cybergate | 0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238

Analysis

max time kernel
252s
max time network
359s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
Size

4.2MB
MD5

027a8042ac64fad8b80c50fdf472ad2e
SHA1

5f9899bd11556c144385968ee1faf42b7f2f4287
SHA256

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238
SHA512

57e6c0938da0ec031b86116cd31a238c06826b367cc1b1c422a2a3e6343766e14f3d3984fdc7af705bc2f8a9229a8197e1f273687d4df83e836af973056489f1
SSDEEP

98304:gCjPKNciZGis0FKxcewvemveP0E3S5FeHKMgJsJAMJt:gCbGcgJFKbwmmveP0EspMAUdt

Score

10^/10

cybergate pony crypter vpn2 collection discovery persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

pony

http://tuttyfrutty.hol.es/root/Panel/gate.php

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

VPN2

joujounette974.ddns.net:8027

Mutex

S723VTV4Y21R8A

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Generator actually down for maintenance.Please try again later.
message_box_title
HWID Generator Error!!
password
123456

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Crypter

warrior0007.no-ip.biz:8027

Mutex

T13MG4FDX66L27

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exeWINUPDATE.EXECRYPT.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\winlogon.exe,explorer.exe"	WINUPDATE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\Microsoft\\HeciServer.exe,explorer.exe"	CRYPT.EXE

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Adds policy Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exeWINUPDATE.EXEsvchost.exeCRYPT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WINUPDATE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	WINUPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\55169 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msagiyo.com"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	CRYPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft(R) Delayed Launcher = "%AppData%\\Microsoft\\HeciServer.exe"	CRYPT.EXE

Executes dropped EXE 11 IoCs

Processes:

TEST3.EXEWINUPDATE.EXEOPENGL.EXETEST2.EXETEST.EXEWUPDATE.EXECRYPT.EXEHSCB.EXEWINUPDATE.EXEHIDDEN SIGHT.EXEOPENGL.EXE

pid	process
1828	TEST3.EXE
1544	WINUPDATE.EXE
1276	OPENGL.EXE
1680	TEST2.EXE
964	TEST.EXE
1172	WUPDATE.EXE
1684	CRYPT.EXE
1732	HSCB.EXE
2036	WINUPDATE.EXE
948	HIDDEN SIGHT.EXE
1748	OPENGL.EXE

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1168-56-0x0000000000400000-0x00000000007E6000-memory.dmp	upx
behavioral1/memory/1168-58-0x0000000000400000-0x00000000007E6000-memory.dmp	upx
behavioral1/memory/1168-59-0x0000000000400000-0x00000000007E6000-memory.dmp	upx
behavioral1/memory/1168-63-0x0000000000400000-0x00000000007E6000-memory.dmp	upx
behavioral1/memory/1168-64-0x0000000000400000-0x00000000007E6000-memory.dmp	upx
behavioral1/memory/1168-65-0x0000000000400000-0x00000000007E6000-memory.dmp	upx
behavioral1/memory/1168-75-0x0000000000400000-0x00000000007E6000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\TEST.EXE	upx
\Users\Admin\AppData\Local\Temp\TEST.EXE	upx
C:\Users\Admin\AppData\Local\Temp\TEST.EXE	upx
behavioral1/memory/1680-116-0x0000000002D90000-0x000000000304C000-memory.dmp	upx
behavioral1/memory/1528-118-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1856-123-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/964-125-0x0000000000DC0000-0x000000000107C000-memory.dmp	upx
behavioral1/memory/1856-127-0x0000000010410000-0x0000000010480000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\HSCB.EXE	upx
\Users\Admin\AppData\Local\Temp\HSCB.EXE	upx
\Users\Admin\AppData\Local\Temp\HSCB.EXE	upx
behavioral1/memory/1732-148-0x0000000000D20000-0x0000000000E8A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	upx
behavioral1/memory/1732-156-0x0000000000D20000-0x0000000000E8A000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	upx
behavioral1/memory/964-157-0x0000000000DC0000-0x000000000107C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	upx
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	upx
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	upx
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	upx
behavioral1/memory/2036-171-0x0000000001000000-0x0000000001052000-memory.dmp	upx
behavioral1/memory/2036-182-0x0000000001000000-0x0000000001052000-memory.dmp	upx
behavioral1/memory/1856-190-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/2028-197-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1696-203-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1696-205-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1696-212-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Loads dropped DLL 23 IoCs

Processes:

svchost.exeTEST3.EXETEST2.EXETEST.EXEWUPDATE.EXEHSCB.EXEWINUPDATE.EXE

pid	process
1168	svchost.exe
1168	svchost.exe
1168	svchost.exe
1828	TEST3.EXE
1828	TEST3.EXE
1828	TEST3.EXE
1828	TEST3.EXE
1680	TEST2.EXE
1680	TEST2.EXE
1680	TEST2.EXE
964	TEST.EXE
1172	WUPDATE.EXE
1172	WUPDATE.EXE
964	TEST.EXE
964	TEST.EXE
1172	WUPDATE.EXE
964	TEST.EXE
1732	HSCB.EXE
2036	WINUPDATE.EXE
2036	WINUPDATE.EXE
2036	WINUPDATE.EXE
2036	WINUPDATE.EXE
2036	WINUPDATE.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

WUPDATE.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	WUPDATE.EXE

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

WUPDATE.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	WUPDATE.EXE

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WINUPDATE.EXECRYPT.EXE0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	WINUPDATE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	WINUPDATE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	CRYPT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft(R) Delayed Launcher = "%AppData%\\Microsoft\\HeciServer.exe"	CRYPT.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "%AppData%\\Microsoft\\winlogon.exe"	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OPENGL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	OPENGL.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	OPENGL.EXE

