cybergate | 7c34875159ec92c7be9f101b05dcac2693cda46b95e321f939fc1e46f951e868

Analysis

max time kernel
167s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44515080c55fb13c81e26d980bd69e6f.exe
Size

351KB
MD5

44515080c55fb13c81e26d980bd69e6f
SHA1

5d638f9fc59663fe4dea617713ad5c3af14eeafa
SHA256

7c34875159ec92c7be9f101b05dcac2693cda46b95e321f939fc1e46f951e868
SHA512

a4d19d09bd4c5b2a4a8b38f6c315900f6353981b511d7b92a4bf8a553192816d3f7e3177db0fd65b4b7a8cd1fc17f17f93092d1ef534a2f4ab7d096d368eea10
SSDEEP

6144:i4ABF2AwpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXKaIp09/7:xUsADGLE0kuGnESBp

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

mise1.zapto.org:999

Mutex

Y6W4885G2IRK2H

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.server.com
ftp_username
ftp_user
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EP488XCD-W013-H2LH-8D6D-N8WM8X4UT3IQ}	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EP488XCD-W013-H2LH-8D6D-N8WM8X4UT3IQ}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	44515080c55fb13c81e26d980bd69e6f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	44515080c55fb13c81e26d980bd69e6f.exe

Executes dropped EXE 1 IoCs

pid	Process
4844	server.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4460-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4460-4-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/2248-11-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4460-15-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4460-66-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/2248-70-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/2248-71-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/4460-72-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x000400000001e7e6-77.dat	upx
behavioral2/memory/2248-94-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/4844-3314-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe"	44515080c55fb13c81e26d980bd69e6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	4844	WerFault.exe	104

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	44515080c55fb13c81e26d980bd69e6f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	44515080c55fb13c81e26d980bd69e6f.exe
4460	44515080c55fb13c81e26d980bd69e6f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2248	44515080c55fb13c81e26d980bd69e6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	44515080c55fb13c81e26d980bd69e6f.exe
Token: SeDebugPrivilege	2248	44515080c55fb13c81e26d980bd69e6f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93
PID 4460 wrote to memory of 440	4460	44515080c55fb13c81e26d980bd69e6f.exe	93

C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe
"C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:440
- C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe
  "C:\Users\Admin\AppData\Local\Temp\44515080c55fb13c81e26d980bd69e6f.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- - C:\directory\CyberGate\install\server.exe
    "C:\directory\CyberGate\install\server.exe"
    3⤵
    - Executes dropped EXE
    PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 564
      4⤵
      Program crash
      PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4844 -ip 4844
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
237KB

MD5
15662b1e8c8e27a4307aafc814543e72

SHA1
9f8b4b68834b3c5894e711245ff172d6279cd27a

SHA256
9db872d8323a6139fa2e25c64c5cc38fb7258b7843b6fc1b0c00136f3570031f

SHA512
79976f0aa09b22e8462ae9798ef0df60b1618771d63ee8419bb82abda9f5781bb78848e89d2c0af954953d505d8b2df948fc78158037679f8f20eebd9bfe6c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c294169bf283f14f3efd11ffd6dcf34c

SHA1
1ea502ce26ee0ae4a7121d55416ef89d819e8c78

SHA256
4c798f72e015085740a0d4ed0125c8d9c2d437273f5adb26b849c866f5bc4bb1

SHA512
06fc50e7d5dbf0955012a6f46ea907c4fef88aeaedfbb7a7d1b924bc8cc7806d37da642d261c6e8522b3a977ec1dd7fc91649f030e904c513cd2d27bd4d566ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f81bd686c2c859c6b4c0f8d0d15c37e8

SHA1
9a25486c53770144745029bef33e600c0e48ef89

SHA256
9489f37d98cd9908ea3800c43cd8fa51a6cddd7a140b86163221c07bba76cd8b

SHA512
7f74f46922e6e1a39a97fd4cee550c801e9ed7fd7bdadb3c2939ee0fd29432666958a6a31ab11813b77925223c1521ec27843556b933b9d33d295e5f664b8e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
95c5d451dd4f66f9586ca3ab8f2d5ad7

SHA1
bcce24641809fd830b1fc3904e37231adb0bb380

SHA256
0e63c85681409be902903c32b39fb49d55bd386f2e868c5a1d14b43b4556825c

SHA512
aa4340576978fbd6f49718ee2ba8bee1060ad88476f6acf57580c35ac8902edf284fb6723c9e86c8613fa8445aa0914ba6d8b7c73ac07cf02f5f42a5b2a9b453

