cybergate | e15a985d5a4f252145354a07b6f49a2213cc2b3a0fc9fe29cad04c7cd2b5083f

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Size

274KB
MD5

61082949c7784f589f7b8e308ca10910
SHA1

e89f4043cd428262cf6012ccd56c7b306fcb8e0a
SHA256

e15a985d5a4f252145354a07b6f49a2213cc2b3a0fc9fe29cad04c7cd2b5083f
SHA512

e5f9716269e45fa598b7454834ae041f8974a23e53bbe25b1ceb2964400e75341d0420cd9c3c6321a9c1def1473f53c9ce1fcd9aeb4cd3c87ee8ccdca6812795
SSDEEP

6144:LMIy/qCS4G06LZP4igjG153q/ZUzD/GSxOZ:LbAqSG069421536yLGvZ

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

127.0.0.1:999

Mutex

3L0DN44J3SY4EY

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
.//
ftp_interval
30
ftp_password
iuploadyourpws
ftp_port
21
ftp_server
95.141.27.30
ftp_username
rat
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
.NET Framework is not installed !
message_box_title
.NET Framework
password
cybergate

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{IUPK4CY3-03N3-3IXY-G522-37064KLO628E}	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{IUPK4CY3-03N3-3IXY-G522-37064KLO628E}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	server.exe
2896	server.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4956-7-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4956-4-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4956-22-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1640-28-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4956-66-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1640-71-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/files/0x0008000000023c03-91.dat	upx
behavioral2/memory/4956-96-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2844-101-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1640-102-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2896-105-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2896-258-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3752	2844	WerFault.exe	84
3248	2896	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1640	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1640	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Token: SeRestorePrivilege	1640	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Token: SeDebugPrivilege	1640	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
Token: SeDebugPrivilege	1640	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82
PID 4956 wrote to memory of 1832	4956	JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe	82

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61082949c7784f589f7b8e308ca10910.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- - C:\directory\CyberGate\install\server.exe
    "C:\directory\CyberGate\install\server.exe"
    3⤵
    - Executes dropped EXE
    PID:2896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 548
      4⤵
      Program crash
      PID:3248
- C:\directory\CyberGate\install\server.exe
  "C:\directory\CyberGate\install\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 580
    3⤵
    - Program crash
    PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2844 -ip 2844
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2896 -ip 2896
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
aa95e959538b8069300f2a731a8664c1

SHA1
2fc4194e4f03357af93a60915f02bb9bbc7b5e27

SHA256
fc46e4bb9da536458365a2e09be40422ce66baeb6a6aad700d15f44c071fe3be

SHA512
35ae67cfacc7d5debaf4476b087b56e59c08ca9d2b676948188434fff4801e40f5b2e2e424b543cc9e8b8dcd90525ec27ca3720d4fd846ba216ce0544657d294

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6094490036543b5f59fac808f9dd719a

SHA1
1b064c23c028b7b3ae7cd647c9efa36aeaa50114

SHA256
2d5e9c64fd24524c97e154a34b1835da8e357896f53686b96aa9fb34cb2dcd14

SHA512
8a4115c526cbcf208ef333b4213ee55f57522e86b447cd317ad2be1c8d47f70ba26e741258169827b4bc07c90f1d9a40a211bc52b14ecdaf0d138a8cc2defd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dde8c8f01deef5bc5ca272c88ca2aab8

SHA1
c1c236123f7f1f375b55daebcb2b38cbe52aa2ad

SHA256
1c75b40113d8d0adac4c618af596dcae3c179caf7e07eb08f440b6211c73816f

SHA512
93d28b94b59a9c5c7890c976eb69335e1370faaeae4cf7e93eab1522458253ec1521bb45f9701c27cdbd23dc9cf57ab7f44cc893400bf227397b5d78aff354ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
935ca194620d056827eb0f1285d3d15a

SHA1
08270680b09f2d63050f03b61d50aca4c5a8b99a

SHA256
c080d5c6cb07ec1e1be4ec8806ef6e6c000d524b8aceaded314d1301ed8c1a92

SHA512
7f7b157e40c4732ede733d99fd8df3272581004f0dac9c32bf7d037eed606b34d94e8363f80b95fd63fa265906363f7bc1f11877ccf2426926dc505321df4cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
22032bc1bead5cd01d5fe10893755c88

