cybergate | 7c34875159ec92c7be9f101b05dcac2693cda46b95e321f939fc1e46f951e868

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44515080c55fb13c81e26d980bd69e6f.exe
Size

351KB
MD5

44515080c55fb13c81e26d980bd69e6f
SHA1

5d638f9fc59663fe4dea617713ad5c3af14eeafa
SHA256

7c34875159ec92c7be9f101b05dcac2693cda46b95e321f939fc1e46f951e868
SHA512

a4d19d09bd4c5b2a4a8b38f6c315900f6353981b511d7b92a4bf8a553192816d3f7e3177db0fd65b4b7a8cd1fc17f17f93092d1ef534a2f4ab7d096d368eea10
SSDEEP

6144:i4ABF2AwpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXKaIp09/7:xUsADGLE0kuGnESBp

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

mise1.zapto.org:999

Mutex

Y6W4885G2IRK2H

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.server.com
ftp_username
ftp_user
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EP488XCD-W013-H2LH-8D6D-N8WM8X4UT3IQ}	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EP488XCD-W013-H2LH-8D6D-N8WM8X4UT3IQ}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	44515080c55fb13c81e26d980bd69e6f.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	44515080c55fb13c81e26d980bd69e6f.exe
2672	44515080c55fb13c81e26d980bd69e6f.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2400-4-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/2672-16-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2672-299-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/2400-298-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x00300000000170b7-303.dat	upx
behavioral1/memory/2688-329-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2688-331-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2672-815-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2400	44515080c55fb13c81e26d980bd69e6f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	44515080c55fb13c81e26d980bd69e6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	44515080c55fb13c81e26d980bd69e6f.exe
Token: SeDebugPrivilege	2672	44515080c55fb13c81e26d980bd69e6f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1672	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28
PID 2400 wrote to memory of 2892	2400	44515080c55fb13c81e26d980bd69e6f.exe	28

C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe
"C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe
  "C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- - C:\directory\CyberGate\install\server.exe
    "C:\directory\CyberGate\install\server.exe"
    3⤵
    - Executes dropped EXE
    PID:2688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
237KB

MD5
15662b1e8c8e27a4307aafc814543e72

SHA1
9f8b4b68834b3c5894e711245ff172d6279cd27a

SHA256
9db872d8323a6139fa2e25c64c5cc38fb7258b7843b6fc1b0c00136f3570031f

SHA512
79976f0aa09b22e8462ae9798ef0df60b1618771d63ee8419bb82abda9f5781bb78848e89d2c0af954953d505d8b2df948fc78158037679f8f20eebd9bfe6c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f0c8bff95cf5e6a2faff0bed6180f0cd

SHA1
9365e0cfdc0b6c2dd2e001892db013619cf65943

SHA256
cb8c07289c85f213f6d8d1ebbe56a297131720852a15ef4ae9d0211a778406a1

SHA512
3503ae45efb61e6e892f5c57875fcc1a4de86c033b03621e76d7fdca3a3b3d7d37471cfb3665a515ea6d07da1ae3eedf254b58ac39fc09bc4d0299abe5a3c2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0e2cae2fefd61d93d6c0968fcf61d0fd

SHA1
711f71935a1a1ea6730364725393b2e4ce3f9704

SHA256
827ecccb0cfca7c8d4caf7a0576cb1e898e1b3e2ab2b752fb083d43a32047fc7

SHA512
90edf8cb3786b578ae1d449d678b60603530983e364c68a5b53f0bfbcdce6e62720c3e3e8820d13a34ba567fecbf8233d235dcdd67a9afa93aa03f084f9f6725

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5027c9d73691f3e0597d8496f53ce265

SHA1
6ae07affebd1300e6a64c3e9f6219aaf8d29ee17

SHA256
6cf74a08281aa03a5105b89ed7f65b0a2ef051c42df67b915ee7beea2d4b2e6f

SHA512
6046cccaf73f8d7d3b4f560347ac07857c9312f6a79341a48404b0c28e3a7fe5d207cd8de779d0e249326a4d9b800cbf7ec54ec5da24d98c3b69a3a96ceab1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ea099b4460fa246a23d99aafc81f8b81

SHA1
7a2a2513e7e99082eb9da29fed631a0e0c98a12a

SHA256
ccc7dbde4ae23f660103ca5fd61237395572b8cb2af0b36503767ba9f088257e

SHA512
99517ff26a370f1c74744ca7e8f5fd5110b1ac1c73223ffaeb275f47aab78c19672a63bbfaab53f99667717a8fd4eaef84176827a5d4db2d7cc2a447e21ffd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c709d1c13750d4c408a3bc09f517cd80