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
71d00e96c0c4b681efd2145e04b5068e

SHA1
80d3e063c1dd77936c575391ff09459ad3e5ac2c

SHA256
4c05c5c742d876dd07cc753228d2e77e5c5d7c05de2a81993c7755d5f9595a0d

SHA512
3c045c32c687bba5b3f57b41f49af4dea422d66fb1818207454e3c16f8a8ae7c5734dc7840e9c8572c36c01b8be2cc0556d077ca51d1b09d4e3ff53b0c292f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f13c85a5361f01a36266a3eeb90752f8

SHA1
b50e0bef2f6c7a9119827c7ddb6179b6aa329882

SHA256
2488108e41ae75d00ef5db50d7568a5999c8d33f8f8561770aa226eaa2114554

SHA512
e68f08911b5296bd33920254f103f26a6db8072ddd6f71f0dd13a53466942d2869cf4a070d378b353b8b7bc96f4819a21acc19c67097ddf2a809777aaa7f0eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ee5fbdc4a04a66dd34f41697f33c9e22

SHA1
5eb7bfa95685f43581ee2a3e141917027c1ff1fd

SHA256
9169eaa879245a318dc0a142eeaf974e4945d29d556a0c02dc977e3dcaf01012

SHA512
2822efe87521c795d787a298ef8c1dc197838fd68fd9196087921d4affd4dda04d9f1e4d83ce4b96f788b0ac51d550b490b69848f359593f98808adf645e701c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7bf39ef82df1e0aab284340e83c61be1

SHA1
c6fed15365ed8490fb39ca92c1f7d7e2369d7eb6

SHA256
05a3fb062c68acab06a8a25393a53a1c63bbad1495c4cc7f1648d5ffa6d805bc

SHA512
7818bf77fbb2657173ed76a26800b509a28c9befa98f3e0675767cc2c8e607365d0ad3e9e0f92bec13c26bba5326a65a3e5244aa249c97f23055909e0b6fb31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
686a8dacbccad57032bbcbc8ade760d2

SHA1
b5ef5a367cfbc6c2386ccacc060a43d08c817625

SHA256
bb8f9caeab25ef390e77d34b31dbfced400cd2b751bf08b3fb5c9d3d3c5739e8

SHA512
d288339c72cc77c58e2b1d96e08319b1c64ef6b359093b1b48a1291c75686f70a2e30d1058bb1bda239ae506eef6576e807a98cb5e90820276bdc7034c8b7e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c27ae5c158f9ae03e0e2672320084587

SHA1
b7717102bb35fc081d432a21708bf262999dcde6

SHA256
21b997bd32db63270017e3a130372a1b9bea4799b4da401cfcc71831bf686cdc

SHA512
4d2d91e2840c9e1763c231b69b3a44a8220b4e3cf55b3ac64785533e2bc026b7c1d6ae2f4fe4723c60901e651f0fed690805931bdb1a899f94d2beaba0839791

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9d89c9b80ccc57b050cbcb9799303e40

SHA1
25e32a5eb6491f92efc4f0fbdbafad68ea2deef4

SHA256
63074fb7d6443a8cc2b79f4ed2f89425dc0aac9a8115ed08be5ae77a05c3c0d7

SHA512
43899389e2316b20f6b83b91530af33f5379371307e225c92d42bc5db2db43007b3389cda9d7a62f05732412bce4592a1ec5c739f872234137b88fc395028e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
dd28f20a2d7aca8c92afe1ef837ccdf8

SHA1
a1a3367c2f8f2f4bfe1ef64b5a01e2bc569c14c3

SHA256
bd73f0be5ebb183f152b6e5394d374049366a4e44ee03e23b1afc1e888558ba3

SHA512
e78c5d5440f03aad3239628989f7cb4c3d5d306688c49e32ef00cb72fa19fb4f07590c013514cccac5988dbf4987e1bdf057c6a76397964430ea87002ff81d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cac09508dbbf6c2546775bb750029438

SHA1
1a99acf96a9fa1f59e3297e7f8e126f5f3ab481e

SHA256
84380163ebcbd7b0b7f61bdfd7e818c713eaacc98a5f890af51cf07d4f011a09

SHA512
0545b3f016ed2e48771ffe97803be130f2f1ee2ce4d0c9b2df405d12950816942820e7c5a647835778130fbaa1972118ad0400dd2f676809bfd98c0844202755