SHA1
51639d40af5b0edb812117e362c48af5df4ba2ad

SHA256
4a6fbf98ec60308fe46ba6797e2d7affc8af131644ebebc0966094a67882124d

SHA512
0514729ca0d594fa63abc6b049bbc188685eef98a6289f636319bfb41376208d46aa30bfa3fdf6046eb64acb5c558090b41d8166fbe0e9f7b57fbf5966329239

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e042be88185506091d303f6049a6fb97

SHA1
b4c89dd9bf183fbb30bd654a96c3915dbf82faf6

SHA256
3e1d6f7e0c2caa4790c097a43038e460914955af4d8c046e4c13c276a8fe0680

SHA512
5edd7d004621209e04e444057638e9c328e5c9b7460fb4bebd27dbeff6a2ae4a8c92d895d65a9741e3925e9a20788373538ffd57c8966b25b06f1c5c29ae3bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
28893b4aad42d1dc8bda2d64aee3d35a

SHA1
ffb93fca522735e7c9600c5a51a888686ecf44b4

SHA256
cd2e7f23470cd12c2cddd0f81b32751bb9903f338edeae5b2d79038ee8370c2d

SHA512
3af5a25234052bb886dd13b33abbd259accac2a370517e120715a2ef86414b3ffb286a3a00ec5a51e7ed9c3f79a719621947456a6d3a21e3b55d36067582e271

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c07cc606d7dd5b4abb36f2fc70aa4eda

SHA1
2b10457f6c00311b782e2e66305e78c0b2feaba4

SHA256
a4896a18bc91c19d2f2ff0b196b2e9b1bf15a253aa9bd36d26a3882c3ef27e1d

SHA512
f68c9de34a3d0565c5d6faa08c629b7cc763c61a76cd1e5ece7f7d634d9c9ca3b41fe0552e2aa94f5d997335c763683fb24d4942e99ec2865809f27a7fd41040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2f97c85dc14e88c81ffed11828b6f3ed

SHA1
76b67bf52db46d21a95be9eb5a6eedfca385b57a

SHA256
85726cb7cf9c50ca5e5b1436e63b4e2b94e49ff1d136a23938591f23e6126d16

SHA512
1a77fa844af249ce0447cfbb9ed7654f3944bd1e264a33b9fa83cfa1544e6a93654844399335ce5c025a4c4f4be559da7a20ed9e2036005616efb45f576ab8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
21ef9115abf300ac3a0e63f3df73dc65

SHA1
78f2aa1d4be09a61f9a087ad1e4aeeac5b0eee84

SHA256
1dedba0a82046526f718f77e179b49f77b853ee5a748ff5e6d17986da6f886b2

SHA512
06e7baa637383b69697e1eaae4da8a63e1bb0bb321bf42216d4808efa75cbcbb05066ef8297c925041d91a7f05a39c549fc9d91a089e21bf58301cb355fa3285

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
11408cfc5a1fe1e270bd4bc5cf1050e0

SHA1
d5aa9107022043598f7f96ec4882c55b20b32628

SHA256
87b321077b23b93d1124439107f0603b35c58fc99a1dd96d427ed6b555003fa3

SHA512
7e2841cbd9bd2a4a9319ed1c1421167a06220d9e55262b13045ef16515f1f10c3c64bbf6066243d3cb8b664af2eda4ceb4759542949f053862c73268ea16b0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2cef53315718381cd4345f7a91f33922

SHA1
e812fad0501609fd12b6651abfdd4da91939da55

SHA256
f9b72c33d5aebdd88d5f8d8b1acd719e403bce7684905bba93967aa352762fef

SHA512
aec6dda73c50a733a3db817c5b811380dc2fcc2123fbdce7aca3834b2c65825d14517dd8d1dd3b20f137afb4e94b74dca8f0f78724020a0ab2ffc692c2b6c4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7aab2545cf23e43825f1e172c821fee7

