cybergate | 7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055

Analysis

max time kernel
151s
max time network
113s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
Size

4.4MB
MD5

9ed07118ff23d177f3d98b12508c5612
SHA1

b156685cf48c8e153716fc637078f1c52a66114e
SHA256

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055
SHA512

0267560c2f04e0344ed46771fde6a6d70a9d37c33c96779ad489e475395c2cce83da3981abd424e63a1746ba6333c58eb9915ff0081c0aac0e81e056798e8c57
SSDEEP

98304:4CjPKNckJS/qUXdaF3czuGtNf+LUy0Dx3HuSzO1edE/DcvKbKCSgUcTpBl4EDHh:4CbGlSiSaJ2ugEoD9OSEOWcEKdWpT7DB

Score

10^/10

cybergate vpn4 persistence spyware stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

VPN4

joujounette974.ddns.net:8027

Mutex

64M5FRUGH772A6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
HWID Generator is actually down. Please come back later.Sorry for inconvenience.
message_box_title
HWID Generator Error!!
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exeOPEN2C.EXEOPENC.EXEHSCBC.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	OPEN2C.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	OPENC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	HSCBC.EXE

Adds policy Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OPENC.EXEHSCBC.EXE7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exeOPEN2C.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OPENC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPENC.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	HSCBC.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OPEN2C.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPEN2C.EXE

Executes dropped EXE 5 IoCs

Processes:

HSCBC.EXEOPEN2C.EXEOPENC.EXEOPENGL.EXEHIDDEN SIGHT.EXE

pid process

1220 HSCBC.EXE
1716 OPEN2C.EXE
1912 OPENC.EXE
820 OPENGL.EXE
888 HIDDEN SIGHT.EXE

pid	process
1220	HSCBC.EXE
1716	OPEN2C.EXE
1912	OPENC.EXE
820	OPENGL.EXE
888	HIDDEN SIGHT.EXE

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-56-0x0000000000400000-0x0000000000840000-memory.dmp	upx
behavioral1/memory/1732-58-0x0000000000400000-0x0000000000840000-memory.dmp	upx
behavioral1/memory/1732-59-0x0000000000400000-0x0000000000840000-memory.dmp	upx
behavioral1/memory/1732-63-0x0000000000400000-0x0000000000840000-memory.dmp	upx
behavioral1/memory/1732-64-0x0000000000400000-0x0000000000840000-memory.dmp	upx
behavioral1/memory/1732-65-0x0000000000400000-0x0000000000840000-memory.dmp	upx
behavioral1/memory/1732-78-0x0000000000400000-0x0000000000840000-memory.dmp	upx
behavioral1/memory/1736-126-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1628-131-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1628-132-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1628-136-0x0000000010410000-0x0000000010480000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

1732 svchost.exe
1732 svchost.exe
1732 svchost.exe
708 svchost.exe
708 svchost.exe
1780 svchost.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1732	svchost.exe
1732	svchost.exe
1732	svchost.exe
708	svchost.exe
708	svchost.exe
1780	svchost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exeOPEN2C.EXEOPENC.EXEHSCBC.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	OPEN2C.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPEN2C.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	OPENC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPENC.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	HSCBC.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1732-60-0x000000000083EB00-mapping.dmp	autoit_exe
behavioral1/memory/1732-64-0x0000000000400000-0x0000000000840000-memory.dmp	autoit_exe
behavioral1/memory/1732-65-0x0000000000400000-0x0000000000840000-memory.dmp	autoit_exe
\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
\Users\Admin\AppData\Local\Temp\OPENC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE	autoit_exe
behavioral1/memory/1732-78-0x0000000000400000-0x0000000000840000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exeOPEN2C.EXEOPENC.EXEHSCBC.EXE

description	pid	process	target process
PID 1900 set thread context of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1716 set thread context of 708	1716	OPEN2C.EXE	svchost.exe
PID 1912 set thread context of 1736	1912	OPENC.EXE	svchost.exe
PID 1220 set thread context of 1780	1220	HSCBC.EXE	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

OPENGL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OPENGL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	OPENGL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OPENGL.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

