cybergate | 562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
Size

4.0MB
MD5

dbf7cf4242162d9f96442d091081cb84
SHA1

729aabddc27569be04af0dd261249bddec0321cd
SHA256

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0
SHA512

8a7e3f693acc936343a4d671ee8009b049ba4b8a22c978997e4ffd91cb0b78732d048a89620a016cfa4db838c4772d0e2f79e9bfe91a8a885948c1f418c1b8fe
SSDEEP

98304:wCjPKNZ0StVb4sUbpoyOmibD+Zupx8xNGVh:wCbGWWELpoyOm6veNGh

Score

10^/10

cybergate njrat update14/08 vpn4 evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

update14/08

joujounette974.ddns.net:8027

Mutex

4fa07418dc12247f287b9c9760beff66

Attributes

reg_key
4fa07418dc12247f287b9c9760beff66
splitter
|'|'|

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

VPN4

joujounette974.ddns.net:8027

Mutex

64M5FRUGH772A6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
HWID Generator is actually down. Please come back later.Sorry for inconvenience.
message_box_title
HWID Generator Error!!
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exeOPENGL.EXEHSCBC.EXEOPENC.EXEOPEN2C.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	OPENGL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	OPENC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	OPEN2C.EXE

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds policy Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exeOPENGL.EXEOPENC.EXEOPEN2C.EXEHSCBC.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OPENGL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OPENC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPEN2C.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPENGL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPENC.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OPEN2C.EXE

Executes dropped EXE 8 IoCs

Processes:

HSC.NONCRYPT.EXEOPENGL.EXEHSCBC.EXEOPEN2C.EXEOPENC.EXEOPEN.EXEHIDDEN SIGHT.EXEOPENGL.EXE

pid process

1380 HSC.NONCRYPT.EXE
1768 OPENGL.EXE
836 HSCBC.EXE
1172 OPEN2C.EXE
1348 OPENC.EXE
1492 OPEN.EXE
1652 HIDDEN SIGHT.EXE
1392 OPENGL.EXE
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1664 netsh.exe

pid	process
1380	HSC.NONCRYPT.EXE
1768	OPENGL.EXE
836	HSCBC.EXE
1172	OPEN2C.EXE
1348	OPENC.EXE
1492	OPEN.EXE
1652	HIDDEN SIGHT.EXE
1392	OPENGL.EXE

pid	process
1664	netsh.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/960-56-0x0000000000400000-0x00000000007B7000-memory.dmp	upx
behavioral1/memory/960-58-0x0000000000400000-0x00000000007B7000-memory.dmp	upx
behavioral1/memory/960-59-0x0000000000400000-0x00000000007B7000-memory.dmp	upx
behavioral1/memory/960-63-0x0000000000400000-0x00000000007B7000-memory.dmp	upx
behavioral1/memory/960-64-0x0000000000400000-0x00000000007B7000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE	upx
\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE	upx
C:\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE	upx
behavioral1/memory/960-74-0x0000000000400000-0x00000000007B7000-memory.dmp	upx
behavioral1/memory/1380-76-0x0000000001370000-0x00000000017B0000-memory.dmp	upx
behavioral1/memory/1380-107-0x0000000001370000-0x00000000017B0000-memory.dmp	upx
behavioral1/memory/1420-189-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1420-195-0x0000000010410000-0x0000000010480000-memory.dmp	upx

Loads dropped DLL 10 IoCs

Processes:

svchost.exeHSC.NONCRYPT.EXEsvchost.exesvchost.exesvchost.exe

pid	process
960	svchost.exe
960	svchost.exe
960	svchost.exe
1380	HSC.NONCRYPT.EXE
1380	HSC.NONCRYPT.EXE
1380	HSC.NONCRYPT.EXE
992	svchost.exe
292	svchost.exe
860	svchost.exe
860	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exeOPENGL.EXEHSCBC.EXEOPENC.EXEOPEN2C.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	OPENGL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPENGL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	HSCBC.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	OPENC.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	HSCBC.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPENC.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	OPEN2C.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	OPEN2C.EXE