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1168-60-0x00000000007E4190-mapping.dmp	autoit_exe
behavioral1/memory/1168-64-0x0000000000400000-0x00000000007E6000-memory.dmp	autoit_exe
behavioral1/memory/1168-65-0x0000000000400000-0x00000000007E6000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	autoit_exe
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	autoit_exe
behavioral1/memory/1168-75-0x0000000000400000-0x00000000007E6000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe	autoit_exe
behavioral1/memory/964-125-0x0000000000DC0000-0x000000000107C000-memory.dmp	autoit_exe
\Users\Admin\AppData\Local\Temp\CRYPT.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\CRYPT.EXE	autoit_exe
C:\Users\Admin\AppData\Local\Temp\CRYPT.EXE	autoit_exe
behavioral1/memory/964-146-0x0000000002C20000-0x0000000002D8A000-memory.dmp	autoit_exe
behavioral1/memory/964-157-0x0000000000DC0000-0x000000000107C000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exeWINUPDATE.EXECRYPT.EXE

description	pid	process	target process
PID 784 set thread context of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 1544 set thread context of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1684 set thread context of 2028	1684	CRYPT.EXE	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\msagiyo.com svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\msagiyo.com	svchost.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

OPENGL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	OPENGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	OPENGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	OPENGL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

OPENGL.EXE

pid process

1276 OPENGL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1696 svchost.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

OPENGL.EXE

pid process

1276 OPENGL.EXE
1276 OPENGL.EXE

pid	process
1276	OPENGL.EXE

pid	process
1696	svchost.exe

pid	process
1276	OPENGL.EXE
1276	OPENGL.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

svchost.exeWUPDATE.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	1856	svchost.exe
Token: SeDebugPrivilege	1856	svchost.exe
Token: SeImpersonatePrivilege	1172	WUPDATE.EXE
Token: SeTcbPrivilege	1172	WUPDATE.EXE
Token: SeChangeNotifyPrivilege	1172	WUPDATE.EXE
Token: SeCreateTokenPrivilege	1172	WUPDATE.EXE
Token: SeBackupPrivilege	1172	WUPDATE.EXE
Token: SeRestorePrivilege	1172	WUPDATE.EXE
Token: SeIncreaseQuotaPrivilege	1172	WUPDATE.EXE
Token: SeAssignPrimaryTokenPrivilege	1172	WUPDATE.EXE
Token: SeBackupPrivilege	1696	svchost.exe
Token: SeRestorePrivilege	1696	svchost.exe
Token: SeDebugPrivilege	1696	svchost.exe
Token: SeDebugPrivilege	1696	svchost.exe
Token: SeImpersonatePrivilege	1172	WUPDATE.EXE
Token: SeTcbPrivilege	1172	WUPDATE.EXE
Token: SeChangeNotifyPrivilege	1172	WUPDATE.EXE
Token: SeCreateTokenPrivilege	1172	WUPDATE.EXE
Token: SeBackupPrivilege	1172	WUPDATE.EXE
Token: SeRestorePrivilege	1172	WUPDATE.EXE
Token: SeIncreaseQuotaPrivilege	1172	WUPDATE.EXE
Token: SeAssignPrimaryTokenPrivilege	1172	WUPDATE.EXE
Token: SeImpersonatePrivilege	1172	WUPDATE.EXE
Token: SeTcbPrivilege	1172	WUPDATE.EXE
Token: SeChangeNotifyPrivilege	1172	WUPDATE.EXE
Token: SeCreateTokenPrivilege	1172	WUPDATE.EXE
Token: SeBackupPrivilege	1172	WUPDATE.EXE
Token: SeRestorePrivilege	1172	WUPDATE.EXE
Token: SeIncreaseQuotaPrivilege	1172	WUPDATE.EXE
Token: SeAssignPrimaryTokenPrivilege	1172	WUPDATE.EXE
Token: SeImpersonatePrivilege	1172	WUPDATE.EXE
Token: SeTcbPrivilege	1172	WUPDATE.EXE
Token: SeChangeNotifyPrivilege	1172	WUPDATE.EXE
Token: SeCreateTokenPrivilege	1172	WUPDATE.EXE
Token: SeBackupPrivilege	1172	WUPDATE.EXE
Token: SeRestorePrivilege	1172	WUPDATE.EXE
Token: SeIncreaseQuotaPrivilege	1172	WUPDATE.EXE
Token: SeAssignPrimaryTokenPrivilege	1172	WUPDATE.EXE
Token: SeRestorePrivilege	1172	WUPDATE.EXE
Token: SeBackupPrivilege	1172	WUPDATE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exeWINUPDATE.EXECRYPT.EXE

pid	process
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
1544	WINUPDATE.EXE
1544	WINUPDATE.EXE
1544	WINUPDATE.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exeWINUPDATE.EXECRYPT.EXE

pid	process
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
1544	WINUPDATE.EXE
1544	WINUPDATE.EXE
1544	WINUPDATE.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE
1684	CRYPT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OPENGL.EXE

pid process

1748 OPENGL.EXE
1748 OPENGL.EXE

pid	process
1748	OPENGL.EXE
1748	OPENGL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exesvchost.exeWINUPDATE.EXETEST3.EXEOPENGL.EXEsvchost.exe

description	pid	process	target process
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 784 wrote to memory of 1168	784	0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe	svchost.exe
PID 1168 wrote to memory of 1828	1168	svchost.exe	TEST3.EXE
PID 1168 wrote to memory of 1828	1168	svchost.exe	TEST3.EXE
PID 1168 wrote to memory of 1828	1168	svchost.exe	TEST3.EXE
PID 1168 wrote to memory of 1828	1168	svchost.exe	TEST3.EXE
PID 1168 wrote to memory of 1544	1168	svchost.exe	WINUPDATE.EXE
PID 1168 wrote to memory of 1544	1168	svchost.exe	WINUPDATE.EXE
PID 1168 wrote to memory of 1544	1168	svchost.exe	WINUPDATE.EXE
PID 1168 wrote to memory of 1544	1168	svchost.exe	WINUPDATE.EXE
PID 1168 wrote to memory of 1544	1168	svchost.exe	WINUPDATE.EXE
PID 1168 wrote to memory of 1544	1168	svchost.exe	WINUPDATE.EXE
PID 1168 wrote to memory of 1544	1168	svchost.exe	WINUPDATE.EXE
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1544 wrote to memory of 1528	1544	WINUPDATE.EXE	svchost.exe
PID 1828 wrote to memory of 1276	1828	TEST3.EXE	OPENGL.EXE
PID 1828 wrote to memory of 1276	1828	TEST3.EXE	OPENGL.EXE
PID 1828 wrote to memory of 1276	1828	TEST3.EXE	OPENGL.EXE
PID 1828 wrote to memory of 1276	1828	TEST3.EXE	OPENGL.EXE
PID 1276 wrote to memory of 824	1276	OPENGL.EXE	svchost.exe
PID 1276 wrote to memory of 824	1276	OPENGL.EXE	svchost.exe
PID 1276 wrote to memory of 824	1276	OPENGL.EXE	svchost.exe
PID 1276 wrote to memory of 824	1276	OPENGL.EXE	svchost.exe
PID 1828 wrote to memory of 1680	1828	TEST3.EXE	TEST2.EXE
PID 1828 wrote to memory of 1680	1828	TEST3.EXE	TEST2.EXE
PID 1828 wrote to memory of 1680	1828	TEST3.EXE	TEST2.EXE
PID 1828 wrote to memory of 1680	1828	TEST3.EXE	TEST2.EXE
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe
PID 1528 wrote to memory of 1856	1528	svchost.exe	svchost.exe

outlook_win_path 1 IoCs

Processes:

