Malware Analysis Report

2025-01-02 13:55

Sample ID 230626-g6az1sgg47
Target CyberGate v3.4.2.2 Cracked.zip
SHA256 4b60c647ac9d4582d43c4ca63186258809f380e8e9d7672ca996dbc8c0340f40
Tags
upx cybergate remote persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b60c647ac9d4582d43c4ca63186258809f380e8e9d7672ca996dbc8c0340f40

Threat Level: Known bad

The file CyberGate v3.4.2.2 Cracked.zip was found to be: Known bad.

Malicious Activity Summary

upx cybergate remote persistence stealer trojan

Cybergate family

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Checks computer location settings

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-26 06:24

Signatures

Cybergate family

cybergate

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-26 06:24

Reported

2023-06-26 06:26

Platform

win10v2004-20230621-en

Max time kernel

83s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe

"C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 47.125.24.20.in-addr.arpa udp
US 20.189.173.9:443 tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 126.130.241.8.in-addr.arpa udp

Files

memory/2684-133-0x0000000000400000-0x000000000140D000-memory.dmp

memory/2684-134-0x00000000758D0000-0x0000000075AE5000-memory.dmp

memory/2684-2072-0x00000000756D0000-0x0000000075870000-memory.dmp

memory/2684-3077-0x0000000075F80000-0x0000000075FFA000-memory.dmp

memory/2684-6670-0x0000000000400000-0x000000000140D000-memory.dmp

memory/2684-6671-0x0000000000400000-0x000000000140D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cnvB6B.tmp

MD5 c8bb6fe40d038b85a8464c23c8b03a39
SHA1 16a42f14e8fc75f732ddfe561f01237241adcd0a
SHA256 a6f0fd04ca2ae012d6fa72e027fc4ffd1043d611cf7f77aa17604647867a3fa0
SHA512 c25bd5b08e076546a48fdfdb09c75e66d170cb1e51a39ae21c77134ff68c2b9b3c173bca91404778a51adb983c64bd52dbe3c7338f1a6f36d5048b7788513f9c

memory/2684-6676-0x0000000010000000-0x000000001018A000-memory.dmp

memory/2684-6677-0x0000000000400000-0x000000000140D000-memory.dmp

memory/2684-6678-0x0000000010000000-0x000000001018A000-memory.dmp

memory/2684-6686-0x0000000010000000-0x000000001018A000-memory.dmp

memory/2684-6687-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2684-6688-0x0000000000400000-0x000000000140D000-memory.dmp

memory/2684-6689-0x0000000010000000-0x000000001018A000-memory.dmp

memory/2684-6690-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2684-6691-0x0000000000400000-0x000000000140D000-memory.dmp

memory/2684-6693-0x0000000000400000-0x000000000140D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-26 06:24

Reported

2023-06-26 06:25

Platform

win10v2004-20230621-en

Max time kernel

17s

Max time network

19s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\directory\CyberGate\install\server.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2540 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe

"C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\directory\CyberGate\install\server.exe

"C:\directory\CyberGate\install\server.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 229.78.74.40.in-addr.arpa udp
JP 40.79.189.59:443 tcp

Files

memory/2540-136-0x0000000010410000-0x0000000010480000-memory.dmp

memory/2540-140-0x0000000010480000-0x00000000104F0000-memory.dmp

memory/2216-144-0x0000000000700000-0x0000000000701000-memory.dmp

memory/2216-145-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/2540-200-0x00000000104F0000-0x0000000010560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 f8ea6b460cd968e4b12a3d7a57dda28f
SHA1 abc2943337cfb876fe72dcc3684bbb12bb1ec638
SHA256 5ce0400db7fea62d32f20e8a72c2e116c316a58e2b5575340a5097f4ffe46386
SHA512 020aba30ef6fe4505db41c5e501b71f284c9a9f76ff8cfcd92604bc4c4383b17b912fc69e7248560e39df676e689ac70b117198415ff955f97bd440abf00d22b

