cybergate | b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b

Analysis

max time kernel
2s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FrostBot v1.exe
Size

264KB
MD5

cf1bbacd8ef9fec5e72137d3da543401
SHA1

5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42
SHA256

6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3
SHA512

b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94
SSDEEP

6144:Xkkog1WPDJpu1DxZXn/GmVuXNTaGFtWJtk/WgGF7hK:0kd1GDJM13+dXNTvt6ikK

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

remote

127.0.0.1:999

op9.no-ip.biz:82

Mutex

L0J8X1U03TC2TJ

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
csrss.exe
install_dir
install
install_file
iTunes.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
12345

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\iTunes.exe"	FrostBot v1.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	FrostBot v1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\iTunes.exe"	FrostBot v1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	FrostBot v1.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{385Y7S21-A5XN-J72R-3D2G-268O1RI42787}	FrostBot v1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{385Y7S21-A5XN-J72R-3D2G-268O1RI42787}\StubPath = "c:\\directory\\CyberGate\\install\\iTunes.exe Restart"	FrostBot v1.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral16/memory/1168-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral16/memory/1168-4-0x0000000000A00000-0x0000000000A5F000-memory.dmp	upx
behavioral16/memory/1844-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral16/memory/1168-72-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral16/memory/1844-70-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral16/memory/1844-69-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral16/files/0x000a000000023141-94.dat	upx
behavioral16/memory/4468-96-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral16/memory/1168-65-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral16/memory/4468-98-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral16/memory/1844-1187-0x0000000024010000-0x000000002406F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2224	4468	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1168	FrostBot v1.exe
1168	FrostBot v1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	FrostBot v1.exe
Token: SeDebugPrivilege	1844	FrostBot v1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63
PID 1168 wrote to memory of 1844	1168	FrostBot v1.exe	63

C:\Users\Admin\AppData\Local\Temp\FrostBot v1.exe
"C:\Users\Admin\AppData\Local\Temp\FrostBot v1.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\FrostBot v1.exe
  "C:\Users\Admin\AppData\Local\Temp\FrostBot v1.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4468 -ip 4468
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 568
1⤵
- Program crash
PID:2224

C:\directory\CyberGate\install\iTunes.exe
"C:\directory\CyberGate\install\iTunes.exe"
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
5cb9357a7e2bc4628798c2fb20ef19fc

SHA1
4b301563f57254e6e14544319c2da4d91b5e0044

SHA256
5c44178a09b2c14310c89430ed21464320946569f5bc2f30399e212b5da5d7d0

SHA512
83940a26e9efafb80f4e6cedcf23019ab84849db4e0b769c2b7792df9b1431a0d8d5059f996189a416e977e5147330f13752af4fe68a91dc939ac5f1fd2ab37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0d241da75f4781b06bebc89e5609d5b6

SHA1
5620cde890a66072007ca95369f3315dd8379538

SHA256
ac21663db13c87bbb24c91721269ffa37110b6cd56e0c6ffdffc1203b89eac7e

SHA512
9d7c305dc58fbb02779bf21fe1f99383080dd6e53acab6cced55ec5713faee4c630bb01910bd00b85ad4def45e21e866332db350f4255093c562dbab3e3583ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ae21b946d7ce2fc7e1c3aebd5f19b24

SHA1
e39f36ed3ab45cff1054d0bbe104394db1057468

SHA256
7a0512d91ea13c6aa9b5d34838bd1418778c528df7f0f2e090d7dcd08a6bc4a8

SHA512
53000bb37c91166220ea2ddc9869c4c408660f751bbf1e79c75f0b5e49ddb39217ea2b7279896c30b825a8f4a1d363e7fb50074c3d0a23da9d941fc86e160e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
17de780c9299e7844bbaa0f8ac88a6c0