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
118af7d3c36cb15337cb4bbc13953309

SHA1
0c6e987a0fb544332228aa75dc3371e21fea8457

SHA256
142c37cd0b8f336a92b9a345ffe149ccb1153f6c90f6094dec9cc535e4b06b90

SHA512
5e1c4802f5c0361c378b14dc80f67a4bc992cd3d20270ccb928d44ae19031616898e28e5a2fbb507ed370fc5a0ac53d61a7e566b2934ec816fa522f4af640563

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3fbeba122de2b333832d490413568d54

SHA1
b372c7515f30f0ab07fd98238983d62d3ec19217

SHA256
08cb76baf24be259745f3a03af9159a116951b7ca4452c8869c803501de74980

SHA512
76432e0aba744c3d173fd1c5493594e05e94fae7737761c75595b9a79c32fff0f94e7aef0a89f982a9c464a0ebdf2e9984318d43fa6d76730de8299f3f6a36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1149c9e5a3f358fbf7fed10edd91d5ec

SHA1
737c009ef4882f6ceb13d5181dfed8145e5aa596

SHA256
914edf70d1ea01cb8b871cc5b7b128f97c39c025f63ab8390b089d488ffbb5a2

SHA512
e4202d4e089cbcafda8baca7d3c40c2156a771f2e3e57a7335b71b4e691007e413c83e2fa78d99f16b6d9f941b522e014129a98594bfecf5c55fddb2bf61c72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1b4b179072715ae8316f730cab590524

SHA1
a26884c69c711ebb8038aab4cca58465e1f12acf

SHA256
ad8841fe7e7ce454fef428987a15dc9ae8e335745c6211a065d12bd88b66fcce

SHA512
82f535e858540d32f5c06475e9cefdde537b57d8c79e462e262b4b2703de03f608a89a8e41c7dd799e529bec00d716ab732807069d0574bd39bf4feeff1595c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
414a13f770e112f1b0c6b0c0fd91187a

SHA1
702352f65350238edbf222fa20532f336de82157

SHA256
f0effb456d5c95bfaa25e67574d37c8b2fbc637e4d43f703f3183c53a84e42f8

SHA512
af2729a851b0929615005d9aed8d0bab2d387cb8d7b13115459aeff6eca3caf78c326489b00828bc0eb8a7b08b6a3acfa0d2b2f983fbd205cef7456c9dc5a509

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b9633542f5d33e43756934362dc13797

SHA1
442d93a4aececa5c419d1da2aa057950d411a459

SHA256
bd923ac799418881625f9e3a20bfcc89e4e09d3ad7e50d13688d5a601415b7a3

SHA512
c94fea5dfabcffe89217e22512a7f1f6fdaf3393d563454a4e3d6e2d377789e5723600247f8aecdefef5846d2c0c16b5e70236eff1489fb477d1d172f7ba0b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b59639bb087cffcbbcb82aa5f7eb5d8e

SHA1
69b158aa2cf938c2ca7b149fc88958d79b9e5e40

SHA256
f4fde6c79274cfc67349d0d4e1e39c14d1641b8e724b72e37383aa4149331cf9

SHA512
ee11ca1886bfccdac5a46c8ca35df629129c278c55d3d5f9bee11e3af6ef17041156eb1f4157ff286c42043edce9e913c2c557fbe93651a640e5e4cf690eed3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8973e6c2001e37fa5b93d8fac3686a91

SHA1
145a3540b6fe9ef672a58509e1af9f825070a396

SHA256
74988e7965117f3397a74649c32eb21e41f8bdf9557ae9ca2f8d2a4e7df60f0a

SHA512
84bf30ebfcfac159f8de37aec3f616634b813daaa9e9bf8a1c31cebc640036ab1cd23a9953a380ec5fa9d3340d6f3b44c11b33c92d26d2974965cd230d96fc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fca06f29fa52536a1e0ae3af75e74c81

SHA1
14e9cd4d2f332779530763d4d988f3b6d7af285b

SHA256
ad40f847338c0b5f6982d1ecf52b28e87d4edabf101fe5d8352c926dcdf0ac68

SHA512
ef032d0c7b6ec268239b15fb6396ed14fdfc7b4b9a3a71c20d154743ceca1a7c0257ba26f2ad68108bdc11c2c3b7ac0098414a62f872447af3dc0732cd652abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ad56f21c3b62941319f54d0c16d8c72c

