cybergate | f57d303321f8d5429e757128e4eaadbf07d0081257ad3e4fa85dede1202a28a9

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Size

274KB
MD5

44bc1069163a24c7436cf35a93bba611
SHA1

afe484069c1fbebb0af9bec7d8f70955ecbe8f40
SHA256

f57d303321f8d5429e757128e4eaadbf07d0081257ad3e4fa85dede1202a28a9
SHA512

2bc1da13760a5c60e18761bb88bb9455d37eed0e3c87e67bc83a4cf2c9af7f0d0f4017f863b06d35c6ec64ec404b010d216c3967fc67f39020664febdb9c66c2
SSDEEP

6144:nMIpu9NhNyEYw48acZccSU+U4pN/EHqGs:nbpSbNrjbSUdk/DG

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

anjan123.no-ip.org:85

Mutex

MD2K4Q7O3P681M

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IR8FERVU-G56M-MDFN-C505-L33URBR2233E}	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IR8FERVU-G56M-MDFN-C505-L33URBR2233E}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IR8FERVU-G56M-MDFN-C505-L33URBR2233E}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IR8FERVU-G56M-MDFN-C505-L33URBR2233E}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	server.exe
3200	server.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2936-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2936-3-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2936-23-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2936-65-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1276-70-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/files/0x0007000000023c74-72.dat	upx
behavioral2/memory/948-139-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2936-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1276-161-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/948-162-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3200-164-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/948-165-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2828-166-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2828-200-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4992	2828	WerFault.exe	90
4956	3200	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
948	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1276	explorer.exe
Token: SeRestorePrivilege	1276	explorer.exe
Token: SeBackupPrivilege	948	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Token: SeRestorePrivilege	948	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Token: SeDebugPrivilege	948	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
Token: SeDebugPrivilege	948	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56
PID 2936 wrote to memory of 3524	2936	44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\44bc1069163a24c7436cf35a93bba611_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:948
  - - C:\directory\CyberGate\install\server.exe
      "C:\directory\CyberGate\install\server.exe"
      4⤵
      Executes dropped EXE
      PID:3200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 544
        5⤵
        Program crash
        
        PID:4956
- - C:\directory\CyberGate\install\server.exe
    "C:\directory\CyberGate\install\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 576
      4⤵
      Program crash
      PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2828 -ip 2828
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3200 -ip 3200
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
40d7f6712191fd100466520d831afc92

SHA1
bc3c943f51125470c9b5f8ed3315b2089efa35bf

SHA256
0bf18d78a203b129345e33ca50445c8cd0f3a9a269bba95737cd363327253bc7

SHA512
c1ae703d7768139e7373d214a020311b16c92be183f295e010b586af72453e70acecfc6f089360f29a131f936335c92da0d71cfdc0c45e0854ce29a7eb955afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c8285120f086d85ebd567d924077df37

SHA1
857f45ea4aceb11d6236a6dcd535c6570a4336f3

SHA256
0a8b5121369c011c2c7f628f7bf85f8e82991a8618915990494e83b93e92771d

SHA512
7246bfb03e6b88b5066b1f9eecd667857f8a2d695456d94167b85f622e4415b2efdf80b35553f2e8305de5bdc3f522cd95a8a6f813f0014c57ada7e510a5e2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2db4f5005edc9a274f3d02c5e1cb8443

SHA1
ff01e66ff3be4d69795f0bf922510016cb65ae41

SHA256
e1739ec07aacf9cd968ed82ba617b47e4673576a0b74f7440be66c5524ce8bd6

SHA512
001e527c068b0ea37279223a48c8dbbf22990ac050ac34e2c39a4d20391d3ae25e478a9369631e1a03f9451f1504eab1e5a45211e244fe5b323e330c3c114368

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2c7f4c1c9b34c674f4d09d00d3134358

SHA1
d788aa73a27ff55d58efa7d862bd974007bee248

SHA256
22f9255fcf08023b9671e87bd4aa3355ce7387de81c111a4581621cc9e4888aa

SHA512
08b6fc94d3605b66b47c10a74a348e863f0b0d9ecc8de58285284c27733d351a451ce80235191295e887907fdd6afdb44c142df98f01d19361331b5f99df2a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3b14536af657376ac22492573f913aa0

