cybergate | 1fa58e46d6f6eb8b3f020f9715d1f909695b1ebb3625cd1deeb8d34026a7c923

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Size

417KB
MD5

53cece3849727f63f8cb55504f78a7ad
SHA1

7f2e9dbf706a82b01cf717d55c452ef5280e604b
SHA256

1fa58e46d6f6eb8b3f020f9715d1f909695b1ebb3625cd1deeb8d34026a7c923
SHA512

9dc2cb45df1a4d31728a42e1a06da71bf45257e5d3d187936a808728ae9512fbc67f88a9da26f650554b3ba0232ea97b9450f50f7ab1ef389223c89a2012d7d9
SSDEEP

12288:9w9oA8xa7DdAIFEGmprmBv01+mOib5u7JurpG2gRTu0G2O:2GA8g7DdKrmBs1+mOiywVz2O

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

mohmed113.no-ip.biz:82

Mutex

6B65861SIQL84U

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_file
system 32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\system 32.exe"	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\system 32.exe"	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3WY012H4-4U4E-70JN-D0Y8-2HM84T735U4N}	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3WY012H4-4U4E-70JN-D0Y8-2HM84T735U4N}\StubPath = "c:\\directory\\CyberGate\\system 32.exe Restart"	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3WY012H4-4U4E-70JN-D0Y8-2HM84T735U4N}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3WY012H4-4U4E-70JN-D0Y8-2HM84T735U4N}\StubPath = "c:\\directory\\CyberGate\\system 32.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Executes dropped EXE 2 IoCs

pid	Process
1400	system 32.exe
3168	system 32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\system 32.exe"	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\system 32.exe"	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 1400 set thread context of 3168	1400	system 32.exe	87

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4324-11-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4324-15-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2428-78-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1888-148-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2428-171-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1888-172-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4728	3168	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system 32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system 32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1888	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Token: SeBackupPrivilege	2428	explorer.exe
Token: SeRestorePrivilege	2428	explorer.exe
Token: SeBackupPrivilege	1888	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Token: SeRestorePrivilege	1888	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Token: SeDebugPrivilege	1888	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Token: SeDebugPrivilege	1888	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
Token: SeDebugPrivilege	1400	system 32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 2520 wrote to memory of 4324	2520	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	82
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56
PID 4324 wrote to memory of 3504	4324	JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53cece3849727f63f8cb55504f78a7ad.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1888
    - - C:\directory\CyberGate\system 32.exe
        
        "C:\directory\CyberGate\system 32.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
      - C:\directory\CyberGate\system 32.exe
        
        "C:\directory\CyberGate\system 32.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 180
        7⤵
        Program crash
        
        PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3168 -ip 3168
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
0ec061eed7fa46c43bc3b2e8ed5afe49

SHA1
27cde91f5049e50b5fb94038393d097b135eb588

SHA256
b1b2685cf7c24e02c45ff25a74271c6e50fe91fb151995df288cd70998eace6e

SHA512
081ebd5523fe7a232005696cf9208e49b5e979dda065faa9ff25445f64f4b693ff9f3c65d86544ff87af32de79bc1ce221ca6a4c4117f620110fe8c690d9eb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2dffc4cccb9d3ac0787df44cd6877241

SHA1
e21342a3a3f77cb532668d0ffc3b5282871926ac

SHA256
29e565bcc43ed28e658eb117a6fa1ef60d9a39829e24cafd39fe414e6a53d6ec

SHA512
fafe57b722ae4ee0787c327a787594436f9fbeab2c48010e242754a8de404ea2df7ddd314ee4f69fe73eb0806651ef1b8103218975a0fb29e48367f9e7b9a731

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6724ea9578baba083589e0d5a867f487

SHA1
5da027c4c1148a704641ed75f763f313c9538c5d

SHA256
97082f862b5b8ee6c7b135ea91d49377fdfff2b0b5f12395286aa488ec89d436

SHA512
7482ea1267a9cae2e734b19632097e5596fe0d1f19ea014423df5c4bf54d87af0d1a302829d6b71b9664ce0c562e08f3532b9e121273d13e0d41d90bb7f4ca42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9ed97fce24bad5153e70b7aaf8c26212

SHA1
8fc427dffe867c62435909b48a36f4ae3bf640a4

SHA256
87c90008c13cdc8a6e9cc7454010cc38d1d39c525201766a7e362d550746ab5d

SHA512
9c1d72c0de12d5fc8fb20d457cd4852e1b7bf544a26928420576c6a32fd2b9e4b1833fed81147b2c32a12be591f5824ef0a8d4b398487bc9df9330bb93d34651

