cybergate | ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
Size

449KB
MD5

386f4dec855ea629b06c1edc0201e620
SHA1

7e38f593b678a4ad60fc4907783d7094bc775120
SHA256

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985
SHA512

688aa507aac289f016b923a63c383a2fc882100bdb209ac0c6b80d5936cdc67e008a7581c00800407cac28c4de8de41e351224281eae44b5cd8fa1bdf16d9164
SSDEEP

12288:r1dlZo5yHAShRGm9f+zQFYw4LnQZG5cz6Nfg4XK1o:r1dlZo5oAShizeYwGQZnz6361o

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

127.0.0.1:81

hackhabbo.no-ip.org:80

habbohacking.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windll32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
juangui
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sys32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Sys32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe

Executes dropped EXE 6 IoCs

Processes:

Sys32.exeSys32.exeMacro Flooding Tool (Black).exeSys32.exewin32.exewin32.exe

pid process

3520 Sys32.exe
4656 Sys32.exe
3268 Macro Flooding Tool (Black).exe
3588 Sys32.exe
2240 win32.exe
3952 win32.exe

pid	process
3520	Sys32.exe
4656	Sys32.exe
3268	Macro Flooding Tool (Black).exe
3588	Sys32.exe
2240	win32.exe
3952	win32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sys32.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}	Sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}\StubPath = "C:\\Windows\\windll32\\win32.exe Restart"	Sys32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J4Q1O16G-A460-3VDS-4HL8-X1A2PC2D51HI}\StubPath = "C:\\Windows\\windll32\\win32.exe"	explorer.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4656-138-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4656-141-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4656-142-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4656-148-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4656-150-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4656-155-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4752-158-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4752-161-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4656-163-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/4656-169-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4656-173-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3588-172-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3588-174-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3952-183-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3952-184-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3952-185-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3588-186-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exeSys32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Sys32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sys32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	Sys32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windll32\\win32.exe"	Sys32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sys32.exewin32.exe

description	pid	process	target process
PID 3520 set thread context of 4656	3520	Sys32.exe	Sys32.exe
PID 2240 set thread context of 3952	2240	win32.exe	win32.exe

Drops file in Windows directory 5 IoCs

Processes:

Sys32.exeSys32.exewin32.exe

description	ioc	process
File created	C:\Windows\windll32\win32.exe	Sys32.exe
File opened for modification	C:\Windows\windll32\win32.exe	Sys32.exe
File opened for modification	C:\Windows\windll32\win32.exe	Sys32.exe
File opened for modification	C:\Windows\windll32\	Sys32.exe
File opened for modification	C:\Windows\windll32\win32.exe	win32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2868 3952 WerFault.exe win32.exe
Modifies registry class 1 IoCs

Processes:

Sys32.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Sys32.exe

pid	pid_target	process	target process
2868	3952	WerFault.exe	win32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sys32.exe

NTFS ADS 1 IoCs

Processes:

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe

description	ioc	process
File opened for modification	C:\System Volume Extracted\BÞ ˜Ü:ÜÊËY„\|t@ÎöóÄw˜Þ^ìpjòN©Â)›N(\:¼\žÏZ@£ÇSí»ø®¦{:cÂ„‘µ™Thš2ðz6xQÝ. ¡(ý–¯¨FÂI\–×i!13,¢¯iÍ¥CÊË’-ÏñÑc	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Sys32.exe

pid process

4656 Sys32.exe
4656 Sys32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Sys32.exe

pid process

3588 Sys32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Sys32.exe

description pid process

Token: SeDebugPrivilege 3588 Sys32.exe
Token: SeDebugPrivilege 3588 Sys32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Sys32.exe

pid process

4656 Sys32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Sys32.exeMacro Flooding Tool (Black).exewin32.exe

pid process

3520 Sys32.exe
3268 Macro Flooding Tool (Black).exe
2240 win32.exe

pid	process
4656	Sys32.exe
4656	Sys32.exe

pid	process
3588	Sys32.exe

description	pid	process
Token: SeDebugPrivilege	3588	Sys32.exe
Token: SeDebugPrivilege	3588	Sys32.exe

pid	process
4656	Sys32.exe

pid	process
3520	Sys32.exe
3268	Macro Flooding Tool (Black).exe
2240	win32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exeSys32.exeSys32.exe