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/960-64-0x0000000000400000-0x00000000007B7000-memory.dmp	autoit_exe
\Users\Admin\AppData\Local\Temp\OPENGL.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE	autoit_exe
behavioral1/memory/960-74-0x0000000000400000-0x00000000007B7000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE	autoit_exe
behavioral1/memory/1380-76-0x0000000001370000-0x00000000017B0000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
\Users\Admin\AppData\Local\Temp\HSCBC.EXE	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\OPENC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE	autoit_exe
behavioral1/memory/1380-107-0x0000000001370000-0x00000000017B0000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe	autoit_exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exeOPENGL.EXEHSCBC.EXEOPENC.EXEOPEN2C.EXE

description	pid	process	target process
PID 864 set thread context of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 1768 set thread context of 992	1768	OPENGL.EXE	svchost.exe
PID 836 set thread context of 292	836	HSCBC.EXE	svchost.exe
PID 1348 set thread context of 2040	1348	OPENC.EXE	svchost.exe
PID 1172 set thread context of 860	1172	OPEN2C.EXE	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

OPENGL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	OPENGL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OPENGL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OPENGL.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

OPENGL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	OPENGL.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

svchost.exeOPEN.EXE

description	pid	process
Token: SeDebugPrivilege	1420	svchost.exe
Token: SeDebugPrivilege	1420	svchost.exe
Token: SeDebugPrivilege	1492	OPEN.EXE
Token: 33	1492	OPEN.EXE
Token: SeIncBasePriorityPrivilege	1492	OPEN.EXE
Token: 33	1492	OPEN.EXE
Token: SeIncBasePriorityPrivilege	1492	OPEN.EXE
Token: 33	1492	OPEN.EXE
Token: SeIncBasePriorityPrivilege	1492	OPEN.EXE
Token: 33	1492	OPEN.EXE
Token: SeIncBasePriorityPrivilege	1492	OPEN.EXE
Token: 33	1492	OPEN.EXE
Token: SeIncBasePriorityPrivilege	1492	OPEN.EXE
Token: 33	1492	OPEN.EXE
Token: SeIncBasePriorityPrivilege	1492	OPEN.EXE

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exeOPENGL.EXEHSCBC.EXEOPEN2C.EXEOPENC.EXE

pid	process
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
1768	OPENGL.EXE
1768	OPENGL.EXE
836	HSCBC.EXE
836	HSCBC.EXE
836	HSCBC.EXE
1768	OPENGL.EXE
1768	OPENGL.EXE
1172	OPEN2C.EXE
1172	OPEN2C.EXE
1172	OPEN2C.EXE
1348	OPENC.EXE
1348	OPENC.EXE
836	HSCBC.EXE
836	HSCBC.EXE
1172	OPEN2C.EXE
1348	OPENC.EXE
1348	OPENC.EXE
1172	OPEN2C.EXE
1172	OPEN2C.EXE

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exeOPENGL.EXEHSCBC.EXEOPEN2C.EXEOPENC.EXE

pid	process
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
1768	OPENGL.EXE
1768	OPENGL.EXE
836	HSCBC.EXE
836	HSCBC.EXE
836	HSCBC.EXE
1768	OPENGL.EXE
1768	OPENGL.EXE
1172	OPEN2C.EXE
1172	OPEN2C.EXE
1172	OPEN2C.EXE
1348	OPENC.EXE
1348	OPENC.EXE
836	HSCBC.EXE
836	HSCBC.EXE
1172	OPEN2C.EXE
1348	OPENC.EXE
1348	OPENC.EXE
1172	OPEN2C.EXE
1172	OPEN2C.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OPENGL.EXE

pid process

1392 OPENGL.EXE
1392 OPENGL.EXE

pid	process
1392	OPENGL.EXE
1392	OPENGL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exesvchost.exeOPENGL.EXEHSC.NONCRYPT.EXEHSCBC.EXEsvchost.exeOPENC.EXEsvchost.exe

description	pid	process	target process
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 864 wrote to memory of 960	864	562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe	svchost.exe
PID 960 wrote to memory of 1380	960	svchost.exe	HSC.NONCRYPT.EXE
PID 960 wrote to memory of 1380	960	svchost.exe	HSC.NONCRYPT.EXE
PID 960 wrote to memory of 1380	960	svchost.exe	HSC.NONCRYPT.EXE
PID 960 wrote to memory of 1380	960	svchost.exe	HSC.NONCRYPT.EXE
PID 960 wrote to memory of 1768	960	svchost.exe	OPENGL.EXE
PID 960 wrote to memory of 1768	960	svchost.exe	OPENGL.EXE
PID 960 wrote to memory of 1768	960	svchost.exe	OPENGL.EXE
PID 960 wrote to memory of 1768	960	svchost.exe	OPENGL.EXE
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1380 wrote to memory of 836	1380	HSC.NONCRYPT.EXE	HSCBC.EXE
PID 1380 wrote to memory of 836	1380	HSC.NONCRYPT.EXE	HSCBC.EXE
PID 1380 wrote to memory of 836	1380	HSC.NONCRYPT.EXE	HSCBC.EXE
PID 1380 wrote to memory of 836	1380	HSC.NONCRYPT.EXE	HSCBC.EXE
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1768 wrote to memory of 992	1768	OPENGL.EXE	svchost.exe
PID 1380 wrote to memory of 1172	1380	HSC.NONCRYPT.EXE	OPEN2C.EXE
PID 1380 wrote to memory of 1172	1380	HSC.NONCRYPT.EXE	OPEN2C.EXE
PID 1380 wrote to memory of 1172	1380	HSC.NONCRYPT.EXE	OPEN2C.EXE
PID 1380 wrote to memory of 1172	1380	HSC.NONCRYPT.EXE	OPEN2C.EXE
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 1380 wrote to memory of 1348	1380	HSC.NONCRYPT.EXE	OPENC.EXE
PID 1380 wrote to memory of 1348	1380	HSC.NONCRYPT.EXE	OPENC.EXE
PID 1380 wrote to memory of 1348	1380	HSC.NONCRYPT.EXE	OPENC.EXE
PID 1380 wrote to memory of 1348	1380	HSC.NONCRYPT.EXE	OPENC.EXE
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 992 wrote to memory of 1492	992	svchost.exe	OPEN.EXE
PID 992 wrote to memory of 1492	992	svchost.exe	OPEN.EXE
PID 992 wrote to memory of 1492	992	svchost.exe	OPEN.EXE
PID 992 wrote to memory of 1492	992	svchost.exe	OPEN.EXE
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 836 wrote to memory of 292	836	HSCBC.EXE	svchost.exe
PID 1348 wrote to memory of 2040	1348	OPENC.EXE	svchost.exe
PID 1348 wrote to memory of 2040	1348	OPENC.EXE	svchost.exe
PID 1348 wrote to memory of 2040	1348	OPENC.EXE	svchost.exe
PID 1348 wrote to memory of 2040	1348	OPENC.EXE	svchost.exe
PID 292 wrote to memory of 1652	292	svchost.exe	HIDDEN SIGHT.EXE
PID 292 wrote to memory of 1652	292	svchost.exe	HIDDEN SIGHT.EXE
PID 292 wrote to memory of 1652	292	svchost.exe	HIDDEN SIGHT.EXE
PID 292 wrote to memory of 1652	292	svchost.exe	HIDDEN SIGHT.EXE
PID 1348 wrote to memory of 2040	1348	OPENC.EXE	svchost.exe
PID 1348 wrote to memory of 2040	1348	OPENC.EXE	svchost.exe

C:\Users\Admin\AppData\Local\Temp\562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe
"C:\Users\Admin\AppData\Local\Temp\562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE
"C:\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE
"C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE"
4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
"C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE"
6⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE
"C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE"
4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1172

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
5⤵
- Loads dropped DLL
PID:860

C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
"C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE"
6⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Users\Admin\AppData\Local\Temp\OPENC.EXE
"C:\Users\Admin\AppData\Local\Temp\OPENC.EXE"
4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
5⤵
PID:2040

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
"C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\OPEN.EXE
"C:\Users\Admin\AppData\Local\Temp\OPEN.EXE"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\OPEN.EXE" "OPEN.EXE" ENABLE
6⤵
- Modifies Windows Firewall
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
385KB

MD5
f71bd4785fea449e63819a9b39a98bf7

SHA1
7eb8bad4cc669c01f80f00968402662d482bea90

SHA256
a82f26d5964313ff2e7139c64a163f3d0ecffab528df55e7911c7b150790a3b7

SHA512
d0becd76374213e47bdc55e6313d78bc3e2509c932e7f4adaefc557d60b2dc9396ad0910abace2cd1bd46f9b25b59c076a4f6895aab1abcb0fcce560592dcbc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE
Filesize
2.4MB

MD5
8e747a4a069d68981408241abd84328e

SHA1
5f17baa027ab3f1f5baff4da37ec15e98556031d

SHA256
406f4cd9147d3188c8bde245c0962f851e4b17310ff94afd60830ccb8ec88547

SHA512
3707ed12ac60f4820bf8b4079e99719582301d8d6afe2b5d213cbb39977ce17ec5608e1634a78762881889519ffb9a27b53a615c6d2bb780df40e821f43b5b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE
Filesize
2.1MB

MD5
79243da94c2c6d3d78247422e4cb78e0

SHA1
6e6e9d157cba4171e2a26c196328c64208e8ed43

SHA256
2a789d163786760ea8ef32c644de547a53fba9da219db3341d869b7aca9570f0

SHA512
d09cdc81ad74598b6d2342d1b98bfacf88ab830ad75434873969aac29a77937068c2bca11ee005c1724797a9055efd4a03018e0aad97c4103e531eff752b389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSCBC.EXE
Filesize
2.1MB

MD5
79243da94c2c6d3d78247422e4cb78e0

SHA1
6e6e9d157cba4171e2a26c196328c64208e8ed43

SHA256
2a789d163786760ea8ef32c644de547a53fba9da219db3341d869b7aca9570f0

SHA512
d09cdc81ad74598b6d2342d1b98bfacf88ab830ad75434873969aac29a77937068c2bca11ee005c1724797a9055efd4a03018e0aad97c4103e531eff752b389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN.EXE
Filesize
206KB

MD5
7299394289adff5f8899683f9ce1bdee

SHA1
a65472d5cc55592de6f7427e5e469880c10e675c

SHA256
2feec1161972fb5c86a483b5d4c9e734684fc5a3e4779fd4dcf1031c8bf22bf3

SHA512
dafc35f6e6b670d41528894247927d12bbad6a964fa9013f7ab8ee7a73ab9d0feb4e532083452f0964e9f4bda11336f3a85f12b58d30a09a3d388258604f07a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN.EXE
Filesize
206KB

MD5
7299394289adff5f8899683f9ce1bdee

SHA1
a65472d5cc55592de6f7427e5e469880c10e675c

SHA256
2feec1161972fb5c86a483b5d4c9e734684fc5a3e4779fd4dcf1031c8bf22bf3

SHA512
dafc35f6e6b670d41528894247927d12bbad6a964fa9013f7ab8ee7a73ab9d0feb4e532083452f0964e9f4bda11336f3a85f12b58d30a09a3d388258604f07a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE
Filesize
888KB

MD5
4e4818e6840c81dbdf8a25efb9b0f70e

SHA1
96b54837747ae556cc16439d66437e6abb97a4eb

SHA256
68886d0f0a55930b409be489dde9b4073a3e59ece4e804cd8b54fbf480ed57e9

SHA512
2dcbdd53f0b2af1cd99ff4874b53d920a5fcfc5043fb47a85598261d381bbc52dc3f633f87187259cb5a7b03533c57c5488ca414bcdc136898fcf0bf62aa1ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPEN2C.EXE
Filesize
888KB

MD5
4e4818e6840c81dbdf8a25efb9b0f70e

SHA1
96b54837747ae556cc16439d66437e6abb97a4eb

SHA256
68886d0f0a55930b409be489dde9b4073a3e59ece4e804cd8b54fbf480ed57e9

SHA512
2dcbdd53f0b2af1cd99ff4874b53d920a5fcfc5043fb47a85598261d381bbc52dc3f633f87187259cb5a7b03533c57c5488ca414bcdc136898fcf0bf62aa1ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE
Filesize
1.2MB

MD5
eec4104f809db2664f6190263407e310

SHA1
2367ed04c753d8cc11275742da6a799e6c759a0d

SHA256
b3ad13a78dcab54c9dca91dcefd3a562d24835d9049ba0a3d490fc71a04947bf

SHA512
f8e79039f1c0d6ba7038b7ad0d67786602aa52c9a89f8159f428556ae53075ec7aaa859a3552775bf5c9c25c5ae3202b2d6a385319e2eb5f4f4952e894c693a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENC.EXE
Filesize
1.2MB

MD5
eec4104f809db2664f6190263407e310

SHA1
2367ed04c753d8cc11275742da6a799e6c759a0d

SHA256
b3ad13a78dcab54c9dca91dcefd3a562d24835d9049ba0a3d490fc71a04947bf

SHA512
f8e79039f1c0d6ba7038b7ad0d67786602aa52c9a89f8159f428556ae53075ec7aaa859a3552775bf5c9c25c5ae3202b2d6a385319e2eb5f4f4952e894c693a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
1.3MB

MD5
f703799934b3519463c61e3253438d32

SHA1
1f3ba83999f1a31a4dc186bc8774f78f1b6621d4

SHA256
40fc1462e7cf527ace69297326ce89d443f2ab72299648e7504b1e3d0f1e065a

SHA512
204153c17a57e2b4927d3bebf3be23af5b4676cc64cb5c6f53a6b4e45f84c9d396dd59303fdf90fdf9c5d07f0e71cb3d341363e0f3efb0d920e3d7094431338c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
1.3MB

MD5
f703799934b3519463c61e3253438d32

SHA1
1f3ba83999f1a31a4dc186bc8774f78f1b6621d4

SHA256
40fc1462e7cf527ace69297326ce89d443f2ab72299648e7504b1e3d0f1e065a

SHA512
204153c17a57e2b4927d3bebf3be23af5b4676cc64cb5c6f53a6b4e45f84c9d396dd59303fdf90fdf9c5d07f0e71cb3d341363e0f3efb0d920e3d7094431338c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
2.1MB

MD5
79243da94c2c6d3d78247422e4cb78e0

SHA1
6e6e9d157cba4171e2a26c196328c64208e8ed43

SHA256
2a789d163786760ea8ef32c644de547a53fba9da219db3341d869b7aca9570f0

SHA512
d09cdc81ad74598b6d2342d1b98bfacf88ab830ad75434873969aac29a77937068c2bca11ee005c1724797a9055efd4a03018e0aad97c4103e531eff752b389c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
4.0MB

MD5
dbf7cf4242162d9f96442d091081cb84

SHA1
729aabddc27569be04af0dd261249bddec0321cd

SHA256
562405929b8de1d05cae02c1e654c21a7a961e5ef07c83f4c6d764194e0f46d0

SHA512
8a7e3f693acc936343a4d671ee8009b049ba4b8a22c978997e4ffd91cb0b78732d048a89620a016cfa4db838c4772d0e2f79e9bfe91a8a885948c1f418c1b8fe

Download Submit
\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE
Filesize
2.4MB

MD5
8e747a4a069d68981408241abd84328e

SHA1
5f17baa027ab3f1f5baff4da37ec15e98556031d

SHA256
406f4cd9147d3188c8bde245c0962f851e4b17310ff94afd60830ccb8ec88547

SHA512
3707ed12ac60f4820bf8b4079e99719582301d8d6afe2b5d213cbb39977ce17ec5608e1634a78762881889519ffb9a27b53a615c6d2bb780df40e821f43b5b0e

Download Submit
\Users\Admin\AppData\Local\Temp\HSC.NONCRYPT.EXE
Filesize
2.4MB

MD5
8e747a4a069d68981408241abd84328e

SHA1
5f17baa027ab3f1f5baff4da37ec15e98556031d

SHA256
406f4cd9147d3188c8bde245c0962f851e4b17310ff94afd60830ccb8ec88547

SHA512
3707ed12ac60f4820bf8b4079e99719582301d8d6afe2b5d213cbb39977ce17ec5608e1634a78762881889519ffb9a27b53a615c6d2bb780df40e821f43b5b0e

Download Submit
\Users\Admin\AppData\Local\Temp\HSCBC.EXE
Filesize
2.1MB

MD5
79243da94c2c6d3d78247422e4cb78e0

SHA1
6e6e9d157cba4171e2a26c196328c64208e8ed43

SHA256
2a789d163786760ea8ef32c644de547a53fba9da219db3341d869b7aca9570f0

SHA512
d09cdc81ad74598b6d2342d1b98bfacf88ab830ad75434873969aac29a77937068c2bca11ee005c1724797a9055efd4a03018e0aad97c4103e531eff752b389c

Download Submit
\Users\Admin\AppData\Local\Temp\OPEN.EXE
Filesize
206KB

MD5
7299394289adff5f8899683f9ce1bdee

SHA1
a65472d5cc55592de6f7427e5e469880c10e675c

SHA256
2feec1161972fb5c86a483b5d4c9e734684fc5a3e4779fd4dcf1031c8bf22bf3

SHA512
dafc35f6e6b670d41528894247927d12bbad6a964fa9013f7ab8ee7a73ab9d0feb4e532083452f0964e9f4bda11336f3a85f12b58d30a09a3d388258604f07a5

Download Submit
\Users\Admin\AppData\Local\Temp\OPEN2C.EXE
Filesize
888KB

MD5
4e4818e6840c81dbdf8a25efb9b0f70e

SHA1
96b54837747ae556cc16439d66437e6abb97a4eb

SHA256
68886d0f0a55930b409be489dde9b4073a3e59ece4e804cd8b54fbf480ed57e9

SHA512
2dcbdd53f0b2af1cd99ff4874b53d920a5fcfc5043fb47a85598261d381bbc52dc3f633f87187259cb5a7b03533c57c5488ca414bcdc136898fcf0bf62aa1ff8

Download Submit
\Users\Admin\AppData\Local\Temp\OPENC.EXE
Filesize
1.2MB

MD5
eec4104f809db2664f6190263407e310

SHA1
2367ed04c753d8cc11275742da6a799e6c759a0d

SHA256
b3ad13a78dcab54c9dca91dcefd3a562d24835d9049ba0a3d490fc71a04947bf

SHA512
f8e79039f1c0d6ba7038b7ad0d67786602aa52c9a89f8159f428556ae53075ec7aaa859a3552775bf5c9c25c5ae3202b2d6a385319e2eb5f4f4952e894c693a9

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
57KB

MD5
726f1ca343fa18b6dae23b2ca0f13447

SHA1
856ae7acd0d7386aa72a6c811b96d90e64f6cb6a

SHA256
9719b594632fa2d503fe4e7a6623f36860eb54e7ab00aec3f4257da079c8f7d8

SHA512
cbf2c244c91d1e04be4eff5b38401074d73bbd215feb9d3a4b6a66324d1b26a1bfb35c947fad61f022ab8922bed33b945961cf7e67f655602683b0957dbbdd1d

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
1.3MB

MD5
f703799934b3519463c61e3253438d32

SHA1
1f3ba83999f1a31a4dc186bc8774f78f1b6621d4

SHA256
40fc1462e7cf527ace69297326ce89d443f2ab72299648e7504b1e3d0f1e065a

SHA512
204153c17a57e2b4927d3bebf3be23af5b4676cc64cb5c6f53a6b4e45f84c9d396dd59303fdf90fdf9c5d07f0e71cb3d341363e0f3efb0d920e3d7094431338c

Download Submit
memory/292-134-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-118-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-109-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-125-0x0000000000403248-mapping.dmp

Download
memory/292-113-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-99-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-120-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-101-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-122-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/292-129-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/836-84-0x0000000000000000-mapping.dmp

Download
memory/860-150-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/860-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/860-171-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/860-162-0x0000000000403248-mapping.dmp

Download
memory/860-155-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/860-156-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/860-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/960-58-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/960-63-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/960-64-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/960-59-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/960-56-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/960-60-0x00000000007B5930-mapping.dmp

Download
memory/960-74-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/960-55-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/992-78-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-116-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-96-0x0000000000403248-mapping.dmp

Download
memory/992-77-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-92-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-123-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-108-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-85-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/992-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1172-94-0x0000000000000000-mapping.dmp

Download
memory/1348-103-0x0000000000000000-mapping.dmp

Download
memory/1380-76-0x0000000001370000-0x00000000017B0000-memory.dmp

Filesize
4.2MB

Download
memory/1380-67-0x0000000000000000-mapping.dmp

Download
memory/1380-107-0x0000000001370000-0x00000000017B0000-memory.dmp

Filesize
4.2MB

Download
memory/1392-169-0x0000000000000000-mapping.dmp

Download
memory/1392-193-0x0000000001FE6000-0x0000000002005000-memory.dmp

Filesize
124KB

Download
memory/1420-180-0x0000000000000000-mapping.dmp

Download
memory/1420-189-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1420-195-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1492-117-0x0000000000000000-mapping.dmp

Download
memory/1492-194-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-176-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-174-0x0000000004AA0000-0x0000000004C06000-memory.dmp

Filesize
1.4MB

Download
memory/1652-166-0x0000000000940000-0x0000000000A8C000-memory.dmp

Filesize
1.3MB

Download
memory/1652-196-0x0000000002136000-0x0000000002147000-memory.dmp

Filesize
68KB

Download
memory/1652-132-0x0000000000000000-mapping.dmp

Download
memory/1652-192-0x0000000002136000-0x0000000002147000-memory.dmp

Filesize
68KB

Download
memory/1664-197-0x0000000000000000-mapping.dmp

Download
memory/1768-71-0x0000000000000000-mapping.dmp

Download
memory/2040-142-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-139-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-177-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-138-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-136-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-140-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-190-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-141-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-154-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-145-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-130-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-147-0x0000000000409860-mapping.dmp

Download
memory/2040-149-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download