cybergate | 8fec89bdcd23d8edb8e19f99d27f87ea2972146018616373d69dde89a7ceced5

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccfbbf955d200fb73cdede670bd27bfb.exe
Size

656KB
MD5

ccfbbf955d200fb73cdede670bd27bfb
SHA1

15a0f439c67a27668b810d68019acba2a82f5425
SHA256

8fec89bdcd23d8edb8e19f99d27f87ea2972146018616373d69dde89a7ceced5
SHA512

17af5eeec8b6b40f9b066fe12460d86dec4b1fab605ed4f4cec5a4878a1eb5581a4a49d0eedd85527e9ac8bbb2343d99dd1275ee4da295244712051af8bca486
SSDEEP

12288:/9dcA25yU5AN7a1GglVW15fPf3sXttivvF3CaGK3UAWmYy32oiLULA0GsChP0Iq8:F32CEh70nf2ttWp8db/gK

Score

10^/10

cybergate victim persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victim

p0rn.no-ip.biz:60009

Mutex

0RT2BS87E14YAA

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
win32dll.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
loveuse

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\win32dll.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\win32dll.exe"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5R02H5F-1HC2-W514-2465-C1QYKE3436BO}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5R02H5F-1HC2-W514-2465-C1QYKE3436BO}\StubPath = "c:\\directory\\CyberGate\\install\\win32dll.exe Restart"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

win32dll.exe

pid process

2100 win32dll.exe
Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

2656 vbc.exe

pid	process
2100	win32dll.exe

pid	process
2656	vbc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1284-23-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2656-391-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2656-1303-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ccfbbf955d200fb73cdede670bd27bfb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ccfbbf955d200fb73cdede670bd27bfb.exe = "C:\\Users\\Admin\\AppData\\Roaming\\TODjrsqvgahLY\\XnrulLaTDkmIk\\4.15.41.8308\\ccfbbf955d200fb73cdede670bd27bfb.exe"	ccfbbf955d200fb73cdede670bd27bfb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ccfbbf955d200fb73cdede670bd27bfb.exe

description pid process target process

PID 2104 set thread context of 1284 2104 ccfbbf955d200fb73cdede670bd27bfb.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1284 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

2656 vbc.exe

description	pid	process	target process
PID 2104 set thread context of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe

pid	process
1284	vbc.exe

pid	process
2656	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeBackupPrivilege	2656	vbc.exe
Token: SeRestorePrivilege	2656	vbc.exe
Token: SeDebugPrivilege	2656	vbc.exe
Token: SeDebugPrivilege	2656	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ccfbbf955d200fb73cdede670bd27bfb.exevbc.exe

description	pid	process	target process
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 2104 wrote to memory of 1284	2104	ccfbbf955d200fb73cdede670bd27bfb.exe	vbc.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe
PID 1284 wrote to memory of 2588	1284	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\ccfbbf955d200fb73cdede670bd27bfb.exe
"C:\Users\Admin\AppData\Local\Temp\ccfbbf955d200fb73cdede670bd27bfb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\directory\CyberGate\install\win32dll.exe
"C:\directory\CyberGate\install\win32dll.exe"
4⤵
- Executes dropped EXE
PID:2100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
ecc3b91fcbb54d719b9ae3cab7d9fc9f

SHA1
c0a94105c4ab89269d51e1d2c0d8988023cb1ba8

SHA256
718682493b8be4e64dac236b5cef8a201eeae5a5c7a9f0525360a2f69118a88e

SHA512
3daa88d1c92c7813d9878b32f40e90bc419ce0e00cdac670d78234545d0fc5a5da59d2513576adf4497c331faa225e03956fcbb672075819183bc72f32646215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
bb1c98cd9de0690fcd855d8673aa6dcf

SHA1
18f2353c92a4479181e8f864be7159d847be4fb7

SHA256
ced6d0a1663484bfe1cf0b5b670e09aeed07b9ae187c368f37c19fc90dcae109

SHA512
eb131e50162f58fb32a7d195acff450d2726ff89ebaec572e4d7959d7d6eb1c33de485c920603655ac0a696e520f28ffa55b9740bf4f6312188025911d3abc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
b34162b8d5962a0a4f8562ab8d5d0086