SHA1
db3fd2a90b42441b6346b59f260287dfe773ae28

SHA256
a37bd073de2c6f080fcc8818971bea2eacbead43e994b67c0a3286334aae721e

SHA512
6806f02245e78faa92dae1be211e7e410a37d79ac0060762d589ef709cbd4ec246394498a496152047b8f89a43189ffe6437b03e4fff5b50788de03b4360d307

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
90c187ed665889ef4fe4da5f31b4da01

SHA1
c56c6e13b6fa7fb0d674fdf7c507c87e4fdf9837

SHA256
8b22818b615a7dce83608af286a6e5285779782068618581141f091e85246603

SHA512
8a89c20a048456c95da6d58427b28c329a3a25f0a12bb9f260c1fba1a6f56a549a4496f0281874c3b0f6d87de4aba8e6f5dcfaca99ddd6759ba2041d2a0ef927

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3c73b2ce96a3891e3314da21ab142337

SHA1
d370882cd85f5240d2501a3fcb7b55c8471233c9

SHA256
4f1c18587a99de4cafabd68e52f14c4a212525e691cf8f890ae5d72592a5985c

SHA512
0c0e7bb9fd525291419df738806e5be91d07a45cffa62e3f0130e9de83b2d99958fc02d1a9c588bd3c302b1748726b2a3e409a395fae2337014a5bcde87bae83

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0719bd92c85e3496ec0977cc446f98a7

SHA1
b613da77369a49199cd0c6ad2ce31443f2394f2d

SHA256
5c29d8a1f4f7001012938cd95d297d283b2240f7af40c8f6ce8110bdf3dc2754

SHA512
0cf789c07be6849906ee8604da642ad420bce68fc81d1b98aa8e2d3ab3289dfbdda5ff7d8f0d3515022eabdf2b9a014cf35d206f53372bc792d65485c3c152c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3077439b44f5947de51735f587bb9ca7

SHA1
35270a0feeef88a8dfec0034865f97365a1fc2e5

SHA256
85239a531d82e43ca538dfcb10bef1e3b4447803a3e8b26ad3814353c120388e

SHA512
acbceafee2f4008f1c86678efb4e7248ccd8dd34fa7695b7ffd7a1875d5c8e83b1f32bacb6b8d76bd45f2b553edfb858d04581f1985a7a74f35a413cc8805943

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
02e9baf7c85a537dff3a70da3df4972d

SHA1
ea6940273a1e73cbc48d54458bc9a870f79fe750

SHA256
05b5625875c1dcaffe454c542cb506d4a8f54f97bcf728d3193c8d529f9abd27

SHA512
985f2a451de73514de1c54158d4ef0bf707beb93a9f553184c78e29ba79e409c0d6d36aedf9ca27617990bbb50a0af2c2c0ee27f62895e6632adbe9a51a6924a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
86eca8800ea449715be20412d7a8d44e

SHA1
9ef634db32ef1de7b6a6e6bff2eb42a20b56b914

SHA256
850c407e87020002f418acc754ee82e8c787b2a3810db0c140dd7914d2323e53

SHA512
19ff7572bbaf3398cf8d34983eba5803c03257d998f614e379a19f1174b34659f7857c55d330889175136e3b4622f72dd0452ed4660684735e4e99a62e6e5cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
517a5e57397ef90caaf38dd5301c0e90

SHA1
352d5ed93da23965c0cfefceeb865d39961ae889

SHA256
9e57ce2f588bea3d91275ee6ac8738ed54ef4f258e59cfa2548089e59375833b

SHA512
ca8da8a038f5e30f71b9bb7e84cad2da147946b386b02f86afe84ecaee8ed7ae484e29c6d3fb211e0ff42766be6dfbb18a63d0df571d3d1426faf2adb9dd84da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a9e6adbd97414acddf740ef7fcd511d0

SHA1
248380c566726c3517e23c35dfa402d3aec7c44f

SHA256
2d714a836c9c106a39566318b7a08d416b875297dc2079a15984e2c67b8b44ca

SHA512
809982a4f48e3f555a7f21122b8ca4d986f0306117a60e18ca4376255172fbf7bbd2e7ed2ab5c8139c4dacfb1fc3c10408e5db0003d3d2b9d332bc6b814a4816