SHA1
d311f31633eb7f77701a23b7396f631880b4222e

SHA256
fc773d22bd595f7091d022a97287a4de3b43ffed2c5e718ff2f384f2ce06da61

SHA512
7020a382f445d5a492022e58f0ebfc34added7b470e5e6df5f99f6fbfdb7fbb345ae27f956ecc6ac0dba34ab516d686072167a8d594abe522a34685a8c9c7da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ae47a10b59be4038aee253f09b16e20

SHA1
5e494cd8d56e8e4bca72e18d669c3ab9f7567b08

SHA256
190ef6167223cc129a2acdceda7615afa88648f919656674f2a4670f8d4aa224

SHA512
c4326bf3948ac897d94175631139779b0ab0679af3426f8a8c1d830a65a5383f9990634ab88118173cf693c20a55184cc610eee922dfecb6042880f3d5abb534

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
807a8ad776b773950ad7c75a88c76f63

SHA1
242fb000a2e21b2f35a62bde9cf9ffcf7622e67b

SHA256
a0990ee955c0372487ec3a41533bdb519f996aa9eb91b4b10fffd213c6227ea6

SHA512
390681926e09665d9fb819b2b1b8eb94b581bf8ac342853a0387b5650e14d86820fb47bdacaf2addd244625903163bbd85d1eb25c26c5c8b6dc9b571dd4f0e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bed5d310f3d34d5c1ecdfc3c86ac8a9b

SHA1
78e44a4f90ed8be1e46dbdb66a8564844d125f4e

SHA256
0caa64f532fa5d017745260d72ca51e944c457ad4d84a3dff9c830e6d8df4f6b

SHA512
0446f8e6cc668b4ddf083a0772b7ea1e42eda22237c924286fa357d6859e2f0ac36c429857bceaa6b13bd88735e8b1990dabdf367ca9992ebc3d94df1c19e8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6bf69290ae6e6becf5bf7f35c54c9ed1

SHA1
2d1f01085859766b1995e9ab5f369425e55da870

SHA256
ee7a491bcad3a1955a8f08c150fefb71c3d29a768a8b6b0596feed263ed12884

SHA512
b10c33550fc55195a705bce39a2ae9a8a208ff7a99257cb2a2ed1455da5a6d8000e6761ef7b7b210f691b76aff020b3ad2d4cb4d05305302e1dd84f9ae89a975

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e0dd3bb51b86f1fb8ba3f431eb3e2e5

SHA1
94040d2347326bc7ad60b3bd6b6f7e46e31d6439

SHA256
8c400a084ddce2d0faafc4baf1b920e3b54da3edddf893366b6faa70eeabbe10

SHA512
313cd90d20b70c717f8de92c928599f1c3902fd2390b15b4ef35fff8e64f2cf124236a254025a127f4a3c26a53eaedd60e10506ab11637f9a71ddd31c4ab5f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a6c925a6175046e182c2129a237d1cd9

SHA1
1f046dfe6071314e5e167d82cee2eb0b970c7a07

SHA256
8a4e038da0276aa7f9456381cebff28530da094d3fbee4da7a9bd004fd3f8f9c

SHA512
e1e5997e509c2f6518d357a948a6988fc4fd4874131971d1b5acc32da1831e727e56847a82be62556f045577e8c80c2ffb991c27a5ca09d98edef4c3fb80995c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4936ac0804e1d47dd17f73630553b8c2

SHA1
df98a88e52bde00281a25aebd4d3e3eda481aa49

SHA256
d0e12bbd5ec9b00f3f9fe973026966bd8a96f86b1f60d4624c858973c6b809ab

SHA512
000d29f450f8567d65248f6077fc109b5d2653bcd162f987a933de4bf6e7a860ca80b4fabe312d9b35f8e9fe990066033360b0bd26b8c4853066c1148c153e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b4c44f70d964c55ec0dd279827dd9d1

SHA1
6bae7fe9d7684f8cfe55e9516ac42dfab0d08dc8

SHA256
f85fe463b9d7001528572fe2fa22bd8c59712ae5ccdd870ecdd64704a9351b9c

SHA512
77370426bbe4e829d288c661582ec547be2442ab1e71ff904b82180f14ca7e4db8acf3ad9ce0d2746a3fd32bf962be4895a8b196bdce81de519fc88cdef978fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6bbd63b9da079c78729ef52b2e712240

