cybergate | ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
Size

449KB
MD5

386f4dec855ea629b06c1edc0201e620
SHA1

7e38f593b678a4ad60fc4907783d7094bc775120
SHA256

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985
SHA512

688aa507aac289f016b923a63c383a2fc882100bdb209ac0c6b80d5936cdc67e008a7581c00800407cac28c4de8de41e351224281eae44b5cd8fa1bdf16d9164
SSDEEP

12288:r1dlZo5yHAShRGm9f+zQFYw4LnQZG5cz6Nfg4XK1o:r1dlZo5oAShizeYwGQZnz6361o

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

127.0.0.1:81

hackhabbo.no-ip.org:80

habbohacking.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windll32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
juangui
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sys32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Sys32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Sys32.exe

Executes dropped EXE 6 IoCs

Processes:

Sys32.exeSys32.exeMacro Flooding Tool (Black).exeSys32.exewin32.exewin32.exe

pid process

1948 Sys32.exe
972 Sys32.exe
1964 Macro Flooding Tool (Black).exe
1920 Sys32.exe
1604 win32.exe
1948 win32.exe

pid	process
1948	Sys32.exe
972	Sys32.exe
1964	Macro Flooding Tool (Black).exe
1920	Sys32.exe
1604	win32.exe
1948	win32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sys32.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}	Sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}\StubPath = "C:\\Windows\\windll32\\win32.exe Restart"	Sys32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}\StubPath = "C:\\Windows\\windll32\\win32.exe"	explorer.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/972-62-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/972-67-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/972-68-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/972-75-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/972-77-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/972-86-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1972-91-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1972-94-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/972-96-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/972-103-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/972-108-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1920-109-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1948-121-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1948-122-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1948-123-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1920-124-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1948-125-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1920-126-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exeSys32.exe

pid	process
832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
1920	Sys32.exe
1920	Sys32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sys32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	Sys32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sys32.exewin32.exe

description pid process target process

PID 1948 set thread context of 972 1948 Sys32.exe Sys32.exe
PID 1604 set thread context of 1948 1604 win32.exe win32.exe

description	pid	process	target process
PID 1948 set thread context of 972	1948	Sys32.exe	Sys32.exe
PID 1604 set thread context of 1948	1604	win32.exe	win32.exe

Drops file in Windows directory 5 IoCs

Processes:

Sys32.exewin32.exeSys32.exe

description	ioc	process
File opened for modification	C:\Windows\windll32\	Sys32.exe
File opened for modification	C:\Windows\windll32\win32.exe	win32.exe
File created	C:\Windows\windll32\win32.exe	Sys32.exe
File opened for modification	C:\Windows\windll32\win32.exe	Sys32.exe
File opened for modification	C:\Windows\windll32\win32.exe	Sys32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

Processes:

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe

description	ioc	process
File opened for modification	C:\System Volume Extracted\BÞ ˜Ü:ÜÊËY„\|t@ÎöóÄw˜Þ^ìpjòN©Â)›N(\:¼\žÏZ@£ÇSí»ø®¦{:cÂ„‘µ™Thš2ðz6xQÝ. ¡(ý–¯¨FÂI\–×i!13,¢¯iÍ¥CÊË’-ÏñÑc	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Sys32.exe

pid process

972 Sys32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Sys32.exe

pid process

1920 Sys32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Sys32.exe

description pid process

Token: SeDebugPrivilege 1920 Sys32.exe
Token: SeDebugPrivilege 1920 Sys32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Sys32.exe

pid process

972 Sys32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Sys32.exeMacro Flooding Tool (Black).exewin32.exe

pid process

1948 Sys32.exe
1964 Macro Flooding Tool (Black).exe
1604 win32.exe

pid	process
972	Sys32.exe

pid	process
1920	Sys32.exe

description	pid	process
Token: SeDebugPrivilege	1920	Sys32.exe
Token: SeDebugPrivilege	1920	Sys32.exe

pid	process
972	Sys32.exe

pid	process
1948	Sys32.exe
1964	Macro Flooding Tool (Black).exe
1604	win32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exeSys32.exeSys32.exe

description	pid	process	target process
PID 832 wrote to memory of 1948	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Sys32.exe
PID 832 wrote to memory of 1948	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Sys32.exe
PID 832 wrote to memory of 1948	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Sys32.exe
PID 832 wrote to memory of 1948	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 1948 wrote to memory of 972	1948	Sys32.exe	Sys32.exe
PID 832 wrote to memory of 1964	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Macro Flooding Tool (Black).exe
PID 832 wrote to memory of 1964	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Macro Flooding Tool (Black).exe
PID 832 wrote to memory of 1964	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Macro Flooding Tool (Black).exe
PID 832 wrote to memory of 1964	832	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Macro Flooding Tool (Black).exe
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE
PID 972 wrote to memory of 1412	972	Sys32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
"C:\Users\Admin\AppData\Local\Temp\ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe"
2⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:832