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
04f073de091e247618b2ddf634d9a967

SHA1
17c67e12329aed4662b685025a363d42374f560f

SHA256
a524cf4521e7bdd3f7f387d2e66fa1252cec431aa6ddc64e724f607f79cf194f

SHA512
0204bf353eb85432c8a71e21da96899079fb54ae60b709ce7b184dd767db458183be38077439516c3467b94e745f44f78e4be3622525e58551f2377b940c74e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
541c6bdb2080f87eed4087a2037abe6e

SHA1
c41f02b6d87e8f08756c7b8bcd0bfecee2869034

SHA256
c08dfe5dacac2beceb902760bd8a2916520e79c7e5c3e24735278242da66de85

SHA512
be29db72f0d8492d903bd6170e5c34e1bda108f1cd60c5f425127de34ed141ca46f5098a2162731afc67813fe278ae7c6f0e5632098ba506390c7e5fab5b5105

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f49152e85778b700b428311381d5d819

SHA1
2c88e1f29b778b8ca3d5fd3827653b607101af19

SHA256
f447c673ea20c4a3d295a3b76f5aa153bf5f9f6661e5eff0a8beecaad355be9a

SHA512
d9f1c542b9066ae23a68e211a9170ed2d693b5a19fcf6689b54c3374a5e29fe05e56d3686fe3bc09b98decdfd66c26df2863dcd4fbb1265b29056bfc0ad7600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b9d5a502f4bed1b8939e2221d0c52c5

SHA1
60ae20f1900b5a4ece671c84ee4cd8d54c7a4c46

SHA256
9e5b03cdb7e4dd484268d6020d0d13b50f3e71041a686a31e3f4c3b5eb3b1770

SHA512
f0fc2ad2647498f3dfb40bbbb68fd1b154900be8a93b7c58327bbae47b5b58570d8aaaa295472655d31e1a535a9fbaf97165baadc85f51009f793512ef98b6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e524e3d469e1ba8129c119b309c49b6c

SHA1
38c8beb9982d6149ef805f8e2364497e2f0b994f

SHA256
d84e2812d871a0ad9c1317eeeb9578df3e2df07b846d778c3662625d1817deaa

SHA512
b2eb8c1b3ec730604218f1f5f13b1d814fce5d3e28c8158d456dbaeda09729b9da57d2e9478fd5b1a05cf7a44297a8f06de0a2fd7ed9c13a82ca514719e34198

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f9d381c008b9f0357a9ed45e70566973

SHA1
4c51bc2951886967f40be445f7bd2f9e6ccb335b

SHA256
5b04ad5315b96ce41c253721e24655232467fe5bab0a7648e9695964665167e5

SHA512
625cd03523510287936b1f1c1c71be2e9982b85dbac564a5382472b8f31108cff2b7c9393f6c4995eaaf6b1657f92db01ea25f3ce8dae4e699749a3eb8da6bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c37aa5292f27b14ec09f406dc04ee114

SHA1
6e997d70033f3e7e68c252f23ce1c843401b7db9

SHA256
4cc6a0c8e0199fb24247e134e68e1fe8da00a65e6c3c34fcd28f3cdddf5e382f

SHA512
dd836d5b825b685a31ff8f2bc4e1ced9830930f616c357a68ae820ef4f6aa11eef36bcec50262e759bae3fadefbf73e0398e012ca158ea6d186b797fade069f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bf0a4e4c549aece83de2d31e89cee959

SHA1
da6c86c8e2c6628d658bef21740f7ea07c443553

SHA256
bc7776768abd3a7bef557e250977ffdd084939437d6bf4bc5642fd5714a4c1a8

SHA512
f270c28994f8776ad0eb30932b4323f2a11ea007054d37d3b87765968e14c7952e9aa57f0721c48bd27a0a583af9afc081c2016fd77bbd9240c0601056e28f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a332a44f30043c32530ba07dcd1b8eb