WUPDATE.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	WUPDATE.EXE

C:\Users\Admin\AppData\Local\Temp\0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe
"C:\Users\Admin\AppData\Local\Temp\0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\TEST3.EXE
"C:\Users\Admin\AppData\Local\Temp\TEST3.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
"C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
5⤵
- Adds policy Run key to start application
- Drops file in Program Files directory
PID:824

C:\Users\Admin\AppData\Local\Temp\TEST2.EXE
"C:\Users\Admin\AppData\Local\Temp\TEST2.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680

C:\Users\Admin\AppData\Local\Temp\TEST.EXE
"C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964

C:\Users\Admin\AppData\Local\Temp\CRYPT.EXE
"C:\Users\Admin\AppData\Local\Temp\CRYPT.EXE"
6⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1684

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
7⤵
PID:2028

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
8⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
9⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\HSCB.EXE
"C:\Users\Admin\AppData\Local\Temp\HSCB.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
"C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE"
7⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036

C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
"C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE"
7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Users\Admin\AppData\Local\Temp\WUPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\WUPDATE.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1172

C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
3722a8f5483573e7cfae02a3d4e2f951

SHA1
90c30f08401fd54e83552416965c02652049c98a

SHA256
71b31c1809a7f2dd5a6065f4c545287efe558e301ac81e3de2f254c6fb55f9b7

SHA512
bb8ee87ed3ed0b1ce3165a582878a6232b27ecbafd0b813996514224a64b622f8701153604d605b3c8d19524259fba1afbb914ebf134c63dfe24a4ba65df8743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
385KB

MD5
bb479e19dbe371a699d5c6037eb10fe3

SHA1
e49646fe8d4b3bc2c883d1133e4a806f9f56db45

SHA256
934cf1393f9cf9e206641e4def42ce85115ad7ed23bbc5a9f1d871779aa82747

SHA512
7aab815ebfe5f69894de6c813f016e63b3585b81db6c347e204dba179ab14cdcae6606bf874af72198751c44538c4120b515484b2d23db9ccb3411745c6b7e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
df578f383dcc29db098e78ee2de729fd

SHA1
a89ef23f15e3642bcb401332e580280931e8a953

SHA256
563fea1f17fa1d8552f53725ce563d5c2c9b905581380e0eeb4e279b819386d9

SHA512
b9deb6b070f6a196fe5780055300fb30747bc3c879007e6d5ef4603d05dda2e881c3d1375ae5218d0192df095fe955a8e0922496f0abdc47b8f168f2be0ef305

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
330faa4a0549238b1c633c3ac57cea51

SHA1
df4d43514dd887975ea442a1bce830015f778d93

SHA256
dc19f93dce2120cd6934e0bd24b187b9ac6db0c887ed29080fc02258334c5ba6

SHA512
a719b5270f39723053f07f4d254fa6127235a03383baf4faca1432e064fea3dd6c319b67ad68a4a7742e06eb4231f58cfe104014a2d3552a86d546ee610c7e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
330faa4a0549238b1c633c3ac57cea51

SHA1
df4d43514dd887975ea442a1bce830015f778d93

SHA256
dc19f93dce2120cd6934e0bd24b187b9ac6db0c887ed29080fc02258334c5ba6

SHA512
a719b5270f39723053f07f4d254fa6127235a03383baf4faca1432e064fea3dd6c319b67ad68a4a7742e06eb4231f58cfe104014a2d3552a86d546ee610c7e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ecdecf3c14532bf6afe6a573bb50c61f

SHA1
2552fbb6c74648fba887ecbaa17fe3ef590819b4

SHA256
7fba134391ec825b995516752b5f88a08ba9a154a00e0ad05f8cabad9419a091

SHA512
dc16d70a11b49229fec61704b4e39ff23a95fe946494da163f66ae06168d7aaa4fdb360a0dbdd69c28ea1c407d81bf26bfe1838948306bec4b96d57b9a042ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ecdecf3c14532bf6afe6a573bb50c61f

SHA1
2552fbb6c74648fba887ecbaa17fe3ef590819b4

SHA256
7fba134391ec825b995516752b5f88a08ba9a154a00e0ad05f8cabad9419a091

SHA512
dc16d70a11b49229fec61704b4e39ff23a95fe946494da163f66ae06168d7aaa4fdb360a0dbdd69c28ea1c407d81bf26bfe1838948306bec4b96d57b9a042ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ecdecf3c14532bf6afe6a573bb50c61f

SHA1
2552fbb6c74648fba887ecbaa17fe3ef590819b4

SHA256
7fba134391ec825b995516752b5f88a08ba9a154a00e0ad05f8cabad9419a091

SHA512
dc16d70a11b49229fec61704b4e39ff23a95fe946494da163f66ae06168d7aaa4fdb360a0dbdd69c28ea1c407d81bf26bfe1838948306bec4b96d57b9a042ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
f8458a2e260d6d92ae1ca54d98ff0a07

SHA1
2249bf4d8ac6f8bd6b484062be37ddc837e75d47

SHA256
095be85fba549b6cf1512792609e6d493b30b5fd5f87038a048bac65e4dec12e

SHA512
657e8e699e5e454bd92024387d96d70701aa12b722bb769916a942f51cd0c214ab55c7e162ff000fbd7e342d80be2f0e79634a861bd419362814b4928d1e4390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
f8458a2e260d6d92ae1ca54d98ff0a07

