876 | bgqontpatw.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bgqontpatw.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cnpbnmcb = "djichmnwgeibtds.exe" | djichmnwgeibtds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "exwetikxysptg.exe" | djichmnwgeibtds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\prxmdhds = "bgqontpatw.exe" | djichmnwgeibtds.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bgqontpatw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bgqontpatw.exe
-
AutoIT Executable 19 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\exwetikxysptg.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bgqontpatw.exe
File opened for modification | C:\Windows\SysWOW64\bgqontpatw.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
File created | C:\Windows\SysWOW64\djichmnwgeibtds.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
File opened for modification | C:\Windows\SysWOW64\djichmnwgeibtds.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
File created | C:\Windows\SysWOW64\jwyqottm.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
File opened for modification | C:\Windows\SysWOW64\jwyqottm.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
File opened for modification | C:\Windows\SysWOW64\exwetikxysptg.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
File created | C:\Windows\SysWOW64\bgqontpatw.exe | 41b81c35a7e3845b2e8c00662fd54e24.exe
-
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jwyqottm.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jwyqottm.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jwyqottm.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jwyqottm.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jwyqottm.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jwyqottm.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | jwyqottm.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | jwyqottm.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 41b81c35a7e3845b2e8c00662fd54e24.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2664 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2664 | WINWORD.EXE
2664 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41b81c35a7e3845b2e8c00662fd54e24.exe"C:\Users\Admin\AppData\Local\Temp\41b81c35a7e3845b2e8c00662fd54e24.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\bgqontpatw.exebgqontpatw.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\jwyqottm.exeC:\Windows\system32\jwyqottm.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600
-
-
-
C:\Windows\SysWOW64\jwyqottm.exejwyqottm.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3024
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:368
-
-
-
C:\Windows\SysWOW64\exwetikxysptg.exeexwetikxysptg.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2960
C:\Windows\SysWOW64\djichmnwgeibtds.exe (command line: djichmnwgeibtds.exe; process tree level 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads