cybergate | b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62

Analysis

max time kernel
151s
max time network
66s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
Size

3.1MB
MD5

713f0e4f5d1d025eb5a2feb578520767
SHA1

34873086330b0c142a1bc56986c3a883027aba01
SHA256

b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62
SHA512

087e9d556da525269bc5daf793d355951cb69e0e17728c51294d7769a72b232a9014a84c03afae6c6bbdb2e05ba211f02b3526d34e502cb06d33e65c848b7326
SSDEEP

98304:xtrbTA1GBYx/sEkmgEHiTx72blrCXDgYXY66FiN:jc1mYWEkmgECZ2blrCXDgYX68N

Score

10^/10

cybergate new persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

NEW

joujounette974.ddns.net:8027

Mutex

8LO785716L517K

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HSCBC.EXEOPEN2C.EXEb5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	OPEN2C.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HSCBC.EXEOPEN2C.EXEb5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	HSCBC.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OPEN2C.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPEN2C.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe

Executes dropped EXE 3 IoCs

Processes:

HSCBC.EXEOPEN2C.EXEHIDDEN SIGHT.EXE

pid process

1476 HSCBC.EXE
1144 OPEN2C.EXE
592 HIDDEN SIGHT.EXE

pid	process
1476	HSCBC.EXE
1144	OPEN2C.EXE
592	HIDDEN SIGHT.EXE

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1628-56-0x0000000000400000-0x0000000000762000-memory.dmp	upx
behavioral1/memory/1628-58-0x0000000000400000-0x0000000000762000-memory.dmp	upx
behavioral1/memory/1628-59-0x0000000000400000-0x0000000000762000-memory.dmp	upx
behavioral1/memory/1628-63-0x0000000000400000-0x0000000000762000-memory.dmp	upx
behavioral1/memory/1628-64-0x0000000000400000-0x0000000000762000-memory.dmp	upx
behavioral1/memory/1628-65-0x0000000000400000-0x0000000000762000-memory.dmp	upx
behavioral1/memory/1628-74-0x0000000000400000-0x0000000000762000-memory.dmp	upx
behavioral1/memory/1312-87-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/1312-86-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/1312-81-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/1312-80-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/1312-78-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/1312-102-0x0000000000400000-0x000000000056A000-memory.dmp	upx
behavioral1/memory/1576-114-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1784-119-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1784-121-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1784-124-0x0000000010410000-0x0000000010480000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

svchost.exesvchost.exe

pid process

1628 svchost.exe
1628 svchost.exe
1312 svchost.exe

pid	process
1628	svchost.exe
1628	svchost.exe
1312	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exeHSCBC.EXEOPEN2C.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	HSCBC.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	OPEN2C.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPEN2C.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1628-64-0x0000000000400000-0x0000000000762000-memory.dmp	autoit_exe
behavioral1/memory/1628-65-0x0000000000400000-0x0000000000762000-memory.dmp	autoit_exe
\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
behavioral1/memory/1628-74-0x0000000000400000-0x0000000000762000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exeHSCBC.EXEOPEN2C.EXE

description	pid	process	target process
PID 1168 set thread context of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1476 set thread context of 1312	1476	HSCBC.EXE	svchost.exe
PID 1144 set thread context of 1576	1144	OPEN2C.EXE	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1784 svchost.exe
Token: SeDebugPrivilege 1784 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1784	svchost.exe
Token: SeDebugPrivilege	1784	svchost.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exeHSCBC.EXEOPEN2C.EXE

pid	process
1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
1476	HSCBC.EXE
1476	HSCBC.EXE
1144	OPEN2C.EXE
1144	OPEN2C.EXE
1476	HSCBC.EXE
1144	OPEN2C.EXE
1144	OPEN2C.EXE
1144	OPEN2C.EXE

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exeHSCBC.EXEOPEN2C.EXE

pid	process
1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
1476	HSCBC.EXE
1476	HSCBC.EXE
1144	OPEN2C.EXE
1144	OPEN2C.EXE
1476	HSCBC.EXE
1144	OPEN2C.EXE
1144	OPEN2C.EXE
1144	OPEN2C.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exesvchost.exeHSCBC.EXEOPEN2C.EXEsvchost.exesvchost.exe

description	pid	process	target process
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1168 wrote to memory of 1628	1168	b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe	svchost.exe
PID 1628 wrote to memory of 1476	1628	svchost.exe	HSCBC.EXE
PID 1628 wrote to memory of 1476	1628	svchost.exe	HSCBC.EXE
PID 1628 wrote to memory of 1476	1628	svchost.exe	HSCBC.EXE
PID 1628 wrote to memory of 1476	1628	svchost.exe	HSCBC.EXE
PID 1628 wrote to memory of 1144	1628	svchost.exe	OPEN2C.EXE
PID 1628 wrote to memory of 1144	1628	svchost.exe	OPEN2C.EXE
PID 1628 wrote to memory of 1144	1628	svchost.exe	OPEN2C.EXE
PID 1628 wrote to memory of 1144	1628	svchost.exe	OPEN2C.EXE
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1476 wrote to memory of 1312	1476	HSCBC.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1144 wrote to memory of 1576	1144	OPEN2C.EXE	svchost.exe
PID 1312 wrote to memory of 592	1312	svchost.exe	HIDDEN SIGHT.EXE
PID 1312 wrote to memory of 592	1312	svchost.exe	HIDDEN SIGHT.EXE
PID 1312 wrote to memory of 592	1312	svchost.exe	HIDDEN SIGHT.EXE
PID 1312 wrote to memory of 592	1312	svchost.exe	HIDDEN SIGHT.EXE
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe
PID 1576 wrote to memory of 1784	1576	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe
"C:\Users\Admin\AppData\Local\Temp\b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE
"C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
"C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE"
5⤵
- Executes dropped EXE
PID:592