SHA1
2249bf4d8ac6f8bd6b484062be37ddc837e75d47

SHA256
095be85fba549b6cf1512792609e6d493b30b5fd5f87038a048bac65e4dec12e

SHA512
657e8e699e5e454bd92024387d96d70701aa12b722bb769916a942f51cd0c214ab55c7e162ff000fbd7e342d80be2f0e79634a861bd419362814b4928d1e4390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
f8458a2e260d6d92ae1ca54d98ff0a07

SHA1
2249bf4d8ac6f8bd6b484062be37ddc837e75d47

SHA256
095be85fba549b6cf1512792609e6d493b30b5fd5f87038a048bac65e4dec12e

SHA512
657e8e699e5e454bd92024387d96d70701aa12b722bb769916a942f51cd0c214ab55c7e162ff000fbd7e342d80be2f0e79634a861bd419362814b4928d1e4390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
98e428b8b969baa477f241aaa89cfcf8

SHA1
1ecc9bdf8ac6226fcf4fb4d4f12eeedf0d95dc31

SHA256
cffd36c556f3ad68149e421a93111ed59ff2a48982b0f5c5b6b34f4da50ac376

SHA512
de36db23d07ee4e839be29767f5ab373d05105110d41299ae330da2b925c0129f74c4270a0c0a2ca85c1c4bd1efd0f9e8f1bc9b2b9755e68b8c94b14a6aad09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
98e428b8b969baa477f241aaa89cfcf8

SHA1
1ecc9bdf8ac6226fcf4fb4d4f12eeedf0d95dc31

SHA256
cffd36c556f3ad68149e421a93111ed59ff2a48982b0f5c5b6b34f4da50ac376

SHA512
de36db23d07ee4e839be29767f5ab373d05105110d41299ae330da2b925c0129f74c4270a0c0a2ca85c1c4bd1efd0f9e8f1bc9b2b9755e68b8c94b14a6aad09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
98e428b8b969baa477f241aaa89cfcf8

SHA1
1ecc9bdf8ac6226fcf4fb4d4f12eeedf0d95dc31

SHA256
cffd36c556f3ad68149e421a93111ed59ff2a48982b0f5c5b6b34f4da50ac376

SHA512
de36db23d07ee4e839be29767f5ab373d05105110d41299ae330da2b925c0129f74c4270a0c0a2ca85c1c4bd1efd0f9e8f1bc9b2b9755e68b8c94b14a6aad09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
98e428b8b969baa477f241aaa89cfcf8

SHA1
1ecc9bdf8ac6226fcf4fb4d4f12eeedf0d95dc31

SHA256
cffd36c556f3ad68149e421a93111ed59ff2a48982b0f5c5b6b34f4da50ac376

SHA512
de36db23d07ee4e839be29767f5ab373d05105110d41299ae330da2b925c0129f74c4270a0c0a2ca85c1c4bd1efd0f9e8f1bc9b2b9755e68b8c94b14a6aad09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
29e119e64903351d1c180d7d0bd1d8be

SHA1
4de93eda3bf8a969399207ac1aa488bd8067926d

SHA256
f6c49176443325b91eee060b70fe67910eb45f13101ee546d67ada2df0894a41

SHA512
eaece75a4937a649b30cc94e827b601aca62670b2e3db720b959c0554c3e45ee261829c10e46a262baac2ee4a1228af13496e3fa78257dab609c48383c1f4355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
29e119e64903351d1c180d7d0bd1d8be

SHA1
4de93eda3bf8a969399207ac1aa488bd8067926d

SHA256
f6c49176443325b91eee060b70fe67910eb45f13101ee546d67ada2df0894a41

SHA512
eaece75a4937a649b30cc94e827b601aca62670b2e3db720b959c0554c3e45ee261829c10e46a262baac2ee4a1228af13496e3fa78257dab609c48383c1f4355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
29e119e64903351d1c180d7d0bd1d8be

SHA1
4de93eda3bf8a969399207ac1aa488bd8067926d

SHA256
f6c49176443325b91eee060b70fe67910eb45f13101ee546d67ada2df0894a41

SHA512
eaece75a4937a649b30cc94e827b601aca62670b2e3db720b959c0554c3e45ee261829c10e46a262baac2ee4a1228af13496e3fa78257dab609c48383c1f4355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
29e119e64903351d1c180d7d0bd1d8be

SHA1
4de93eda3bf8a969399207ac1aa488bd8067926d

SHA256
f6c49176443325b91eee060b70fe67910eb45f13101ee546d67ada2df0894a41

SHA512
eaece75a4937a649b30cc94e827b601aca62670b2e3db720b959c0554c3e45ee261829c10e46a262baac2ee4a1228af13496e3fa78257dab609c48383c1f4355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
fd19507afddcce2d2ecec97932533a6f

SHA1
9eeda45fd1684c9c717c94b58f36fa5252f91676

SHA256
b49af8da1b25171354256e3fa29ec9913df5c279f9b583660202b58b683668f7

SHA512
03da1f294fbe0433728d7e9b87244ebf99133083c02e729b28f817b9d9e0355d6602c37e43f7e2969bc6a8e700ed3d99911db26d9f85e66262faf63b186b9121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
fd19507afddcce2d2ecec97932533a6f

SHA1
9eeda45fd1684c9c717c94b58f36fa5252f91676

SHA256
b49af8da1b25171354256e3fa29ec9913df5c279f9b583660202b58b683668f7

SHA512
03da1f294fbe0433728d7e9b87244ebf99133083c02e729b28f817b9d9e0355d6602c37e43f7e2969bc6a8e700ed3d99911db26d9f85e66262faf63b186b9121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8
Filesize
8B

MD5
af97f8e7474eca4d466a17a2153e5c27

SHA1
08a28240b0a567bc3ee5e5fbc7264d560abd5616

SHA256
2e760765a87fad33705e5c1207e3e95285ab7a34b31cb67347eba57d0626ea5b

SHA512
a821c92f970f3fee73b37e694331e9f1c90062d496d6bdd32acb1988fe51ec77c3a068f7edb61feee5f70a1376ebc7f423b2903f2747105f1ff7e9f3d081d369