SHA1
a6d4b9ffc2509a7a525f29f6b67d13a07ebe64c1

SHA256
5ada098dda4df3682d289bcc8d98837facb47e8cf040e0cff2ffb60b43042da8

SHA512
26702d87cff63399ef8e96c2078e1edd62087bb660d58a03d5b1039073e0a85a2e4165a6bc93b27108a966a599923e8e6f9f54e64052527d83a1d0db375733a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e174c4826ad607e4f7af6644b043b790

SHA1
bb8e0a4138f21c9242155dbf22a7139240b07a6e

SHA256
78fdadb56e150b213d401f9981fb37e1e75f322ec3b442e6e5d8281d7b2902a2

SHA512
3693f65d5da4857295ab7eac3b2ebf25c9ad351d95baa52dc573adae0859d312bbd81ee95ba57455d90dea0501d308139662ce128c27eb4c3def139035091dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
49aa4c4bcd6ec4a7d76ef2660ad5768c

SHA1
6a02e0df0cfabe9e85a8c89d017b3cda135bf94d

SHA256
6bbdea3567b78a0a4996bdd1e4889c81325acaf2cb15bada09bbe8751f0a394b

SHA512
410ff67c1d8355d3fe1e684948f8dd3717f03504648c755b41f38e59ec2d15ce343929ac237a045a34537cf6ddb12635659db088c43662b41625e8056ae8a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d9b2cf9ca21fb63b3ca310cab3b60675

SHA1
bb780ab875824033f07f37613803246bd878fa42

SHA256
61f2e5c0aed54287045ed886f3c0d41fc94abefebcbfcee5aebd88eb9497e72a

SHA512
c906c3de0be44e2b0a192f8945e0624d9364226e4a5ca53ee5eb5a88e78a07fea912e87dc9cdf53dcc7eceb5612f505056edaeaff192b588ca1ff15bf3763ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0f5b5bc4273551eed03b39a56303ff1b

SHA1
d84a053b980eb6f3e105892ec50beacb08d4ff7d

SHA256
5686efd55f3d329e7b33df57ad50b6714a216efd44db84c1fb5b9de53450b175

SHA512
6a977cd7f9b293cd63957948c94b649f0b0a2dec398ac497eae6f2cfbf2d62d2246faa86501cce60521e86fc7db04efb7e364229de99049941585585543d9dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
38fa51ad4bb8565f6f9802c6072fad8f

SHA1
ed7fb03daa1a43bd2d3deee86c4cf94d6c3da607

SHA256
a01cb53d2018cfb16aacbceb41778749ebcb0e32a02f09838840861fa5a8c36c

SHA512
25406549fcf3e5740bb5a25e2e96ca88a090b23db8fd20c3b95853a13df6b39a37c29d7daec6cf9ddc3d556ed5a21d7a8b090b1ed7695f909360939349d7e9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9ddf4f8b7ffb72f99174731d711be87d

SHA1
be0befb304e77dc90d10613ec95c09d3db67e6ab

SHA256
8d5bab06f40171c679c2b0f170b7480a85e20c589c0eb52530fcfc99ea215371

SHA512
8686013e8287fd10387d9f90bdf37fd5c6fb73faa21e9613c8590fa05438c063627d1e247683236188599a3edb44870218725ecb3b8dafefc9b96cdd467219c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f463761b030e6c31cf62b238c03167c3

SHA1
5d8dd81ff9ab5eeef909d9769a068037df2384a3

SHA256
7f7428a6cbacec74de0177a40d9c2eb6e3d9f187ea1089f601ad683953c6baa0

SHA512
99208ede502653e90b4ff76cf0964d12844f7888714f0ac343493067e6db3f1de2ce0c38d7877f05388ab4c8fe2f9419dfbdedad4584924e304aebefe868e2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7b9d8e90654b355e8a3ceeca5ddba2c2

SHA1
e12a4228d02294aa6f269d3c090807850b966c2a

SHA256
617c32c1a61705ec0195d6f806929c11fafe380263f68900a8d2cfeffcc0e451

SHA512
991d8fee7fe3af2bf197e782b27ba15f7f76bd724ff858a3ecddc22aa7b0985112aa4f8d8df89f409365eff96507f2759847735cb8b0bea70a5bba0413a2a7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
88f826b45129c0b35a1b2ceab051421a