C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE
"C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
58001f0d64026d11d7c15f3f32bdad90

SHA1
c96e7df4183fb2680a8505b9de272a5ab06d2eb5

SHA256
0c2b1b227736adafced90457930f189f880efa1c72828ea62c8cfbce46dc0939

SHA512
164df204b773ef9befa2ab24d7f47262977652865325aea98b1d19f807d9909735059313425f465c0fd02fe6ec3bc425bd12777f0b7f91eb441926958f132cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE

Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE

Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE

Filesize
2.1MB

MD5
f5799a961590d26685ff7be28ffdb411

SHA1
12ded45db4ec2842f3efb0fb66d3359100256776

SHA256
a20f2f35732899467e9f8e571b19100d90c6f2de8ebeaa3d2396e43388885157

SHA512
40c867eeab6f7f507b35ee91af4622019bfc2914f69ab9a202b6645486e11f2af3dc601974e2ae38d20222385d669a3983f2f4819817611d41787e02391fe2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE

Filesize
2.1MB

MD5
f5799a961590d26685ff7be28ffdb411

SHA1
12ded45db4ec2842f3efb0fb66d3359100256776

SHA256
a20f2f35732899467e9f8e571b19100d90c6f2de8ebeaa3d2396e43388885157

SHA512
40c867eeab6f7f507b35ee91af4622019bfc2914f69ab9a202b6645486e11f2af3dc601974e2ae38d20222385d669a3983f2f4819817611d41787e02391fe2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE

Filesize
1.2MB

MD5
da2b3550a161dccb7a7292711a76fcd4

SHA1
532613af7685f3c3b476210d7d2dfa7df4ee812c

SHA256
1d99f04c15bd9146ab1e576f02d3cf2483873432c493f0002e3c026592536bda

SHA512
9f5d25dd44f61c4b075ac49e330e0ea9e75e41a32266087481da02bac37c383969cfe8efb99cfc12e1444b92d1eadaa81cf543395d2d62114eb82d8a1c293eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE

Filesize
1.2MB

MD5
da2b3550a161dccb7a7292711a76fcd4

SHA1
532613af7685f3c3b476210d7d2dfa7df4ee812c

SHA256
1d99f04c15bd9146ab1e576f02d3cf2483873432c493f0002e3c026592536bda

SHA512
9f5d25dd44f61c4b075ac49e330e0ea9e75e41a32266087481da02bac37c383969cfe8efb99cfc12e1444b92d1eadaa81cf543395d2d62114eb82d8a1c293eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe

Filesize
3.1MB

MD5
713f0e4f5d1d025eb5a2feb578520767

SHA1
34873086330b0c142a1bc56986c3a883027aba01

SHA256
b5820955e9e488312bd1d6787e55aa0310adbe0108bca90a98c8678c9182ea62

SHA512
087e9d556da525269bc5daf793d355951cb69e0e17728c51294d7769a72b232a9014a84c03afae6c6bbdb2e05ba211f02b3526d34e502cb06d33e65c848b7326

Download Submit
\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE

Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
\Users\Admin\AppData\Local\Temp\HSCBC.EXE

Filesize
2.1MB

MD5
f5799a961590d26685ff7be28ffdb411

SHA1
12ded45db4ec2842f3efb0fb66d3359100256776

SHA256
a20f2f35732899467e9f8e571b19100d90c6f2de8ebeaa3d2396e43388885157

SHA512
40c867eeab6f7f507b35ee91af4622019bfc2914f69ab9a202b6645486e11f2af3dc601974e2ae38d20222385d669a3983f2f4819817611d41787e02391fe2c9

Download Submit
\Users\Admin\AppData\Local\Temp\OPEN2C.EXE

Filesize
1.2MB

MD5
da2b3550a161dccb7a7292711a76fcd4

SHA1
532613af7685f3c3b476210d7d2dfa7df4ee812c

SHA256
1d99f04c15bd9146ab1e576f02d3cf2483873432c493f0002e3c026592536bda

SHA512
9f5d25dd44f61c4b075ac49e330e0ea9e75e41a32266087481da02bac37c383969cfe8efb99cfc12e1444b92d1eadaa81cf543395d2d62114eb82d8a1c293eb7

Download Submit
memory/592-99-0x0000000000000000-mapping.dmp

Download
memory/592-125-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download
memory/592-123-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download
memory/592-108-0x0000000004B50000-0x0000000004CB6000-memory.dmp

Filesize
1.4MB

Download
memory/592-107-0x0000000000080000-0x00000000001CC000-memory.dmp

Filesize
1.3MB

Download
memory/1144-70-0x0000000000000000-mapping.dmp

Download
memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1312-81-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1312-102-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1312-87-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1312-86-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1312-80-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1312-78-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1312-77-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1312-82-0x0000000000568780-mapping.dmp

Download
memory/1476-67-0x0000000000000000-mapping.dmp

Download
memory/1576-114-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1576-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-94-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-91-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-95-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-122-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-93-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-103-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-101-0x0000000000409860-mapping.dmp

Download
memory/1576-106-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-92-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-110-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-98-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-88-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1628-59-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1628-64-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1628-74-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1628-63-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1628-60-0x000000000075FEF0-mapping.dmp

Download
memory/1628-58-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1628-56-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1628-65-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1628-55-0x0000000000400000-0x0000000000762000-memory.dmp

Filesize
3.4MB

Download
memory/1784-117-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1784-121-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1784-119-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1784-124-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1784-112-0x0000000000000000-mapping.dmp

Download