SHA1
135dc774bb58822b346247e3ed55d09f202a5ce1

SHA256
e6efb9b095aa27ca9f82dd0dd8bb881ff04536d164e97ebbe961a3fc96e3b5f5

SHA512
0bc9c2232b1e516ac983516b14f40591e54fc00f56a7b748eeb7fb2c40370b0d4650e325712443c017fd5b8cdc7cc5a2300046b17246f258d98d5b1cc2102dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a863cd1cef9e65d234f5e7d639a2f14e

SHA1
bb14d22eec9b242f56bf8dae230bff15063235f7

SHA256
db57b64a84ebcfaf74402d9cdbcd3366657c9ccdf7823cd018f415ff5728a92f

SHA512
c8d7b72aa8e6401ea89e9be48593b618fc2308aec1aa07363454d5db0e41f0ac73002354cf49e9a025d545e8392664350ec2fe950094c056a155fb0f516cc991

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fe8801da3470426fa806f42f064f064e

SHA1
19af1906b4f7f05fb5ea082f7d509bcef08eb503

SHA256
c6b39fcbc6144e65784a9901c0b0621067bdc378a5f75385b63e3b9ea966e0af

SHA512
0e30eb1642e3bfdc4e17a58baa3eb2103adad9651afa9c542c7ec2e2e854cd74de01d8305d1de8bb5c5967878a7591715427678b17e222f0ace9326001539263

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
660fb43131bddbc1a4022ab49dcb8dc6

SHA1
26ef959cf8cc7cb343beb86770828f73078cdde5

SHA256
5206150d6c38966f173a63913fdbb3d9e24ead8801111acb9987f067c263678c

SHA512
da01de7cb946d7d6e1a4ff9f4e74d9eab1c4acb6658cec4eb4232ca2dbaaf2726a5f7916e94dfcd1f97ebf76eb25fd9decc2470f793ab3bc71d7e37ba550686c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f017a898550bc3d9f49fdfdd7fb5b789

SHA1
62cd8f8ead11ae44e9116b3b9387a31e1e5d32cc

SHA256
3cb5f5aa0dcd4fd0292d9bf0ab3b6ccbf322b2fca59233fc7ed37afaa941a1b8

SHA512
39d5983c1d9b965f485b84dde8f41280d2e30f144148dc90b827778069f675ca7bdd17c92cfd2e77107680a9c4b27cd415578fd9dd8ee75218d03a6e736223ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
00678693e04ce9d9b0511229e0bcd58d

SHA1
b5559289c7d5ddb13aaeb6179e5996eb102f4cfe

SHA256
d4bb9923aae55a81082648202501f23b9e8ed449cba4027ad29d88668234286f

SHA512
6c8a3fdcdf74b7336624aa74ad49f53ec9e0a332459eb95d7234470c740c110901eae77b2caf07be84a6a6dc5d86408aa37721793e357d05ac3be85584355d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
93a2ff7ea510ad7624399ee12e20511a

SHA1
9712eeeab9324e902dd710ab343fe5ef5fd7c812

SHA256
7f1d1066f05b5ec7723ff3adea67f918535654b95b0b9e40be5999ed17439c62

SHA512
cab6b3e7ecce0336e9b53714996d649ffbbbd590fcf76f6628612e5531400fe04b6b12425057b0fa81fcf9f08c385a009a8e347d491fd18312f7927aefba3cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
592e79029dd60c76f25395b472e5545b

SHA1
327025550a383450fc661b1ab9595ae0c4eb22a7

SHA256
0156d7d9b410407b99b0ca39dfa9a3c405a4d0c805cb7c464bda72272fdb904e

SHA512
2fd7d411f5d5976455b13e32a31250f1169f4b03b34df4928a0c0f63fbaf11530152b032ea70e2873dcdc1bba6f41a6c04a503638f9eb62c29af00bd739dae11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e720bd38232834fa1b08e2dbc89ddd75