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRYPT.EXE
Filesize
1.0MB

MD5
94a20be0aca341f670175ad7b30cdb70

SHA1
c3be21ca95cb96b99a9dfc4d16b53d8eefc4f25e

SHA256
ea769b216bf1f9233e283475993c418b72f8b29cd9f617914a4f792325f761a9

SHA512
d7f99f7351afe72fdaf58c194025451f4f9d3d1303dc6ad23dfcd9c2b88361edfb6ea01c1f7dfb1fd922f1a5bda07276e95703ddfe3fa7b35f750656833c6320

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRYPT.EXE
Filesize
1.0MB

MD5
94a20be0aca341f670175ad7b30cdb70

SHA1
c3be21ca95cb96b99a9dfc4d16b53d8eefc4f25e

SHA256
ea769b216bf1f9233e283475993c418b72f8b29cd9f617914a4f792325f761a9

SHA512
d7f99f7351afe72fdaf58c194025451f4f9d3d1303dc6ad23dfcd9c2b88361edfb6ea01c1f7dfb1fd922f1a5bda07276e95703ddfe3fa7b35f750656833c6320

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSCB.EXE
Filesize
1.3MB

MD5
f4a9746343bff59289683b61ee2aaea5

SHA1
e1a1040bd75a61db265b305cdaf4faae103081d1

SHA256
1ee8010e22d9ba4a307b8590ce81c532c15d569cae57b4f6314988602e0f8ab1

SHA512
28b5ade6d176d124a5f2eaecf7dc2418d599495950cba113c189fc5912ea6815523e098d9d5485d344b86daa9d79bf5663993dafa0be71c3581c68670d4fcfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
241KB

MD5
8681a2f9790d32af1e04ae38bb6718c8

SHA1
49a9c4f835a48bf68231a2055bf6e16635baa5ed

SHA256
a2897968e611ec96fcb54e7bb7a237b070af95993db86f9ab9d1ea0736ed690c

SHA512
aabe4dd33f4dab7c12f225f46d1e9b6d409a9f6a283bf96293e87536e177a1d6ec752ac55a65450a02160dc5e357608e02f6695bb40b5e361f5345f940706081

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
241KB

MD5
8681a2f9790d32af1e04ae38bb6718c8

SHA1
49a9c4f835a48bf68231a2055bf6e16635baa5ed

SHA256
a2897968e611ec96fcb54e7bb7a237b070af95993db86f9ab9d1ea0736ed690c

SHA512
aabe4dd33f4dab7c12f225f46d1e9b6d409a9f6a283bf96293e87536e177a1d6ec752ac55a65450a02160dc5e357608e02f6695bb40b5e361f5345f940706081

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
13KB

MD5
13df3a7950f9dadf1caa884ca9beb5d3

SHA1
7fbc42e2ad9e5dca82986dc4bdee3d757f7f5050

SHA256
2c78d465d966d04fe57238e6426f18e22620ff71bd46a62d756dc8c6b100e111

SHA512
fa35add0af040b30d675f1363e13a5a716081c206ece19573975a3a24b1106d709abfc3343ca3661e54ac180a6dde71b8bb5d7468872aa6acc86d5c5212f815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
13KB

MD5
13df3a7950f9dadf1caa884ca9beb5d3

SHA1
7fbc42e2ad9e5dca82986dc4bdee3d757f7f5050

SHA256
2c78d465d966d04fe57238e6426f18e22620ff71bd46a62d756dc8c6b100e111

SHA512
fa35add0af040b30d675f1363e13a5a716081c206ece19573975a3a24b1106d709abfc3343ca3661e54ac180a6dde71b8bb5d7468872aa6acc86d5c5212f815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEST.EXE
Filesize
2.2MB

MD5
97dd74c87a8c95010e03df713ba89e94

SHA1
aa31325cb792217a67a6e35a081cc76428e8962c

SHA256
e5d876834e82c464d03e5d02a75be4859974bc8e011da2408e03187808c5aec7

SHA512
d5bd1f98c041ea837e2ed090249e4425846829ddac208ba1f282315180bef5cf90c652ad573db0bbfc6bb97a9cac4e368287cc90c161356ec1e0c4e5393f3ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEST2.EXE
Filesize
2.4MB

MD5
925037fce4e40da2630be9ba1d0b5168

SHA1
894b3b936ec140ca8084b376057232c8aeeed57d

SHA256
b2548e0bdddc2d28c8a9b8d39b27b1ae2acf1ec6a100ce1d20142c6e7999d587

SHA512
af51b73efeeed67b74e02b783978e373481d2dc78ef20f9718064569137bf940314c8f0767608960e2a82513b83c413f2fc71715528d5d6a9aaeda90e5350d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEST3.EXE
Filesize
2.6MB

MD5
30be59a5ef02c6452e31c5772cf25dcc

SHA1
6f7c605390f7dd279972dfc873df5141f2a9ca5e

SHA256
6c3e4663e9ba0aabbae64def3475e0d781024d9d2e833fa0514fe0119040dca9

SHA512
e269facccb6414367c8f6e08d74e78b25585df6dcbee196173cf82bebeb5094818c9c15385a8a76a107cd72421fd9cd5e15258c946e2743f56afcb30c91d20b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
182KB

MD5
d238aa515b128c52b27742ecfd1ce970

SHA1
654369aca49d68d01428c9312e1fe6cda9d12c41

SHA256
4b1cc4a115989e569e8edabf83a7bd603886ba700e828028cd7607a07ae67af6

SHA512
372bb36cb4d037e695637ada7d95e943374e953d25eb3ca0c2d3961af259c93a67f051ba6f5c8e20e814b7f1d9922012f6760ea0620bd1a3db8c30745d3d4af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
182KB

MD5
d238aa515b128c52b27742ecfd1ce970

SHA1
654369aca49d68d01428c9312e1fe6cda9d12c41

SHA256
4b1cc4a115989e569e8edabf83a7bd603886ba700e828028cd7607a07ae67af6

SHA512
372bb36cb4d037e695637ada7d95e943374e953d25eb3ca0c2d3961af259c93a67f051ba6f5c8e20e814b7f1d9922012f6760ea0620bd1a3db8c30745d3d4af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
1.2MB

MD5
0732c162c744ac9ef9a947f54f48233e

SHA1
d98379af96cb0d60771b45ff78154af15587661e

SHA256
d606c4128fb7eb2b5a280cf881438f1374563d5edb69f471a3c01113f995040a

SHA512
509cd3ac284308cf2004248bde1ec3dd1b7a1b2e089c80f415229f8a8e37726b40828ee01ac849c476830ed48179474b4616e7e8e3f49eec09762e55f1221eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
1.2MB