SHA1
d3ef114bef025e1de138812218ea6bfd736b9c76

SHA256
5b13aa9663fec27b2e7a5edfc3a26420bc04163373cab28aae79025019363695

SHA512
d7b364a351b23e47a19d798325e8cc9b8a5e5685039016c30994191a06fa3919da56fb6ea033b52ccab505b0047863a7dc82587d656fcecf20b9e0b4d15a0ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1da9c5a4366c423afd52499f672a5ccf

SHA1
3fe8a19f0ba64de453e4e7c746467ed00c858ef6

SHA256
db6ebe7dbd45964a3a4320c264d26b804cfdd2b2be8bc368def61301ec72b87a

SHA512
903d6a814b3c855675f59662acf76621a4b5b7d7d7222aa448cea93408277c246be49abfe6ecdf08fd73a1e306c64574cbc88bfc0c15258e79e14e1a099ff5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
477287ece19d3dd67b4755ef8e2f6ee6

SHA1
be8dcb4d6fdada9c06c1a10c6e1cec631083f645

SHA256
03841b7c27502c086663702ea95b49c13963e64fc3d3028db9492038435b5063

SHA512
b1c725934129dc761548c08200e4a27739ad5e660d8f2541437f8f4792f7fd0e48e4a65b73bd279212b300d9b1da817eac467cde6b130f185d20a4d8e32f9c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e20391ac754bf147ef9a49d5bece4f4

SHA1
b16ef6a5f156f33ac0b447eed21667d91016c0e4

SHA256
5388316888bee666bb04d014e7da1d0020d5c67d79f1c8ad2e710dabbc61a26f

SHA512
3d4b3407e6f0f1ff47d211e629eca70e8ba15ed8e261c3a26bc57cd9bfc0a87a4fd9c0d5a0408b1a658f9cd7584bad0741abbeaa1b1d8b2a3e2e22702061e4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a74cea910f5ad5ce1fec774f06844ab1

SHA1
6649fb1b55c92e1250844fe6ad516996fe1187a1

SHA256
2a62a74c6d43417e8fbe7f6c6dfb739a48c16aabeb27c4a9163ffbf757607fd8

SHA512
6c443aa031994f84e89d5269edf965659759c8e970b28b72815e49adcb9fa3cb69e3af00261ed61d613fa29349bbdcd57c1d16bf1ac2a024a7d04bcd00e616a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
84fec10ee0ff3781b219f99b9cc027b6

SHA1
df1dadb15fc47ca7afff0b45214c2547c916de59

SHA256
156f6dc7ab185fd6f20ab149d7e253345cd35b8a6c37a3740d583afc3f85955d

SHA512
da5df499ceffb6bb9831a662d0b513bcd785ac389a6c93aa7530cd7379673eaedc321cac50a4f356b5567dff62b1e78d0fae40f88f34ea0e4351396c504f4b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d3c9465a316a0532e7675e81fcb27cad

SHA1
a845c78c288962566cd8f3e1e8ec4683608df995

SHA256
02c03edd681b851f6dc2b683b835ac2c1460806144f2a78f5e387afc5b8a0ab1

SHA512
7f4a87e6c76b12833ef1a29a0b80632f70fdf0c7cd1912a594b6f65b99e6d24e97b531dec777ec58e88d57fcbcd857d1bad2acdc7ab2bcf415d25ac2d690ba50

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\??\c:\directory\CyberGate\install\server.exe

Filesize
351KB

MD5
44515080c55fb13c81e26d980bd69e6f

SHA1
5d638f9fc59663fe4dea617713ad5c3af14eeafa

SHA256
7c34875159ec92c7be9f101b05dcac2693cda46b95e321f939fc1e46f951e868

SHA512
a4d19d09bd4c5b2a4a8b38f6c315900f6353981b511d7b92a4bf8a553192816d3f7e3177db0fd65b4b7a8cd1fc17f17f93092d1ef534a2f4ab7d096d368eea10

Download Submit
memory/2248-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2248-71-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2248-70-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2248-94-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2248-69-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2248-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2248-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4460-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4460-66-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4460-15-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4460-72-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4460-4-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/4844-3314-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download