SHA1
ea863d93e642bda121c0897b46a0735cf1c6bf26

SHA256
cf3c673f44c7004d33a438fe9d8696aa4c0c54cc8b23a689bbea659050e05e63

SHA512
fdba59a63f53b74cbf2d3fdcd26febe846e27e57f4dce070b8baa5624ed0768971bbfad0267fb2d5e94fe4c356b1b71abeda7b1a76ca3ab6d44e49d782f45f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
91cc3fa573182aff65d0d14d7f000830

SHA1
87c178525e98ed087178a68164680362f07b811b

SHA256
7ab510a43953910c666a3533b22634731e8349fc3aa9ce4758a4ffc7cdb38002

SHA512
1a9e1db40e4cdf3ed9a9ac4855d62da0634ddcb57e8da0d4938299d5a9200441a602b2a21e8d7cf998404a238a7c553e2996373178cecbfeebad1452084f5084

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c89c7e1ea8513dda254f5bd6af754cfa

SHA1
83d72ea32e5e779c27a2628585a96bcbe57fae4a

SHA256
81de396a0e6018a4724669f15e5547a026e3ce7d9187b4faa116e831bab91cc4

SHA512
92600caa91ddc82aa3314ca776455f5b57d171183dfb22348304e62e5a74fded8f63ecc7d8bb84afb10d4ab931a8a5087d69b2b95e786ce8eab1c3b31473e7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9fcb230cefaa573f33022dc7b71f96ed

SHA1
12922008f3efba93114e49c2075c7c1c6f262ce2

SHA256
0b721c9d60fd682a407ec0b56d522bcc96836af5a775e7d3c8617b1614834920

SHA512
119474159298d165e61d43db56037f10a3273f81f83444504e04070e80b87d3e9341a4dd22befa98e31abe017abe4f2f8179fede159b6b8dec6adbe78b56356e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
536a5cf630486db90edad771092b699f

SHA1
3710a693bca68f6fce3e7127b6cc4f759dc9289c

SHA256
8fddc99644fc9df81573d6300d348d8026416a29d694364819062240f5cca055

SHA512
83319ebab81f9893fe2f0133d8128f347e879f6c3446ee0b7fb37ffb4e2d1b9d6f75dffc7f5cee8d063313a593b2cfec2d48a0133a291cc66f56e0064e9d1ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
86bdac5cacd1cce20793a7fdd6a263cb

SHA1
d74b5715b3f5f2b5a12b50579633a3afa985306a

SHA256
586bdd7076b41e5c093afbf79c28ef576b19fa70f63d9f5c2284314ebd84e3f8

SHA512
a1bd09449dbd138d0341ccd0edda13c2e7f0cdc130d8e0897260ca3398ea02134a18c9540e785db2f7ec578a7b091c16965d88bb2b4424c7c9c8e8cbbef7d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
42a1af8a02b2f009383a5383f3d6ca6c

SHA1
4db3a5d718e16afefe1658728ae619b213acac74

SHA256
5c90f5d6828a72ad684408de38fa0edcf46ce7d33458e1eb312d3408a7b433ec

SHA512
e79edaba3b206f3ec95e59476f96150c6d2bd9e2e7a29a5d601dee0558e05aa8db87979ed04cf11525a38814414220775b2c5a6eae6304a6880cb5d9af685f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
43d527ae0c87902cb5d8fcaaad1ed325

SHA1
7600bda04dd2b73d3518ab45c441327e9b989f63

SHA256
72987ac0d25f42df0d4ee02c09f7f4a4130323cfe791c6b544c8e88beee88dfb

SHA512
b7ad018fd4bae917e6784833eecdf61101f43e0d5e2dcd93a471bdf7b8745da60d4413d2fdb73054f835d74e70c76a2f41578abb0e3daa703079bdefc3018726

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
55987345f8e3e273dbf6fbbec4ad3aeb

SHA1
d08536317951e25535e592cde09cd3ef2851f1b4

SHA256
baf6ac60faf7c0323b128de6ee9396a36be0b6e329fca1abad9cbe5763899ed4

SHA512
d72dcc53fe27e3bb3baab001015c43d719ddfe50ab7383ef25f216ebdd22e86ea2178700708d5429ae65769d40f3d9929aba51112018caee52213f2d15c9f476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
afe0145ce54a5b2200c10faace220538