OPENGL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	OPENGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1628 svchost.exe
Token: SeDebugPrivilege 1628 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1628	svchost.exe
Token: SeDebugPrivilege	1628	svchost.exe

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exeOPEN2C.EXEHSCBC.EXEOPENC.EXE

pid	process
1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
1716	OPEN2C.EXE
1716	OPEN2C.EXE
1220	HSCBC.EXE
1220	HSCBC.EXE
1912	OPENC.EXE
1912	OPENC.EXE
1220	HSCBC.EXE
1716	OPEN2C.EXE
1716	OPEN2C.EXE
1912	OPENC.EXE
1912	OPENC.EXE
1912	OPENC.EXE
1220	HSCBC.EXE
1220	HSCBC.EXE

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exeOPEN2C.EXEHSCBC.EXEOPENC.EXE

pid	process
1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
1716	OPEN2C.EXE
1716	OPEN2C.EXE
1220	HSCBC.EXE
1220	HSCBC.EXE
1912	OPENC.EXE
1912	OPENC.EXE
1220	HSCBC.EXE
1716	OPEN2C.EXE
1716	OPEN2C.EXE
1912	OPENC.EXE
1912	OPENC.EXE
1912	OPENC.EXE
1220	HSCBC.EXE
1220	HSCBC.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OPENGL.EXE

pid process

820 OPENGL.EXE
820 OPENGL.EXE

pid	process
820	OPENGL.EXE
820	OPENGL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exesvchost.exeOPEN2C.EXEsvchost.exeHSCBC.EXEOPENC.EXEsvchost.exe

description	pid	process	target process
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1900 wrote to memory of 1732	1900	7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe	svchost.exe
PID 1732 wrote to memory of 1220	1732	svchost.exe	HSCBC.EXE
PID 1732 wrote to memory of 1220	1732	svchost.exe	HSCBC.EXE
PID 1732 wrote to memory of 1220	1732	svchost.exe	HSCBC.EXE
PID 1732 wrote to memory of 1220	1732	svchost.exe	HSCBC.EXE
PID 1732 wrote to memory of 1716	1732	svchost.exe	OPEN2C.EXE
PID 1732 wrote to memory of 1716	1732	svchost.exe	OPEN2C.EXE
PID 1732 wrote to memory of 1716	1732	svchost.exe	OPEN2C.EXE
PID 1732 wrote to memory of 1716	1732	svchost.exe	OPEN2C.EXE
PID 1732 wrote to memory of 1912	1732	svchost.exe	OPENC.EXE
PID 1732 wrote to memory of 1912	1732	svchost.exe	OPENC.EXE
PID 1732 wrote to memory of 1912	1732	svchost.exe	OPENC.EXE
PID 1732 wrote to memory of 1912	1732	svchost.exe	OPENC.EXE
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 1716 wrote to memory of 708	1716	OPEN2C.EXE	svchost.exe
PID 708 wrote to memory of 820	708	svchost.exe	OPENGL.EXE
PID 708 wrote to memory of 820	708	svchost.exe	OPENGL.EXE
PID 708 wrote to memory of 820	708	svchost.exe	OPENGL.EXE
PID 708 wrote to memory of 820	708	svchost.exe	OPENGL.EXE
PID 1220 wrote to memory of 1780	1220	HSCBC.EXE	svchost.exe
PID 1220 wrote to memory of 1780	1220	HSCBC.EXE	svchost.exe
PID 1220 wrote to memory of 1780	1220	HSCBC.EXE	svchost.exe
PID 1220 wrote to memory of 1780	1220	HSCBC.EXE	svchost.exe
PID 1220 wrote to memory of 1780	1220	HSCBC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1912 wrote to memory of 1736	1912	OPENC.EXE	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe
PID 1736 wrote to memory of 1628	1736	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe
"C:\Users\Admin\AppData\Local\Temp\7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE
"C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Loads dropped DLL
PID:1780

C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
"C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE"
5⤵
- Executes dropped EXE
PID:888

C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE
"C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
"C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE"
5⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:820

C:\Users\Admin\AppData\Local\Temp\OPENC.EXE
"C:\Users\Admin\AppData\Local\Temp\OPENC.EXE"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
f71bd4785fea449e63819a9b39a98bf7