SHA1
5d5c5d05abb017ea468bccaa47ba1ca83417e2f2

SHA256
1c411869186db643984db93c09f7c028f8a5057f0afbc5ed6583aa127a8e015b

SHA512
88976126ad230f05e2a5611979c8688309bd303b907979c36ddf22eef424fb94c212c200816489da5e4918a66e09f49d8122fda9749bba5b5951db160096fc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
06f3fa1fbdc53c9e760607919eb1ac17

SHA1
1f12a801c4edca6bdb183305ead80790f95fe352

SHA256
5585ba49abb6ad1ebb42b39d5c8e5c4ae4dc21011e6ad97050b5748d3242aa21

SHA512
52c0f4d94c200e4725c0b59a12549f60f111957dbf28b56afbbb6cd0b2423ff5cc46be306f6baf5e3acf27d6f2baf120dce54cf0f07ed5836696ef290533c363

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
0aba3d3d651fb1b2351e98fc0c604575

SHA1
142931e058894b021b438197cde88cd30121dfeb

SHA256
de8b77f88993b8b2e25550f947d912d4782dce45186e2b7400f751d2292e2ff6

SHA512
a665d13d2640defb5875f2b00b2a7473ddb4fe0c0a6755b2afe74ff4eb9f4e2a8c7dececf46589417b6fa05e0554c6761b521025f7e7ec66d0961064682832ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
a087934d0f63c3ba5096f880d1c937ca

SHA1
10728a0b989a643ebc72f7b7580985052c0fde2a

SHA256
57504ff0a3db0ee2bcd665949bd7a739f1051066fc3aae9f0d3e55e4c89ee587

SHA512
6e13baebeff305531c40de9b16a82c818a445eb153c02f22279f37781ff1307d7623d8fe1509b30c0503503d3a4b88fd30acfabecb0b4056903c0729932a1656

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
c710ce0cf3fbfbcaa61730721d10d567

SHA1
72195a9665b3684cd51bbf37aad1b053277ba0b5

SHA256
df4d5c467295c219a6d99a6d2c78b8b74141591214fa3bbdd7f2582014fb1901

SHA512
f8ccf23a8820c13172af1f82d1bfd7dc2c0d44eb5c8496e91f3c8b40d63e87d68401c29e89250b5a6e6e6870d00a3fe1f2ef4c2c554fc4c89cc5039928c80258

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2c230baeb9c1e7980d7e5200a21a9d8b

SHA1
54ad58e3770970dd8740895c3c1893bc6320271a

SHA256
ccc934f1e68369b4861e54e5c431513d909c2b96d0b59735722f0269151db891

SHA512
06772e8ffc4b0440cb73a76170203ffd15f049faedfa75b3238d27a53dd968446141129213fdad0dde92107922dd663179d0952e1b6c2c4679c58e76128dfb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
673462694ddfac34e8471c1d98c07b8f

SHA1
805c0f9e21f1117b122a8968c61fce87b75682f5

SHA256
9451bc823bc19e101a61caa273845986366fee61adbb9fefc040758045926b53

SHA512
f98b4bf82347eba110d0838ace8fdb8896ae4e76156811009e6113c100c1d3bf0f57f0c0efc3c93912a16428b8879a1309e6ca94eb4a83f958c92face9aa701d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
fe8650e686cb4655aa4a9cc8f7d94437

SHA1
8c27ad5c7c1f4e9796c25b371d530081d0daf170

SHA256
af9e4a7d37eaa539b4673200de6c596300e547580a820f83e0851a3153db827c

SHA512
bdbb01e55b20dd792adf9c54b4a4b9187ca0eff1be4cf18c0d9ee70b0f734594f64f13c043595e0592f310dc915ecac2aca54247a3f181c2fae8ddbbec6c5bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8a4b56a5ff15c8a0b0efa5bb3c5131ba