MD5
0732c162c744ac9ef9a947f54f48233e

SHA1
d98379af96cb0d60771b45ff78154af15587661e

SHA256
d606c4128fb7eb2b5a280cf881438f1374563d5edb69f471a3c01113f995040a

SHA512
509cd3ac284308cf2004248bde1ec3dd1b7a1b2e089c80f415229f8a8e37726b40828ee01ac849c476830ed48179474b4616e7e8e3f49eec09762e55f1221eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUPDATE.EXE
Filesize
82KB

MD5
52e851fba866c2714ad2c4c5cd8cd59b

SHA1
fda9115844d468d05595e1e0b9391a55395a0af0

SHA256
149d057c10135e5637cb4022722958b6e0ec73a873eca4bd0e35891a8e847448

SHA512
4aabc15e7180e699ac9723155d75c5cb40c669b33ae96fcad0f42b3fd94be0a424a1593986ee12be1625206c6a9858db2f17a869a284cd554945c396a29ab06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUPDATE.EXE
Filesize
82KB

MD5
52e851fba866c2714ad2c4c5cd8cd59b

SHA1
fda9115844d468d05595e1e0b9391a55395a0af0

SHA256
149d057c10135e5637cb4022722958b6e0ec73a873eca4bd0e35891a8e847448

SHA512
4aabc15e7180e699ac9723155d75c5cb40c669b33ae96fcad0f42b3fd94be0a424a1593986ee12be1625206c6a9858db2f17a869a284cd554945c396a29ab06a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
Filesize
4.2MB

MD5
027a8042ac64fad8b80c50fdf472ad2e

SHA1
5f9899bd11556c144385968ee1faf42b7f2f4287

SHA256
0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238

SHA512
57e6c0938da0ec031b86116cd31a238c06826b367cc1b1c422a2a3e6343766e14f3d3984fdc7af705bc2f8a9229a8197e1f273687d4df83e836af973056489f1

Download Submit
\Users\Admin\AppData\Local\Temp\CRYPT.EXE
Filesize
1.0MB

MD5
94a20be0aca341f670175ad7b30cdb70

SHA1
c3be21ca95cb96b99a9dfc4d16b53d8eefc4f25e

SHA256
ea769b216bf1f9233e283475993c418b72f8b29cd9f617914a4f792325f761a9

SHA512
d7f99f7351afe72fdaf58c194025451f4f9d3d1303dc6ad23dfcd9c2b88361edfb6ea01c1f7dfb1fd922f1a5bda07276e95703ddfe3fa7b35f750656833c6320

Download Submit
\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
\Users\Admin\AppData\Local\Temp\HSCB.EXE
Filesize
1.3MB

MD5
f4a9746343bff59289683b61ee2aaea5

SHA1
e1a1040bd75a61db265b305cdaf4faae103081d1

SHA256
1ee8010e22d9ba4a307b8590ce81c532c15d569cae57b4f6314988602e0f8ab1

SHA512
28b5ade6d176d124a5f2eaecf7dc2418d599495950cba113c189fc5912ea6815523e098d9d5485d344b86daa9d79bf5663993dafa0be71c3581c68670d4fcfee

Download Submit
\Users\Admin\AppData\Local\Temp\HSCB.EXE
Filesize
1.3MB

MD5
f4a9746343bff59289683b61ee2aaea5

SHA1
e1a1040bd75a61db265b305cdaf4faae103081d1

SHA256
1ee8010e22d9ba4a307b8590ce81c532c15d569cae57b4f6314988602e0f8ab1

SHA512
28b5ade6d176d124a5f2eaecf7dc2418d599495950cba113c189fc5912ea6815523e098d9d5485d344b86daa9d79bf5663993dafa0be71c3581c68670d4fcfee

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
241KB

MD5
8681a2f9790d32af1e04ae38bb6718c8

SHA1
49a9c4f835a48bf68231a2055bf6e16635baa5ed

SHA256
a2897968e611ec96fcb54e7bb7a237b070af95993db86f9ab9d1ea0736ed690c

SHA512
aabe4dd33f4dab7c12f225f46d1e9b6d409a9f6a283bf96293e87536e177a1d6ec752ac55a65450a02160dc5e357608e02f6695bb40b5e361f5345f940706081

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
241KB

MD5
8681a2f9790d32af1e04ae38bb6718c8

SHA1
49a9c4f835a48bf68231a2055bf6e16635baa5ed

SHA256
a2897968e611ec96fcb54e7bb7a237b070af95993db86f9ab9d1ea0736ed690c

SHA512
aabe4dd33f4dab7c12f225f46d1e9b6d409a9f6a283bf96293e87536e177a1d6ec752ac55a65450a02160dc5e357608e02f6695bb40b5e361f5345f940706081

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
13KB

MD5
13df3a7950f9dadf1caa884ca9beb5d3

SHA1
7fbc42e2ad9e5dca82986dc4bdee3d757f7f5050

SHA256
2c78d465d966d04fe57238e6426f18e22620ff71bd46a62d756dc8c6b100e111

SHA512
fa35add0af040b30d675f1363e13a5a716081c206ece19573975a3a24b1106d709abfc3343ca3661e54ac180a6dde71b8bb5d7468872aa6acc86d5c5212f815e

Download Submit
\Users\Admin\AppData\Local\Temp\OPENGL.EXE
Filesize
13KB

MD5
13df3a7950f9dadf1caa884ca9beb5d3

SHA1
7fbc42e2ad9e5dca82986dc4bdee3d757f7f5050

SHA256
2c78d465d966d04fe57238e6426f18e22620ff71bd46a62d756dc8c6b100e111

SHA512
fa35add0af040b30d675f1363e13a5a716081c206ece19573975a3a24b1106d709abfc3343ca3661e54ac180a6dde71b8bb5d7468872aa6acc86d5c5212f815e