SHA1
d160c473acdf0e5d51695c158e63b6be70141bad

SHA256
2d8cbabf30ee8838cd2009ee2d3d34a1cbd2cffd487f88a97a9807702976c9e4

SHA512
f126534ebd11ea8bb1950408d2a8847de998e902f3afc674f51803a131172c6bb75321386c96130cff756b549596e39e0e2d9dae54e5b076affd5d2adb3a854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
778a3cb3417defb6e7bcf8f8fe26ac80

SHA1
5ab8f466eedc61e5be5654e0a716e630d07c3634

SHA256
6287763eec7f4692d14e7ed322648db13e026f854a3d696622436e3594afa3e5

SHA512
6150091e00788fe6bfeb4c11cf3b8ba157705c93c093bf895eaa73764ffae49274941abfb2e870ab11c7a894e7f1b44a9429075570671bd50391e8dbfc441b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b127b80ca46ac75236349600b254804a

SHA1
2faf981b45591e7f7bc8122828c8de500f4bacd3

SHA256
b808183700d943882fdcf445c82bb3d98bcf33c61e507bda5edf9d095207eabc

SHA512
b1b6e8ba2fec6de78b0f8986f8af4c3e710bc3dd2b8eccac31decd601684ba8e0d1b0b450c3258742d143d5f72e3f07c0dac99af0a0e39a53b84430acb37cb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6a7644f61023036ca27aff7d976a114b

SHA1
edc0bda4c9c925b87e993e081908e4cbdffa970b

SHA256
6e973eae1312708b85cbc5f6a3e7832308215cadce6fde7dc6f33de5e62f6d36

SHA512
df95a9a1748bb5d0a5a332a2c94380c9a0c675cb9658bcad5db123a863c6bbbcd20243c2a11245e97e40413b2e45c6e8c72614df8adb373b5efd762f5f5f9311

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
59a031581f2ed3d92f6dee0d510757c4

SHA1
3a2d61c74c36b46733ab8917a80ca05f0428c674

SHA256
56c83fd8a5e96d94a2754933d458c38f50171ab103575c42ba8cfd7d2dd6160f

SHA512
c5ff657561090156e99ecd31280b6c923599ed4905a2e4ce837e3072445c8504b1adf4744db592ff6b5d66cd687c450ea159c4125826ea872652e93086f3761d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2343acf95f8d32bf7cf2845b7b419014

SHA1
172bfeb2a83dbc6f60a2da87a6f9fe995a589a49

SHA256
ad53c722112f4ac6f4426f038f46ac3b5003d36507a248dcd67c1c63899911d3

SHA512
176b316c357ec08245bfaf0c98ba5f549aeb73c22fc9de9e8f65750a1eeb0c3746db41c451b812f2bacd27d12d92cd4fdf9defad717e9e89f68bab36bf942640

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5506d21ead0c419bd767169b9e59fb31

SHA1
8665e9baa998589c9b058dbb3ccad022b35f8621

SHA256
8967249c5a2cd01c5e8b8092e35b9951681f6d434cfe6146388ad5621ab38f07

SHA512
16c6488650f5cc8259592b73edb02d4c4c138350d15d60c7ccad70f762244bb368b09113040e1815887a6f6c25c2a1b8796db6b77b13fea5e788421910555bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
357bfcc9b0fb2555628bc352f64c3f41

SHA1
936920d9854d9461dcd53960f3c5bdd60c4f0a63

SHA256
9014ed70a22b9502942cbd40724b06e5fe321e04a96cb3eccbf103f59354ff6a

SHA512
406477f505e056da64b5b47279ea9fd91b8d68dae23ed65b319efc65087dd31f9a62241152154292562aca7399dc62df2ba315503193a59780c3e8e1365c388d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19b933dda3ff8ab4baed44648950b45a

SHA1
f13d55928782108781dbc9c477c4e4cbad20bcb3

SHA256
9edb76f6db5da360c53c4dc218776d4e79f4fa0499d81cc8803ec7fa25067a17

SHA512
fb1d88371157cd813aec6b8dbb7e1120abb18542e537eaa2741f5c290c3b165a24bb716c96e0f575689491ff4ee9d1b567f4f6ba7b19db50d589da1c5cda66b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4bf7e8777e5996cc4d7288e95d1b9aa6

SHA1
59f71aa3158cfa3517108d768f19773e3abfa3be

SHA256
3c414460ce9dcd0c51814618031368a25dccc8c43e3b6020b0a29e2aa6284fd6

SHA512
d894b3ea473e660d5279f1158be5e27d2061aa3245f180bc0e9b816c40b08b917b4e937685609ab7b2f7ca28054bc968cbb49d66d02e32c87783491e6111f9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
04e78d254e0b58378c28cc6af645c2d6