SHA1
04779bd6a35b638ec440d998e1dfb8ffbfb479b8

SHA256
d4ad44a7663348b3c6fbb77770492e615826da4913e6a4f2b92e4853534065a3

SHA512
c6325126988d1a910b5f5ede65681ff6a00815445a62c5f6fb41a277b8dd175f0fcffa4d7dacdfce7e75f1dd57eb6051026fd9247290dc2c302e812acf0be089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
57ff3ec0ff3eff09a1d66226c1297e68

SHA1
3eb4b6ea219a6037f9eec14cbc40ae92dd638311

SHA256
aabc06031b24aca945473a367837533765aee4a25dfe27b4bb9374dae4263901

SHA512
ff01089ae6e5d0f2e3c4700be8f751ba1fa405ae897ed4d3fdc09e3c4839a982bfc84f25f9d2377c596ef5654a4316c47cb415112783d951ce41ceae53c62f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
055da5db4f2bf7fc1feef2dcedba24d6

SHA1
82239f841469cf68ff51472cccc256d4ebb761d1

SHA256
3f23b4839c60f91450a18a01d9feaedb0b4d57bda1c286ef8504428da8ab8c9c

SHA512
d505e42162273200c7ce444f3a3e1eef93d256b40f96dad35cf20ea18e8077bcd5b85efdcd26d66d268534cc3972a8fddac00664955910bf9aefea4b4c3b50df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
732cf1a07b8908decd7c1fb37431ded8

SHA1
a1929b4c9a51115244becb5683cede134b62e721

SHA256
817de8f47a3b53811b8ad1d314311073dea9b064d4fde2ba600def47ec88f849

SHA512
2a4459cf1226a21002bdaec6ac6db9f92fa2db113151499443c22ad320eeb283a872521554b13b7a54d15e930ae7ac2675ded4f3577aa006d13e57d37ec9d85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
66d50929e7e18069f5c8a60c934908b9

SHA1
4510607545f4a565c571cc281b0c0c7c7b802aad

SHA256
a44ce2c55683ef966f50c8cd309d2729e48d41eac0785f75c5dc0e19125f7449

SHA512
918803d67c7aecaec1ac48b004c5dce4b27d0bec5299963453b8ecf39e43d5792dcb60ea22b90f1e012e3765adab53dcb2a3e7b42179d8e0d0b695d502710558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ab84228e4fe5909678c160f707c5e3d5

SHA1
3f34d97cfebf963d100b77f4c6dcc885956e53b7

SHA256
7fe4da9a1cd7396051670f191caf5599c940280aba43ed77e11bcb6cf18a6bad

SHA512
75c0bba9d5c4ac1f766c4f9a5b969851068289d24337eb1420db48ac7fcbe6351e4d86ad72d5356b0efab81187a67428bb274923a19596cc806c79263effe681

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
d15abfa70b83f616516e568820ba94a6

SHA1
949248e2a6f00cb5aabf641e9ad0c7fb4dce754b

SHA256
6ba4a290386d1e9d52449543decfb8a81c3fcdff3cfb344d4d4c9fea52eee2d9

SHA512
d20970fb516691555f9c6d671043c152658eb102458d4b89b81afcf6cb4ceb775ad23b3c917ebfa9f56b8c2e1b517b5070fdf5fad5dc1b57c9cf35cb52267b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
5c96e776ff543a6f8479da2348a7f4cd

SHA1
32ed7604dadf336a3d67896d816c4c13845d65be

SHA256
da806ee9d4b70d9a3f5a3ba226c9c464d95773e2b25f73160181d18987c617ef

SHA512
2c567748914729d5a33fca9b626cab4ebce6bdf848a27c2dff54517b5dd066a8c9e53e4e960f848e445dbbc44d91166a7dd19abcd0c808b90a6d406b6d52065f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
cf859453d8227bd666634d13649f08f1

SHA1
421b050fcbea0d7b73163af53154ad4ec2ef8fae

SHA256
43ac790ae2b41f508c34efbd43bb99885c4c00a611027ada34d1345f1938dfec

SHA512
b8f1af1ae203327836684a0168f13077d61e48dd4c78b0bb1a69aa10fc0d0f9e46f83ff11fa69b120dab9c49710da8ca8275661c042f22839890023e90ffa6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
4bf70bb09c5fe863a35ee28f32dcc49e