Download Submit
\Users\Admin\AppData\Local\Temp\TEST.EXE
Filesize
2.2MB

MD5
97dd74c87a8c95010e03df713ba89e94

SHA1
aa31325cb792217a67a6e35a081cc76428e8962c

SHA256
e5d876834e82c464d03e5d02a75be4859974bc8e011da2408e03187808c5aec7

SHA512
d5bd1f98c041ea837e2ed090249e4425846829ddac208ba1f282315180bef5cf90c652ad573db0bbfc6bb97a9cac4e368287cc90c161356ec1e0c4e5393f3ee4

Download Submit
\Users\Admin\AppData\Local\Temp\TEST.EXE
Filesize
2.2MB

MD5
97dd74c87a8c95010e03df713ba89e94

SHA1
aa31325cb792217a67a6e35a081cc76428e8962c

SHA256
e5d876834e82c464d03e5d02a75be4859974bc8e011da2408e03187808c5aec7

SHA512
d5bd1f98c041ea837e2ed090249e4425846829ddac208ba1f282315180bef5cf90c652ad573db0bbfc6bb97a9cac4e368287cc90c161356ec1e0c4e5393f3ee4

Download Submit
\Users\Admin\AppData\Local\Temp\TEST2.EXE
Filesize
2.4MB

MD5
925037fce4e40da2630be9ba1d0b5168

SHA1
894b3b936ec140ca8084b376057232c8aeeed57d

SHA256
b2548e0bdddc2d28c8a9b8d39b27b1ae2acf1ec6a100ce1d20142c6e7999d587

SHA512
af51b73efeeed67b74e02b783978e373481d2dc78ef20f9718064569137bf940314c8f0767608960e2a82513b83c413f2fc71715528d5d6a9aaeda90e5350d3e

Download Submit
\Users\Admin\AppData\Local\Temp\TEST2.EXE
Filesize
2.4MB

MD5
925037fce4e40da2630be9ba1d0b5168

SHA1
894b3b936ec140ca8084b376057232c8aeeed57d

SHA256
b2548e0bdddc2d28c8a9b8d39b27b1ae2acf1ec6a100ce1d20142c6e7999d587

SHA512
af51b73efeeed67b74e02b783978e373481d2dc78ef20f9718064569137bf940314c8f0767608960e2a82513b83c413f2fc71715528d5d6a9aaeda90e5350d3e

Download Submit
\Users\Admin\AppData\Local\Temp\TEST3.EXE
Filesize
2.6MB

MD5
30be59a5ef02c6452e31c5772cf25dcc

SHA1
6f7c605390f7dd279972dfc873df5141f2a9ca5e

SHA256
6c3e4663e9ba0aabbae64def3475e0d781024d9d2e833fa0514fe0119040dca9

SHA512
e269facccb6414367c8f6e08d74e78b25585df6dcbee196173cf82bebeb5094818c9c15385a8a76a107cd72421fd9cd5e15258c946e2743f56afcb30c91d20b0

Download Submit
\Users\Admin\AppData\Local\Temp\TEST3.EXE
Filesize
2.6MB

MD5
30be59a5ef02c6452e31c5772cf25dcc

SHA1
6f7c605390f7dd279972dfc873df5141f2a9ca5e

SHA256
6c3e4663e9ba0aabbae64def3475e0d781024d9d2e833fa0514fe0119040dca9

SHA512
e269facccb6414367c8f6e08d74e78b25585df6dcbee196173cf82bebeb5094818c9c15385a8a76a107cd72421fd9cd5e15258c946e2743f56afcb30c91d20b0

Download Submit
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
182KB

MD5
d238aa515b128c52b27742ecfd1ce970

SHA1
654369aca49d68d01428c9312e1fe6cda9d12c41

SHA256
4b1cc4a115989e569e8edabf83a7bd603886ba700e828028cd7607a07ae67af6

SHA512
372bb36cb4d037e695637ada7d95e943374e953d25eb3ca0c2d3961af259c93a67f051ba6f5c8e20e814b7f1d9922012f6760ea0620bd1a3db8c30745d3d4af5

Download Submit
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
182KB

MD5
d238aa515b128c52b27742ecfd1ce970

SHA1
654369aca49d68d01428c9312e1fe6cda9d12c41

SHA256
4b1cc4a115989e569e8edabf83a7bd603886ba700e828028cd7607a07ae67af6

SHA512
372bb36cb4d037e695637ada7d95e943374e953d25eb3ca0c2d3961af259c93a67f051ba6f5c8e20e814b7f1d9922012f6760ea0620bd1a3db8c30745d3d4af5

Download Submit
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
182KB

MD5
d238aa515b128c52b27742ecfd1ce970

SHA1
654369aca49d68d01428c9312e1fe6cda9d12c41

SHA256
4b1cc4a115989e569e8edabf83a7bd603886ba700e828028cd7607a07ae67af6

SHA512
372bb36cb4d037e695637ada7d95e943374e953d25eb3ca0c2d3961af259c93a67f051ba6f5c8e20e814b7f1d9922012f6760ea0620bd1a3db8c30745d3d4af5

Download Submit
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
182KB

MD5
d238aa515b128c52b27742ecfd1ce970

SHA1
654369aca49d68d01428c9312e1fe6cda9d12c41

SHA256
4b1cc4a115989e569e8edabf83a7bd603886ba700e828028cd7607a07ae67af6

SHA512
372bb36cb4d037e695637ada7d95e943374e953d25eb3ca0c2d3961af259c93a67f051ba6f5c8e20e814b7f1d9922012f6760ea0620bd1a3db8c30745d3d4af5

Download Submit
\Users\Admin\AppData\Local\Temp\WINUPDATE.EXE
Filesize
1.2MB

MD5
0732c162c744ac9ef9a947f54f48233e

SHA1
d98379af96cb0d60771b45ff78154af15587661e

SHA256
d606c4128fb7eb2b5a280cf881438f1374563d5edb69f471a3c01113f995040a

SHA512
509cd3ac284308cf2004248bde1ec3dd1b7a1b2e089c80f415229f8a8e37726b40828ee01ac849c476830ed48179474b4616e7e8e3f49eec09762e55f1221eae

Download Submit
\Users\Admin\AppData\Local\Temp\WUPDATE.EXE
Filesize
82KB

MD5
52e851fba866c2714ad2c4c5cd8cd59b

SHA1
fda9115844d468d05595e1e0b9391a55395a0af0

SHA256
149d057c10135e5637cb4022722958b6e0ec73a873eca4bd0e35891a8e847448

SHA512
4aabc15e7180e699ac9723155d75c5cb40c669b33ae96fcad0f42b3fd94be0a424a1593986ee12be1625206c6a9858db2f17a869a284cd554945c396a29ab06a