SHA1
78478fe6c0d9c2931aabbf2da0717d62eb74bad7

SHA256
4152ba37977dc4a0cfe3f7cdd0e5a0019ce7bd2da22ae681b6f4618bb0350874

SHA512
bdd454276734eaff89e00a94daee713422c02b02b0b161ae68eecb96ccbaca67789c572894af87c577d824ffb04d3aeec2378a5ce22ef09e96fb66a1c36d489f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6b21364b43d25ea1e127e2218cbd9987

SHA1
fd9f4b0940f8fdb50e297d426e353bbc6565ac70

SHA256
ebaf373481af86e65f42d2ebfc273794c0b4878e1627ab8c2b226cae38977292

SHA512
dd930d31a57ac0075bf7413dcafb01e297b6dc4ddcdcbd628931cb025e1584c7745ea49c771ed1f46063ffcd7f526f4a8b2c6a628f32eed24d9d0c5ba153f357

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7ad64b28ac7199cc0f7b727acb25fd71

SHA1
2fe404f05f38e7bb60b09bd3ce00113ed8c39c22

SHA256
8d24b583dd9dab960451998ddfc2caef327d3113d98250c3c045aa4088190bfe

SHA512
644b51520b8a96561b511f0ff816a04207253483634528e407c4b22df9fcc8bd2dadbab013f4f2e8a12259413a21780ebea1a3f4345f9898dee30f417d31b962

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5212645b2ae960b8398af32f5776ba4a

SHA1
21071583b503ff4e8fbccc8be2dfd65bb9e4797d

SHA256
12ea5b709e3b1807f730f9ac568e016472aceaf149881fa316954fbfaf6abe1c

SHA512
fb22920c06502a37a612f59fbff82b29dc4f1f540205b3b86b5978ff53b7d15217df8f87ff14ffa69e1c1e851984319917fbdc5db2ff8212335908743a89f970

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7081ce04968a87fbd05db1d87c75db0b

SHA1
5d8d07b956277447d69c490f114f5e487fd520fe

SHA256
71371ef8fea980c6622f5fd1f60794acbbb6dd8eb86048202b2c6c475ced1b38

SHA512
2c541bf8a90ac5092e4a4a19a5ff7df97e6751bde7bed56fc93c0cab645736ab956a341b83885860fd2a7d70b1745cd57fa67e6fc6db32441d1fe6845214795d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eadf9915c24ff82c5f4df798fc541b6f

SHA1
9043015695d4c51bcadcad9ae951ab48ca6e75e7

SHA256
9fa69cb3e08019daa6781a48907f0bd3cfdbae18d3918a5379907537d2d67d69

SHA512
43f0d18e05c55f2dc2d6f1885d7fae137ff66af2daed19fd3a05660cf7d8b29b5eba636a8fef3bc4a4c19c6cfb47c9fbb3e1a494c3fba5bc2fbb2404d00fa161

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ba265ab1656a1c52e918dcbbc3466fa4

SHA1
743cb77ceaaaa3e9e530d2a7e7c25f7360543276

SHA256
629ab5f614b16894298f7020c639f67679759982be3b415289483348aa71898f

SHA512
f6dc6843da02b3eba784d65e123d9b6fc2349e75b3a46ccc38f4742059ea2d260eb397c287802daf17a1f91850c23bb3424255db99be14e3e47352a2973f501a

Download Submit
C:\Users\Admin\AppData\Local\Temp\une img2.jpg

Filesize
14KB

MD5
67dbc594d9c41571135418c4490776c9

SHA1
34594831aefb52adc1c383ea883c8b36fbe77e0c

SHA256
62133b97e38036ad62c8fb9512d36dd2ce28fbda72f7ffde8f3bbc08c853fb7e

SHA512
0574b7b9218a363b189831ef9bf91a0b3ec2e1c9eb03a6fa1934ea5183c91f4601086b5cb588c10bc9df099c3582b9b802773d1446bfb937f2f0db6e6949fad4

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\??\c:\directory\CyberGate\install\server.exe

Filesize
351KB

MD5
44515080c55fb13c81e26d980bd69e6f

SHA1
5d638f9fc59663fe4dea617713ad5c3af14eeafa

SHA256
7c34875159ec92c7be9f101b05dcac2693cda46b95e321f939fc1e46f951e868

SHA512
a4d19d09bd4c5b2a4a8b38f6c315900f6353981b511d7b92a4bf8a553192816d3f7e3177db0fd65b4b7a8cd1fc17f17f93092d1ef534a2f4ab7d096d368eea10

Download Submit
memory/1672-324-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1672-1001-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2400-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2400-298-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2400-4-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/2672-815-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2672-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2672-21-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2672-1328-0x00000000043C0000-0x0000000004419000-memory.dmp

Filesize
356KB

Download
memory/2672-299-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2672-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2672-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2672-328-0x00000000043C0000-0x0000000004419000-memory.dmp

Filesize
356KB

Download
memory/2688-329-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2688-331-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download