SHA1
d4bfaba72117c96600c6b1c871e740c8053e01df

SHA256
3d263b54e1bb1dbd92e2c2f5d1efce7381cfbf8326daab60a56497dc96403dac

SHA512
f0e3fde4326abc31b462a417eff69efeca30bad7c726d4f867efd8f17c8a3cd146e2a327ab3c4bd166e67eca174ef64c51c6112a648afe5164c61e08055c5da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
eb5d2da7602df656d943197ed1feb588

SHA1
1e607c55ee8f0df76af861fb1cfa2adeebeee74b

SHA256
b596dbf72c6cf161b726557faa60e9d75a081b8369c06d2dcb33872a77113244

SHA512
4194ce1edd6502a112bb36f8c3dcc4757b71c7f21651ef6d7e1222ac28e28a39fb55ec386808261b9bdc66c3319902b6eda4688834ed4d876156096ae283e8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
43461bc0669da4daf070270601cada46

SHA1
47520b15ea2aa3d1913eab8e8f1f754828eb9c80

SHA256
eff4679010bb717855991c280fe81757991363998aac2e1abfc7a2e68c1b1bf8

SHA512
7f1eb8934aa5683748edc2672ea4ad27758219db098cf7fbe172780573ef4fcf17a948550112fb1d961130a3cf9757e9c67bffa1752432fb6b75ca7f9344b408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
0ba5dfae924623e354e4a185d98c5a51

SHA1
77e2c3d0ebc11f4312e6c9e55b45756493851f43

SHA256
49867a3f6f7886feecaf60082bd37559a26d75b0e9dd6c6e117b2def295d09e0

SHA512
2e5002dad71b7ada19c16900afe2f1e1680e2ec0798d3224fe8b0e4e3fdd6fd3cd90cb6b8b54c277e5c5d41c0316182f6bef9d17aae5e034136c71dc6faf9f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ce43a236faf15c55bcb84666b679612c

SHA1
e49fb6ce3ec95706769c1ad7ad8eb8bef596d6a9

SHA256
f3f6333a39cb1c4380d2dd9fcaefd8f1b3a992fe89327b013a1a0e793cab38a2

SHA512
3701ef21199662294f07ab00c09b34d7432d5540fc8f1de9d638270e5bb14f45aed91f736d406bd280e36d3878a50451840b476076cfb9fc0849eabf9eae809a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ddcab01ceb0dc888560c9fa3ad13c172

SHA1
ae568e4c4ca7e932f0805715f476c977d6869e36

SHA256
91558d8bd6f1e6875dc61e63863a2de46b377a962eb6b4c7a2c000a52981a16d

SHA512
e1f453bf64371a2b77e3b422b056574ddbef9fc142aa62c8031ef25915127bce39e77854f95fbf1d6d0cc0da58138c84e402e2c7d01993a57a505e516d57ca39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2d5695cc7cba057c0f7e879530c63bad

SHA1
98911a7f4819360ad3fca193496c04646278e9d7

SHA256
9c0702addd77cf3aab7b9feaef25da7a648c02d15e398a278c094d511ca8072c

SHA512
c42924ece462d2fc2382f1ac04d64ac7e2a5bd7c9707634eeff2f19ffeb0def1e2852d060c14854257fa19bfd87168106be8393310e8904b8c1a90647bd0bddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
db5aa4bbb03cbcb069eed94bf472dacf

SHA1
a68940bb5bc91fac64bdcbfd50769f29a5cac5e2

SHA256
3d800d63eb07c91d4dca224a3953c394202d8a67e852895aeeabd205559342ac

SHA512
1f827778ee141ecc2fa3b15ffaae8c5a978a61586d217c66f44d909941caa7d0d7fc1d745ac0aa25fa5fe2916540f79fb12272b0c1659e98a284c2b5bc0ff3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
97d42f587c24bbf4b32545b7919bd705