SHA1
7958608f27936f0fdd383db85d4fa30191adbcce

SHA256
09784eaeee4d4db9dc14362ced093b6b8fa6a4d0fdaa2acf164d4b5d91d89b2c

SHA512
3766132148739617a272a55a4f16e6c9409663d7035eb014f0d361bb15be7356ba50f24f1dfc254f6cb8c50c5b2ed4916b124b67ea2d7bb1e0e91b056468a63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8c8ec27c45864081120055efd23c86ec

SHA1
344d1c5726533c87a9010a1f04c7f6b0bb089bad

SHA256
c86565949f9727eb9d7b4d3813ccfe79bf45bd9a9cfc7c90c0c3f19b4a45f165

SHA512
2bd5d1ddfb009359309ede2a20ca95969f1a13621ae460733cf148842fb57b6c157bef93eff42f6a2978c735e7bbf17900f0609b0c3b06a4f41c5aa080992504

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e23b7e1c6598aee31b72d86608672a9c

SHA1
902900004b88cfbeed11946c881a4c3090a82804

SHA256
b1b66ba44b666cc9792ca8b68b72568426ca37c591dbcb1f967ada50aba0782a

SHA512
00f113dd0650afda18a0e09a2f8849d1bbe3b8dfb365777b330d9322e95c4d8e0dbd53c96a6663ccf87dee5b058e7390fd1844785eb27a69986b84a15fe32ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9e10716e005267e04561bf39a09dd2e7

SHA1
b57eb4d978f415bdacdbe7a2035a2701cddf6fd2

SHA256
44535034f59442b123f91f76a19dafb457ee0fda63485b0b4b8009d451b3a3d4

SHA512
9d18f12c07dc85513b24df2410135119b1b12282e453f449100a48845dcb044209c9ec52ab06c147c8e10e6a9c022386819533133907fdb464ee214782cf319e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73d8e0a71fc076a959ca09c66b87642a

SHA1
2769cad4df97bf20c8ab9c397d35bf613843ed12

SHA256
6d780dddb15bb426798e54d394bdfb57592fc1da4c6fbbc2f8f44db3cd90ce45

SHA512
d006ac223b5c61891ad117cb3514fbc985860c6e09cc611be870c235eca249ba7b23fd6b294b7d6e0f9c7759b71eb25d40aa94a28fb7326a9f86a596797e505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
83da89df83bdca111ad9c81b31ef4505

SHA1
837ad068789175fe86fb4fc75e9552a3dfcb160f

SHA256
45203282e5f7be82bd06aee185807c355f2e93ff7e729ce1e57e0eaf9920c116

SHA512
ee52b4b53111230d3b1facd5baf98e23a4d12586d52d1e9e38efba1d1243c8340fc728d0051e0be7e9fbccf27e866d1013e155299e15e1e310cc4e3992fc2b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4da7d3d17840963de95c35d174722f41

SHA1
aa61333c187cf6fb5947dff5420248e952fee979

SHA256
e0ba85f9c2ce3e6ce967a6c824b8351ec05253628da9711301fce27913462bcc

SHA512
a16a4f050a39a97dc31392c69908d80f63eae9370580c72a18a066d8a7300cd2964bcfd0dd953284e1ea6166295fe93c0ebead647289025d6c54cb050b7f4faa

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\directory\CyberGate\install\iTunes.exe

Filesize
264KB

MD5
cf1bbacd8ef9fec5e72137d3da543401

SHA1
5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42

SHA256
6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3

SHA512
b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94

Download Submit
memory/1168-65-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/1168-4-0x0000000000A00000-0x0000000000A5F000-memory.dmp

Filesize
380KB

Download
memory/1168-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1168-72-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1844-1187-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/1844-70-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/1844-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1844-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1844-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1844-68-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/1844-69-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/4468-98-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4468-96-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download