C:\Users\Admin\AppData\Local\Temp\Admin8

MD5 13eab812c78c8973c4835624e6c0d3cf
SHA1 e4adad263ad256162af9b8398da3cd5aef4b3092
SHA256 b7be0d6f25b38613d997963809168224e5aa7549df18fcdc3b71d693fd71d801
SHA512 b64d750209a228dfd33feab7f29fb17eed5108073cc9f3d7658482f8cb55862e51a610246f56f7720829d3872ea9627df320b9c3603238320e0e59cd3d2c1bea

memory/2216-278-0x00000000104F0000-0x0000000010560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 01aefe7b5a7c1627737371735d2714f1
SHA1 6454d23e6ef2ae97f205ef357f2d8a1907a639cf
SHA256 211d0ac0b1ddd8dbfe3b0fd4e4483c19576ac6e36969d705e11451fc57b1ee1b
SHA512 3d62bf48fbd1203066f4e599977b9719538af5e9cd84df4a3a67c59ff1b532a96212d2ae8462b013b50fcc4f692c37c39ab61c1ad4bcd2476fe06dc4fd0311a5

C:\directory\CyberGate\install\server.exe

MD5 193642d723ede4bbfc6243fdee330a46
SHA1 7f4217ca52d5f5bc0d31405aa8aeabdcc86ae1e7
SHA256 022781a00ae035eba4657733106f9d6909ec28f4bcd77b19a0ee215cb7766d85
SHA512 faa873ab32649a1607065074a0bda5e3a20ceaa54505244edcee639eb3bb4f74b1976c2b4c4f688ea325d92f9c94ab4fef70c1f77d336861223fbb1a47bab8ed

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7b9d07b6d767fa2487594c83db76b164
SHA1 12aa06b39ef87804b22f3cf32d79161386ef1d79
SHA256 a4d2692bc6abe15f636c237443af0158f56f62b9539b8f104d6342e1890d5f1c
SHA512 c33c9ae0907a2c0b21c6069451779b3410c1ba3eba917a353a5fbce162d8f5caf72e65ef3027c70e13c0f2910b710e8edaf4148447c861161c1ecbd58bd9caf1

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 7b69b6d44607fb2a2cbfd647a8f592a0
SHA1 b0369006edcd8653036d48ad03d77c5aa0b67843
SHA256 df873d76452582dafbd3f6608b860796451b797d3ec4cf3dadb935fa543b0769
SHA512 c9ed8fdc2dd983f7d489cb2c9b8aa1898075adb7fc1e4316431b727afe1ac2efc4811dcd8af4f289116111c09c20f9d89feb0d35b04dce848238745e5055ba33

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f7534c9e71f8d48ab4b11eadd0b1c808
SHA1 1e5e837724e7a799c82e36eb74c75bced16e6062
SHA256 ae1e3c2702433eb81d6688ee87350cdf2be6c2ff444993095f191d5ca40c26f2
SHA512 3a0b2dee44a83b204dfac834ddb4868395abf1ea09b44127cff17789e508d69fe1295d08d1bf73e2b5f304a9f662c479c3f4698fcd87ebd229ba36d4f76dee8f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 229668c2fcaa626b8b1e83dc5532f8d2
SHA1 ce106476db7d97a15f8fe4eea2b65c4db6872a61
SHA256 4f8a724876400db5213979a34b33abd983744a87e6ab67a82168d0142ce060b8
SHA512 d41b17642c942afcfa5f5ae7c21659538da18b20520b70f484ae54e5e5d37384d6e8b4df2545005df0f850dd614063d2b3e19ed3d51d2ceae2610c1f4df20a6b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 408be7f1457433c36e817076281c04c1
SHA1 23792832611a278d434e0e985490cf57a9903f8e
SHA256 c4021ef34cf2454cf95a36a5e04502781e1c149ff75882a44df9c39c224cb4f0
SHA512 e1ebb1ccb4dc4278678096f7826b61fe42daa5cd54ac250ec479d32240126b9d84f93826c7a59370220cbec1a88f9138282e0ea548f9e442967d8236f0e6d885

memory/2216-1411-0x00000000104F0000-0x0000000010560000-memory.dmp