SHA1
fbcbc146eee887502dc8112bf980b0d9a8d16bb5

SHA256
400c1757ac725e8942a99e7999d9666100feac03d7a049f7c7f755c514e2f3f9

SHA512
ede9e31d96e559105c33843728260061ccee872628d5896d07ba907fbd7ef3a2475210ed54380b9ded2559f3b28c8dfb207312aac726533fd2700c115bd2095e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
bac3d772ae22d88b3d7d051b4ecfebc4

SHA1
53962ee32b0a8b4209db077609d83967a690d5ea

SHA256
ea38372085f3a3a45e3fdc6eb1c1f2442651e7bc415d5bf4058f87c95215e459

SHA512
118213d47f4786173d620a5a95092dfdb013aad53cd7922f36019624585ded8d379596e12fc9229a85269a781165a6cb018cffce92cea1e711a13b8d2a844857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ee55c6abcfcd63b92eb75fc946ebcbdd

SHA1
34622554d000a2bc2471f591c1d0885c91b231f6

SHA256
9734f39ba6f82899fc283ae17a8191146e17200bbcfe943255f35e0151c45577

SHA512
5d0d1b66f0a24e21c10f9df1a4f3f0aea7f2e745e0d84c774c4793f0b13506857c9471c444bbbf03f7a429f6e2b7e670b8b0505b082953514270163299bb0188

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2728102570f04ed375b606a4d4cb7136

SHA1
3319500bc0f7c2a27170b070569edd190361c90b

SHA256
d5bcca833549599c216c5d745e875e065cd1d0b439a72e29070fd19cb65ba6b2

SHA512
62b20a8687a6c1bbaa61966cbb3fdea21df54423452cc1be02619e685e606e413e724eff37cade6e924ee0813d4536ed73b387d55aa6b5557156ededb0c8fa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
839064e428ec5f2b551d55cc8cf4772d

SHA1
f699d3c1989c82f14d1535132be4b4f41cb87c0b

SHA256
81cc68ed534ceb55cd84e1de55213678e99859d8497e8a17cd4a4adfc47c2a4d

SHA512
cc3e1e7a547671c9582a5093766b36abd675e6e8c93b8e2c695b3d186b1494fb1e45b547b2489e3a00f30e185338e03034c1416d0b7affe3bd93b039f99189b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
dbbe870f2fc72edc81b62f00b90de694

SHA1
3847d45d577ab48f75a5a12a3e947cb601899fa4

SHA256
d1d8676cb4c5b0be1d03b869fffee608116e9dfe42a95940ad8393fe04a31589

SHA512
284e9d8ed0d2885836c863f7deb871efda9ff13f6c547ad3425372d4da9b9eafdaa5439af2aefeacb1ae194f0d0cdd4c19800935182ff0d1904b69a1f58ef727

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
0975c05b51ae4fb36e9d7558c9445f6e

SHA1
46750f748b7d89e32df054e46462be1ba9fc71c7

SHA256
cf913849785225dc58db7a7a8a5bbbc5a01bc11f9aaf863fa96bb5867f0bbff4

SHA512
72dfd87ffb7f38fad69dcea197221cbf29bc2f68991a58e6273f4e4a7c1661941f7b1cd536791c2a802723bf3745ff334e59b50db2e19b4f1607e04079b6b40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
c69b09c18f62a418f619289d4031a03a

SHA1
9aab4b54d127e0ea140234038a1e235c1386d12c

SHA256
c2cd2b8f62d8ed3cf94aada8ff4a69f45e6c0b34adbe7efed96a20f96f7ab875

SHA512
15807311178057b61389d412f832ab5fcb0c84d23599b88f08ee910b2ab88741ca1e5d6267b6bd416f791175606f9709b48030ac5e946359d7b05b41906b8219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
5e0fe5af077fc5342625d51f890609ab

SHA1
98d698fbe27174a05645ed71649512c7513e9644

SHA256
6869e5052af521df043762a6cb5ccd17811de43e5d8eda4535a2fe40b2bdbd9b

SHA512
bda5d8c1a4aa90b04627eee694d079353e7548b629cca55c774d2e1903a7d7867e4a214cd58cb0a73c68d032d993f72f134e389c38cbed68964661f635c31fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
60982776443b00e34ee426655b2558f0