C:\System Volume Extracted\Sys32.exe
"C:\System Volume Extracted\Sys32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948

C:\System Volume Extracted\Sys32.exe
"C:\System Volume Extracted\Sys32.exe"
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Modifies Installed Components in the registry
PID:1972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1912

C:\System Volume Extracted\Sys32.exe
"C:\System Volume Extracted\Sys32.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\windll32\win32.exe
"C:\Windows\windll32\win32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\windll32\win32.exe
C:\Windows\windll32\win32.exe
7⤵
- Executes dropped EXE
PID:1948

C:\System Volume Extracted\Macro Flooding Tool (Black).exe
"C:\System Volume Extracted\Macro Flooding Tool (Black).exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\System Volume Extracted\Macro Flooding Tool (Black).exe
Filesize
492KB

MD5
b972ee4dc35e03e1fec65a92914240db

SHA1
278f45da162d9e748a0fa5cf2ca03148d85d6bd2

SHA256
d239fcd491ca79bd54abeed4b458ca62b8b637ddecc50617a8b9c0724f5ea0db

SHA512
70820e4151f30742a074d4fbda29cc7e26d3cc61cf11970689401c8b4d40f2a3e73a686989af28869b5e2a7610a86dbe30337367359168cd80c57f4628c2a2af

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
1dbbe923b9a0861e41c93a73bbe61cd0

SHA1
305d08af121dde5bed148dd0eed203857cfc21a9

SHA256
750a1279a9b82a85f2d86daf2707a1e04061b119ef6d096e521c21892b5318fb

SHA512
f6f1b58c18a373661c74768526cd6b80f8a6df03bb35e7a6d823fb91bf9e9e0c457998bcb9d528a2817870ae01877506843eb6430fbf823ef092f0ceb9211965

Download Submit
C:\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
\System Volume Extracted\Macro Flooding Tool (Black).exe
Filesize
492KB

MD5
b972ee4dc35e03e1fec65a92914240db

SHA1
278f45da162d9e748a0fa5cf2ca03148d85d6bd2

SHA256
d239fcd491ca79bd54abeed4b458ca62b8b637ddecc50617a8b9c0724f5ea0db

SHA512
70820e4151f30742a074d4fbda29cc7e26d3cc61cf11970689401c8b4d40f2a3e73a686989af28869b5e2a7610a86dbe30337367359168cd80c57f4628c2a2af

Download Submit
\System Volume Extracted\Macro Flooding Tool (Black).exe
Filesize
492KB

MD5
b972ee4dc35e03e1fec65a92914240db

SHA1
278f45da162d9e748a0fa5cf2ca03148d85d6bd2

SHA256
d239fcd491ca79bd54abeed4b458ca62b8b637ddecc50617a8b9c0724f5ea0db

SHA512
70820e4151f30742a074d4fbda29cc7e26d3cc61cf11970689401c8b4d40f2a3e73a686989af28869b5e2a7610a86dbe30337367359168cd80c57f4628c2a2af

Download Submit
\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/972-86-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/972-62-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/972-67-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/972-108-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/972-77-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/972-103-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/972-75-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/972-68-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/972-63-0x0000000000455C00-mapping.dmp

Download
memory/972-96-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1412-80-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1604-112-0x0000000000000000-mapping.dmp

Download
memory/1920-100-0x0000000000000000-mapping.dmp

Download
memory/1920-124-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1920-109-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1920-126-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1948-117-0x0000000000455C00-mapping.dmp

Download
memory/1948-57-0x0000000000000000-mapping.dmp

Download
memory/1948-121-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1948-122-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1948-123-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1948-125-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1964-71-0x0000000000000000-mapping.dmp

Download
memory/1972-94-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1972-91-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1972-85-0x0000000074551000-0x0000000074553000-memory.dmp

Filesize
8KB

Download
memory/1972-83-0x0000000000000000-mapping.dmp

Download