SHA1
1173905d04693ace0d752ffff95184ec7a93f6fc

SHA256
1eb0d951bd0cad3f0d3eda76f48075cfa94de0019d8348dc7d34251210fe9cb3

SHA512
a55561607e0764779302c2126f627303dfe81d8b9d351c4e4576e4b1b77e49b05a05875387eea726aa197d7a3d68ddbaf3780786f23c56316184782b3b35d442

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f38982ca5099920f67fc8faa967810c6

SHA1
c7040750667a458bf13a2e360ae63eb802a24783

SHA256
9daa2c34e73fd03ea461c995210dce8677141ba8bf6278c4d341cabb23c870e2

SHA512
4a5141a8bec10e0b72dc3e3c37a8bf4eb862bf1260629a42a02136e8dad21500e56a6b369813249e7fdaefbf2d74fc1264d2c429ca5e36799d37296d8bc805fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
34bfcf09a6bdee6672a1209773e1cd1b

SHA1
7f38fb560754e5e1c5cbaf4738887a5f6474da16

SHA256
c8310bb00cd1fd2701731da1c91a4102a4d139994d1f55362134434655c7eeb0

SHA512
57e72ed20298338a826525b98a5fbc330540ad7d54d295e6815858d7ced50576ae9e25363e6843fafce27388106e6a189c8a8f2cc5dcfe0c5765b12128f96ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c5e9b825867c22ac5db168a3e8839726

SHA1
e11360fc6d83583b2020a5042635fa79a5760933

SHA256
48a17029545fc410c3547cd5f742f45e2dd953bee5ce442cd095f5a28a18e83f

SHA512
2ca98bf87201b93521fd9092f6780a2cd668e06bc3c2927f1c33406f979026d92bdcdef55180c586a075ea9251472bf8b0d72900d122b83e78dbd3d6de88c5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
be5c8d75cf07638b040b694ce1436f35

SHA1
22072cf3be1684c8c325eb9e7bd0967b60e92c93

SHA256
1007b81f14ffea2bbf312bd476b87746d4a619c222b1be977394424455b603b1

SHA512
e2029e3e927ec7153d37380ef91f7c0f75fd083e67e0d00f2e86a199121b7b0cc20ae5fafecdb3dc7c355453499f134f9844ca8948eb3e27412f6cff2f8ba32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
11af4e8c53d9d14255bcc23bab8182db

SHA1
bd4709dacfd70f96d8ac47e63b84729fa430b373

SHA256
ff4bd730264a436f240c1c4963705b7a1e86dbf54efbdc9aa8f371c3c91fdc33

SHA512
c2f19583fc55ffce854d41945aab0ccf0a7dacfbdc5dc3a9d34cc92eeb0b89892d19e9fa25149fdcd28948f1601957ce178e7644c8f64221bbe498e823c5730f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3099bcbc974b119a06d58d57ee83e2f5

SHA1
6b755f40e3d4e06e3e842f411f82429a25ea7a46

SHA256
7a7a5168249c39dff021c2dc655bbd8f6dce3bd998b20f447c19d85808abe7ee

SHA512
424e294f81b5e43c78ab4b729a42fb44d762340ab19209763ecdda31b04a80fcadac7e953e04894a292c9900eaf9af5f64b4d6d78adf7c819ef36c26543e0668

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\??\c:\directory\CyberGate\install\server.exe

Filesize
274KB

MD5
44bc1069163a24c7436cf35a93bba611

SHA1
afe484069c1fbebb0af9bec7d8f70955ecbe8f40

SHA256
f57d303321f8d5429e757128e4eaadbf07d0081257ad3e4fa85dede1202a28a9

SHA512
2bc1da13760a5c60e18761bb88bb9455d37eed0e3c87e67bc83a4cf2c9af7f0d0f4017f863b06d35c6ec64ec404b010d216c3967fc67f39020664febdb9c66c2

Download Submit
memory/948-139-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/948-165-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/948-162-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1276-9-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1276-8-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1276-68-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/1276-161-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1276-70-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2828-200-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2828-166-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2936-3-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2936-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2936-65-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2936-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2936-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3200-164-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download