SHA1
8c97c17b0ee18ffaab373dd62739dd3b1abcb400

SHA256
b9903cd1d0253dd9d1f220b8f674ded49dec8899fb4a57c70d920c53f74b0ed7

SHA512
6de288a993d87f626505903bcd08261e825e0da69c422237a690dde246cd1ee3bd2fc274829492350da3f85f895fd4ac858ba20df4c1037f78b691632bf79884

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
ad4e5bde0aba7a9dedc8a55790a9344c

SHA1
c0721429290e928849fbcdb531766a93ae340ddb

SHA256
e5d92b5087ee61b0738e563b641c5299f5c35daece0e1783fd566dc94f3fbb3d

SHA512
176bb1a942f24596f525654d06bb38700d5aa0390d621f76f63f72ef9f8e040e72d60503d893fdfc268e84e4d0f51fb87236847ef62711fa38570bbad5ed4d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
d14a4bf993e15241b7e752d945e08c36

SHA1
3bca06017122c7937fe8f464a54f868b12531dab

SHA256
8a28db08e311f2a752b8db217478c2eb2d7ba57dd8fb290945a06bb48b0bba45

SHA512
9cf9fd0af66cb6770859265d45f763587eb5001ce70fe2613d733384e831fc95040760963ad8a5fe78847ac8ad72f5f7a320f7eb798b3c7aa6f31a1bcd9a65f7

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\directory\CyberGate\install\win32dll.exe
Filesize
1.1MB

MD5
5ff2482aaf89a0abae4bbc81d3472568

SHA1
39b9ccc060292cf4968e5154d8e6c7ec0c5b9596

SHA256
1489b71d830b774f0edf3e8d4422018c107e4505bbf7e71d199e42709ab45162

SHA512
87471d6f0f3503d064ceb5cf7df6d1ac0a24c537eed2b850eb2e48388253ebc11f2b05fbf77aa6328fcb9c07a3765489d2c0681e6a829f547e711195094f525f

Download Submit
C:\directory\CyberGate\install\win32dll.exe
Filesize
64KB

MD5
fad38e27c34fe8326760d0a671c90df6

SHA1
69704cd33db8fa242e41af632e7a4da46497e40d

SHA256
9fc9dd394fb27ddab47e22dbbc76b0a644043ad9a818fb4f339134c429cae394

SHA512
818a6833e1a57cd54e325a344cf1719311009853b506475eb319be951c56cbe5b9193446b3d8e59b6fd41d2bd37ee196bbeb08dba4b2980e727d2dcbc9e0f1f6

Download Submit
\directory\CyberGate\install\win32dll.exe
Filesize
192KB

MD5
9194778055e2fc72df64d0b36d9fc593

SHA1
c3201f6baaf0b6d0a5a2646ccfe577db2657048f

SHA256
99149023c72bedd8016fafa910ade0464089ad06557c4c7b430acb53a8152dbc

SHA512
8b7ae4d3645e088abb68f441eafab81c11117ec5b25f8efcb3d81083502ef0899b9a1e571bd8c40d54070fab39e8b4aa0a87b565532b9d8f1338ce7dbfe0e3d1

Download Submit
memory/1284-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1284-15-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-64-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-23-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1284-11-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-10-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-8-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1284-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-2-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2104-0-0x0000000074CE0000-0x000000007528B000-memory.dmp

Filesize
5.7MB

Download
memory/2104-1-0x0000000074CE0000-0x000000007528B000-memory.dmp

Filesize
5.7MB

Download
memory/2104-97-0x0000000074CE0000-0x000000007528B000-memory.dmp

Filesize
5.7MB

Download
memory/2104-101-0x0000000074CE0000-0x000000007528B000-memory.dmp

Filesize
5.7MB

Download
memory/2104-108-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2656-391-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2656-1303-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2656-27-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2656-33-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2656-39-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download