SHA1
7eb8bad4cc669c01f80f00968402662d482bea90

SHA256
a82f26d5964313ff2e7139c64a163f3d0ecffab528df55e7911c7b150790a3b7

SHA512
d0becd76374213e47bdc55e6313d78bc3e2509c932e7f4adaefc557d60b2dc9396ad0910abace2cd1bd46f9b25b59c076a4f6895aab1abcb0fcce560592dcbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE

Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE

Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE

Filesize
2.1MB

MD5
79243da94c2c6d3d78247422e4cb78e0

SHA1
6e6e9d157cba4171e2a26c196328c64208e8ed43

SHA256
2a789d163786760ea8ef32c644de547a53fba9da219db3341d869b7aca9570f0

SHA512
d09cdc81ad74598b6d2342d1b98bfacf88ab830ad75434873969aac29a77937068c2bca11ee005c1724797a9055efd4a03018e0aad97c4103e531eff752b389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE

Filesize
2.1MB

MD5
79243da94c2c6d3d78247422e4cb78e0

SHA1
6e6e9d157cba4171e2a26c196328c64208e8ed43

SHA256
2a789d163786760ea8ef32c644de547a53fba9da219db3341d869b7aca9570f0

SHA512
d09cdc81ad74598b6d2342d1b98bfacf88ab830ad75434873969aac29a77937068c2bca11ee005c1724797a9055efd4a03018e0aad97c4103e531eff752b389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE

Filesize
888KB

MD5
4e4818e6840c81dbdf8a25efb9b0f70e

SHA1
96b54837747ae556cc16439d66437e6abb97a4eb

SHA256
68886d0f0a55930b409be489dde9b4073a3e59ece4e804cd8b54fbf480ed57e9

SHA512
2dcbdd53f0b2af1cd99ff4874b53d920a5fcfc5043fb47a85598261d381bbc52dc3f633f87187259cb5a7b03533c57c5488ca414bcdc136898fcf0bf62aa1ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE

Filesize
888KB

MD5
4e4818e6840c81dbdf8a25efb9b0f70e

SHA1
96b54837747ae556cc16439d66437e6abb97a4eb

SHA256
68886d0f0a55930b409be489dde9b4073a3e59ece4e804cd8b54fbf480ed57e9

SHA512
2dcbdd53f0b2af1cd99ff4874b53d920a5fcfc5043fb47a85598261d381bbc52dc3f633f87187259cb5a7b03533c57c5488ca414bcdc136898fcf0bf62aa1ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE

Filesize
1.2MB

MD5
eec4104f809db2664f6190263407e310

SHA1
2367ed04c753d8cc11275742da6a799e6c759a0d

SHA256
b3ad13a78dcab54c9dca91dcefd3a562d24835d9049ba0a3d490fc71a04947bf

SHA512
f8e79039f1c0d6ba7038b7ad0d67786602aa52c9a89f8159f428556ae53075ec7aaa859a3552775bf5c9c25c5ae3202b2d6a385319e2eb5f4f4952e894c693a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE

Filesize
1.2MB

MD5
eec4104f809db2664f6190263407e310

SHA1
2367ed04c753d8cc11275742da6a799e6c759a0d

SHA256
b3ad13a78dcab54c9dca91dcefd3a562d24835d9049ba0a3d490fc71a04947bf

SHA512
f8e79039f1c0d6ba7038b7ad0d67786602aa52c9a89f8159f428556ae53075ec7aaa859a3552775bf5c9c25c5ae3202b2d6a385319e2eb5f4f4952e894c693a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE

Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE

Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe

Filesize
4.4MB

MD5
9ed07118ff23d177f3d98b12508c5612

SHA1
b156685cf48c8e153716fc637078f1c52a66114e

SHA256
7fa4e5e11ec3818f6caef4fe877d14d60513352dbabd1f3a6a80e3918eea5055

SHA512
0267560c2f04e0344ed46771fde6a6d70a9d37c33c96779ad489e475395c2cce83da3981abd424e63a1746ba6333c58eb9915ff0081c0aac0e81e056798e8c57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe

Filesize
1.2MB

MD5
eec4104f809db2664f6190263407e310

SHA1
2367ed04c753d8cc11275742da6a799e6c759a0d

SHA256
b3ad13a78dcab54c9dca91dcefd3a562d24835d9049ba0a3d490fc71a04947bf

SHA512
f8e79039f1c0d6ba7038b7ad0d67786602aa52c9a89f8159f428556ae53075ec7aaa859a3552775bf5c9c25c5ae3202b2d6a385319e2eb5f4f4952e894c693a9

Download Submit
\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE

Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
\Users\Admin\AppData\Local\Temp\HSCBC.EXE

Filesize
2.1MB

MD5
79243da94c2c6d3d78247422e4cb78e0

SHA1
6e6e9d157cba4171e2a26c196328c64208e8ed43

SHA256
2a789d163786760ea8ef32c644de547a53fba9da219db3341d869b7aca9570f0

SHA512
d09cdc81ad74598b6d2342d1b98bfacf88ab830ad75434873969aac29a77937068c2bca11ee005c1724797a9055efd4a03018e0aad97c4103e531eff752b389c

Download Submit
\Users\Admin\AppData\Local\Temp\OPEN2C.EXE

Filesize
888KB

MD5
4e4818e6840c81dbdf8a25efb9b0f70e

SHA1
96b54837747ae556cc16439d66437e6abb97a4eb

SHA256
68886d0f0a55930b409be489dde9b4073a3e59ece4e804cd8b54fbf480ed57e9

SHA512
2dcbdd53f0b2af1cd99ff4874b53d920a5fcfc5043fb47a85598261d381bbc52dc3f633f87187259cb5a7b03533c57c5488ca414bcdc136898fcf0bf62aa1ff8

Download Submit
\Users\Admin\AppData\Local\Temp\OPENC.EXE

Filesize
1.2MB

MD5
eec4104f809db2664f6190263407e310

SHA1
2367ed04c753d8cc11275742da6a799e6c759a0d

SHA256
b3ad13a78dcab54c9dca91dcefd3a562d24835d9049ba0a3d490fc71a04947bf

SHA512
f8e79039f1c0d6ba7038b7ad0d67786602aa52c9a89f8159f428556ae53075ec7aaa859a3552775bf5c9c25c5ae3202b2d6a385319e2eb5f4f4952e894c693a9

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE

Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE

Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
memory/708-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-101-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-93-0x0000000000403248-mapping.dmp

Download
memory/708-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/708-92-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-135-0x000007FEF29A0000-0x000007FEF3A36000-memory.dmp

Filesize
16.6MB

Download
memory/820-100-0x0000000000000000-mapping.dmp

Download
memory/820-121-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download
memory/820-159-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/820-162-0x00000000004B0000-0x0000000000530000-memory.dmp

Filesize
512KB

Download
memory/888-160-0x0000000004C46000-0x0000000004C57000-memory.dmp

Filesize
68KB

Download
memory/888-163-0x0000000004C46000-0x0000000004C57000-memory.dmp

Filesize
68KB

Download
memory/888-151-0x0000000000000000-mapping.dmp

Download
memory/888-155-0x0000000000E60000-0x0000000000FAC000-memory.dmp

Filesize
1.3MB

Download
memory/888-156-0x00000000048E0000-0x0000000004A46000-memory.dmp

Filesize
1.4MB

Download
memory/1220-67-0x0000000000000000-mapping.dmp

Download
memory/1628-132-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1628-124-0x0000000000000000-mapping.dmp

Download
memory/1628-131-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1628-129-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1628-136-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1716-71-0x0000000000000000-mapping.dmp

Download
memory/1732-78-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1732-58-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1732-59-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1732-56-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1732-55-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1732-63-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1732-64-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1732-60-0x000000000083EB00-mapping.dmp

Download
memory/1732-65-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1736-110-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-112-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-122-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-134-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-120-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-118-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-107-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-108-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-111-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-126-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1736-113-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-114-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-116-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1736-117-0x0000000000409860-mapping.dmp

Download
memory/1780-149-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-145-0x0000000000403248-mapping.dmp

Download
memory/1780-144-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-142-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-153-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-140-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-139-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-137-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-105-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1780-104-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1900-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1912-76-0x0000000000000000-mapping.dmp

Download