SHA1
d851e93e766643410ac0129050fe8a9f9b815707

SHA256
d51c97ee782efee2015c42d15fb92eb7a5dfe97a6fe01406786095955539e480

SHA512
a4f36e882f3d09af00724fd09d548b95f1e0f45cd804effb94a42351d0c8b14f9e9a788f1a2fe1016a59dcdfe0ca71526295d36326d8ad22efe0c460f698c339

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
846767ee949797fc3242aeb745fa0c21

SHA1
79942f079d215dc01022f170c4a0c2c8712c2580

SHA256
e43c38c0ab90b6a084e19e487d65fcb60a947a891422fc570b2917841d3fc58b

SHA512
5dbd4b60b68c86b8a5b63505e913b7f6330f814a2eae0ab603610d22ea6c691f00c07bddc872a736f1e8a786d4dbfac968cc9417b6bf861fcdbc4a880e148f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
da14351988d75786d5ff44b2218cf6ff

SHA1
6e6277cb342d64dd2ab8e6690443d8b9d3494f13

SHA256
e83422833484b0d2acc7003125b254dca50dba324288be74977ee93a2c01ecef

SHA512
8d1db28abe550a60ac4a80b9f0264c2516adcc798174fdf50fe9d721f877cda631e9c28c3def480f66a4c93842fef0f9495483619fd279219890bf5cfef3f723

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f8eab117a4fcc822be44a9818ff99273

SHA1
8ba47ac667cc30e817cc21589c297a9c0cc585fa

SHA256
d89c9feecbbee5051347720a38ce8265e4dff75318cd9de9093b265a2d6e3f44

SHA512
d39fc6641d19d0e426ba5fca4959436e393b1c3c54474e6ce960d5dcd6b17be0e67fc11dae16d17020af54f8a4abf973f6f2da72075dc9f9f1e53429320bebeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b661681aa06add71ed56e0e18453a00e

SHA1
8add5ca196128a6a9dfd10adb458de957e555c24

SHA256
771f2ee64aa17392c566e519ec491fb472466c72f8f38868507a26adde93b2db

SHA512
bc9962eb28d2a9c03b601c9bce300940bb8c7a5538491e0960aeb75b1f36809726257cbbc2479393ae683980351009e650257d84c338f177c0a23933f6004faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d3f5ff5e8d783c79f22e40982380e6ff

SHA1
516c0683bdf22a7620acb9295d8968da7d092f13

SHA256
715b57ab7176edefcff8fc0c394035da35f05d7d751463327d07c635900630cb

SHA512
b292445bde4d3d807b7a6a1a7eaacd47988f6047b9dbdff3639140c21cfb0a9a9fe85dd34682621725d183c096754b921e6b64068689c7570a398cb6a7e8bc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
674bfed27dbe018cea8aed8dbca0ce12

SHA1
038bddcc60d7754aeb04f73a81b411e5b266cdbe

SHA256
aa4a911f266385889d36cfb0090109751be6f10a5e7411c6df3682e803f971bf

SHA512
6782ae83a6e96bc93818c48ffbfa4aac58ddf24d0334937dfae9e0be5d600f1755e6e36716c3194b3479b5d8f6c3075a10882bc795650a6081d5a57f0fffcf1c

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\directory\CyberGate\install\server.exe

Filesize
274KB

MD5
61082949c7784f589f7b8e308ca10910

SHA1
e89f4043cd428262cf6012ccd56c7b306fcb8e0a

SHA256
e15a985d5a4f252145354a07b6f49a2213cc2b3a0fc9fe29cad04c7cd2b5083f

SHA512
e5f9716269e45fa598b7454834ae041f8974a23e53bbe25b1ceb2964400e75341d0420cd9c3c6321a9c1def1473f53c9ce1fcd9aeb4cd3c87ee8ccdca6812795

Download Submit
memory/1640-102-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1640-28-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1640-69-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/1640-71-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1640-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1640-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2844-101-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-258-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-105-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4956-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4956-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4956-22-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4956-4-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4956-66-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4956-7-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download