description	pid	process	target process
PID 3480 wrote to memory of 3520	3480	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Sys32.exe
PID 3480 wrote to memory of 3520	3480	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Sys32.exe
PID 3480 wrote to memory of 3520	3480	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3520 wrote to memory of 4656	3520	Sys32.exe	Sys32.exe
PID 3480 wrote to memory of 3268	3480	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Macro Flooding Tool (Black).exe
PID 3480 wrote to memory of 3268	3480	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Macro Flooding Tool (Black).exe
PID 3480 wrote to memory of 3268	3480	ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe	Macro Flooding Tool (Black).exe
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE
PID 4656 wrote to memory of 2576	4656	Sys32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe
"C:\Users\Admin\AppData\Local\Temp\ca28419cdfcf0501ac7cdd7ea5ffb55937b64eca129646b27fb67c3df0461985.exe"
2⤵
- Checks computer location settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3480

C:\System Volume Extracted\Sys32.exe
"C:\System Volume Extracted\Sys32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520

C:\System Volume Extracted\Sys32.exe
"C:\System Volume Extracted\Sys32.exe"
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Modifies Installed Components in the registry
PID:4752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:992

C:\System Volume Extracted\Sys32.exe
"C:\System Volume Extracted\Sys32.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\windll32\win32.exe
"C:\Windows\windll32\win32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\windll32\win32.exe
C:\Windows\windll32\win32.exe
7⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 532
8⤵
- Program crash
PID:2868

C:\System Volume Extracted\Macro Flooding Tool (Black).exe
"C:\System Volume Extracted\Macro Flooding Tool (Black).exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3952 -ip 3952
1⤵
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\System Volume Extracted\Macro Flooding Tool (Black).exe
Filesize
492KB

MD5
b972ee4dc35e03e1fec65a92914240db

SHA1
278f45da162d9e748a0fa5cf2ca03148d85d6bd2

SHA256
d239fcd491ca79bd54abeed4b458ca62b8b637ddecc50617a8b9c0724f5ea0db

SHA512
70820e4151f30742a074d4fbda29cc7e26d3cc61cf11970689401c8b4d40f2a3e73a686989af28869b5e2a7610a86dbe30337367359168cd80c57f4628c2a2af

Download Submit
C:\System Volume Extracted\Macro Flooding Tool (Black).exe
Filesize
492KB

MD5
b972ee4dc35e03e1fec65a92914240db

SHA1
278f45da162d9e748a0fa5cf2ca03148d85d6bd2

SHA256
d239fcd491ca79bd54abeed4b458ca62b8b637ddecc50617a8b9c0724f5ea0db

SHA512
70820e4151f30742a074d4fbda29cc7e26d3cc61cf11970689401c8b4d40f2a3e73a686989af28869b5e2a7610a86dbe30337367359168cd80c57f4628c2a2af

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\System Volume Extracted\Sys32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
1dbbe923b9a0861e41c93a73bbe61cd0

SHA1
305d08af121dde5bed148dd0eed203857cfc21a9

SHA256
750a1279a9b82a85f2d86daf2707a1e04061b119ef6d096e521c21892b5318fb

SHA512
f6f1b58c18a373661c74768526cd6b80f8a6df03bb35e7a6d823fb91bf9e9e0c457998bcb9d528a2817870ae01877506843eb6430fbf823ef092f0ceb9211965

Download Submit
C:\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
C:\Windows\windll32\win32.exe
Filesize
404KB

MD5
aa7547efaccd640c9e48530dfcfc2b03

SHA1
da3d071e38778af7fe0201fc80762297c85a8c66

SHA256
4d058b748e72947347868f93f356b910b3e68ca5c039345a4b6659a360332078

SHA512
c0c5f4b84cdd1f72ac82fe69997b4933e4d5dc86ba0581534a8b7a8aa4ba5fb183944e0923f66cca6cf2e495f058ab11c5a016e57dc2377cdc441c93015ed7ab

Download Submit
memory/2240-175-0x0000000000000000-mapping.dmp

Download
memory/3268-143-0x0000000000000000-mapping.dmp

Download
memory/3520-132-0x0000000000000000-mapping.dmp

Download
memory/3588-172-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3588-186-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3588-174-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3588-167-0x0000000000000000-mapping.dmp

Download
memory/3952-185-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3952-184-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3952-183-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3952-179-0x0000000000000000-mapping.dmp

Download
memory/4656-169-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4656-150-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4656-173-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4656-142-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4656-163-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4656-141-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4656-138-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4656-137-0x0000000000000000-mapping.dmp

Download
memory/4656-148-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4656-155-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4752-161-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4752-158-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4752-154-0x0000000000000000-mapping.dmp

Download