Download Submit
\Users\Admin\AppData\Local\Temp\WUPDATE.EXE
Filesize
82KB

MD5
52e851fba866c2714ad2c4c5cd8cd59b

SHA1
fda9115844d468d05595e1e0b9391a55395a0af0

SHA256
149d057c10135e5637cb4022722958b6e0ec73a873eca4bd0e35891a8e847448

SHA512
4aabc15e7180e699ac9723155d75c5cb40c669b33ae96fcad0f42b3fd94be0a424a1593986ee12be1625206c6a9858db2f17a869a284cd554945c396a29ab06a

Download Submit
\Users\Admin\AppData\Local\Temp\WUPDATE.EXE
Filesize
82KB

MD5
52e851fba866c2714ad2c4c5cd8cd59b

SHA1
fda9115844d468d05595e1e0b9391a55395a0af0

SHA256
149d057c10135e5637cb4022722958b6e0ec73a873eca4bd0e35891a8e847448

SHA512
4aabc15e7180e699ac9723155d75c5cb40c669b33ae96fcad0f42b3fd94be0a424a1593986ee12be1625206c6a9858db2f17a869a284cd554945c396a29ab06a

Download Submit
\Users\Admin\AppData\Local\Temp\WUPDATE.EXE
Filesize
82KB

MD5
52e851fba866c2714ad2c4c5cd8cd59b

SHA1
fda9115844d468d05595e1e0b9391a55395a0af0

SHA256
149d057c10135e5637cb4022722958b6e0ec73a873eca4bd0e35891a8e847448

SHA512
4aabc15e7180e699ac9723155d75c5cb40c669b33ae96fcad0f42b3fd94be0a424a1593986ee12be1625206c6a9858db2f17a869a284cd554945c396a29ab06a

Download Submit
memory/188-207-0x0000000000000000-mapping.dmp

Download
memory/784-54-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/824-103-0x0000000000000000-mapping.dmp

Download
memory/824-110-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/824-106-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/824-107-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/948-210-0x0000000004F16000-0x0000000004F27000-memory.dmp

Filesize
68KB

Download
memory/948-153-0x0000000000000000-mapping.dmp

Download
memory/948-231-0x0000000004F16000-0x0000000004F27000-memory.dmp

Filesize
68KB

Download
memory/948-187-0x00000000010B0000-0x00000000011FC000-memory.dmp

Filesize
1.3MB

Download
memory/948-188-0x0000000004B00000-0x0000000004C66000-memory.dmp

Filesize
1.4MB

Download
memory/964-125-0x0000000000DC0000-0x000000000107C000-memory.dmp

Filesize
2.7MB

Download
memory/964-157-0x0000000000DC0000-0x000000000107C000-memory.dmp

Filesize
2.7MB

Download
memory/964-146-0x0000000002C20000-0x0000000002D8A000-memory.dmp

Filesize
1.4MB

Download
memory/964-147-0x0000000002C20000-0x0000000002D8A000-memory.dmp

Filesize
1.4MB

Download
memory/964-113-0x0000000000000000-mapping.dmp

Download
memory/1168-63-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1168-56-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1168-59-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1168-64-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1168-55-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1168-65-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1168-60-0x00000000007E4190-mapping.dmp

Download
memory/1168-58-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1168-75-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1172-129-0x0000000000000000-mapping.dmp

Download
memory/1276-102-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1276-93-0x0000000000000000-mapping.dmp

Download
memory/1528-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-87-0x0000000000409860-mapping.dmp

Download
memory/1528-78-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-82-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-83-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-126-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-86-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-77-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-84-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-109-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-94-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1528-118-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1528-101-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1544-72-0x0000000000000000-mapping.dmp

Download
memory/1680-117-0x0000000002D90000-0x000000000304C000-memory.dmp

Filesize
2.7MB

Download
memory/1680-116-0x0000000002D90000-0x000000000304C000-memory.dmp

Filesize
2.7MB

Download
memory/1680-98-0x0000000000000000-mapping.dmp

Download
memory/1684-132-0x0000000000000000-mapping.dmp

Download
memory/1696-203-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1696-200-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1696-205-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1696-212-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1696-193-0x0000000000000000-mapping.dmp

Download
memory/1732-156-0x0000000000D20000-0x0000000000E8A000-memory.dmp

Filesize
1.4MB

Download
memory/1732-148-0x0000000000D20000-0x0000000000E8A000-memory.dmp

Filesize
1.4MB

Download
memory/1732-142-0x0000000000000000-mapping.dmp

Download
memory/1748-208-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1748-180-0x0000000000000000-mapping.dmp

Download
memory/1748-186-0x000007FEF3BC0000-0x000007FEF45E3000-memory.dmp

Filesize
10.1MB

Download
memory/1748-232-0x000000001D320000-0x000000001D61F000-memory.dmp

Filesize
3.0MB

Download
memory/1748-196-0x000007FEF26D0000-0x000007FEF3766000-memory.dmp

Filesize
16.6MB

Download
memory/1748-209-0x0000000000BA6000-0x0000000000BC5000-memory.dmp

Filesize
124KB

Download
memory/1828-68-0x0000000000000000-mapping.dmp

Download
memory/1856-127-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1856-105-0x0000000000000000-mapping.dmp

Download
memory/1856-123-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1856-190-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1856-121-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/2028-175-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-173-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-189-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-185-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-154-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-194-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-177-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-176-0x000000000040E1A8-mapping.dmp

Download
memory/2028-202-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-197-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2028-158-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-172-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-166-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-170-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-168-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2036-167-0x00000000001D0000-0x0000000000222000-memory.dmp

Filesize
328KB

Download
memory/2036-150-0x0000000000000000-mapping.dmp

Download
memory/2036-169-0x00000000001D0000-0x0000000000222000-memory.dmp

Filesize
328KB

Download
memory/2036-171-0x0000000001000000-0x0000000001052000-memory.dmp

Filesize
328KB

Download
memory/2036-182-0x0000000001000000-0x0000000001052000-memory.dmp

Filesize
328KB

Download