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
14704b1ae829f82623bae0261e52ec63

SHA1
369f1790e0cdae3b616db5c4b603b6da8ea8b1d8

SHA256
1cea5f2381b6d7404bd8ffb0c63416ff30f5ebe0746ad92299dff9ea3e1d6fc6

SHA512
76b2b7c5d867ddb3d3dbf445ef4f7175d12ffeaaa28f221055394a3d30eeb0be08f2b0d73487adcf7cdab30b9d7ee4467a6b2a4488e5c94d1ba6cd1e2612fa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
abe4cf0d14c7dba1a0f0f35336cdddbe

SHA1
1e7cc419b7dd5b14356ccad4277427d55db27c1f

SHA256
189dbad31e3fcff60f3ccd99140c7a856d8d6802652b46d3be9e682611ac3c83

SHA512
3bc27ccd7769858a9b3cd602743be8887b1f7e6bde54eb65acfc1a9db710af897dd08604ba088b652f3ea4cc76d6d99a8405825fcf97749ba0f1024a856ce407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fe279ad9c7903ee3ed8d470c7a284eb7

SHA1
e4a03fcd7db41d940e000c50b7ac749b756d74b3

SHA256
1c3974223e660ce4a4e92161a89958e1965293e3279e53c7b2cdcb88043dac03

SHA512
141d01c38a1822b5985c2768d567820a0b7570ab2c92d05602b3790715cbfe251eefb318fbd158872c2b6bc18cae655b6b02254fecfb57c5765119b10f17eff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
66808c72f0d616c6917abfe96b8d6ae8

SHA1
581825166d25ef416fe4ebd3dc489e87c0ae5dc3

SHA256
e0b9410b2bd9a1858578b041bc62f0e25149ca2f5e66f5562b5869d70e5ae2c3

SHA512
12f2a7e1e40e24007ea7a96d5395eed07421389e64ccb8a78223638d9f92e9eafb6e24552053f815c7b81d77f81bc2ad16eeb980374145c32e3cbeb82307949f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
871b74c9d934889c240b63b1fa5ee595

SHA1
fc555b6d470b2a5e13c9289efd326ea511c8b199

SHA256
313ed63abcda2fe39e1311bb019e305cca51aa60ad6362b368e647c91c46abd0

SHA512
58c76725a91b30ff1c4fa14a7fda680d11ee3df67cca0c99bdefc9c158630576a744f9084eeaf758dc13c3163b24ab4ef1847ccb437a714bd9bbcb3d69aa17b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
528da5e18ca7d25393e19c048792c50c

SHA1
5b2db0c18a06a89d39a0a4608ca6b551b75c37de

SHA256
dcfa03b7e11ca1ed6835b4dbb9b3c32bfc05579d3aa46f4327db61734f2f23a6

SHA512
23c2bdfcb7a109c15e1d2231ae410ec9216f30e719a628e73aeee4a2b52be3ceed842fc0aa8236a654c1f0df9160f418e66de0bbcb6b0da4539900ad1a11f248

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
776f35a1d811175c83b36e6bcc90edcb

SHA1
973572c0514c1ceb9b4aac52a890daa089e69366

SHA256
2a70d473fc2ebac02ce41bf383e8132c497b23a4468b942049a6634aae4d772e

SHA512
ef8c2881858a6292fd1ea6114ef63860b806fc275d8b7821e6f73393c680559e47b92068704a12015ddf7eacd838abdc8a27eeee5cabfcaa3214933e9967dd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
09486b1f210d2f7b257027ae8f1f6760

SHA1
feaccbe31000bfbc364e3b90e78476cac0bb9f9d

SHA256
7fb739db9a42a9a50ac9bf2d40320298dc2de4f8788e8400f37e07dcdeea3354

SHA512
a05c9ef6442251b96026c617162ecb782c2c06055fb91eb85fdec83f9ba89e952e94dd5ba0c7a7e8b252957eca17f6d137a68db3a292975321ed9950ef5d9ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
451d736ff1e733990d7e7fa54308a480

SHA1
c5a822fb80e606fe71f12af4dc73e100f23fe269

SHA256
ddf989358d95c4bca449d2470f03fab3a9bc35f19a1bdd7091e4f441d6d4e6a2

SHA512
b8be2b572f18a8357ed7ee70df511caecf1bbd0e89ef5f6b789d9396938b6102a4666d57c48f684737881336b6e14732e41a461124317b6a75cb0a6a99265884

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
01d6f08b1d6367efb6cb4d3af7183e5f

SHA1
37a218f7ba80d06953b8b13fca381143de4b729f

SHA256
e36937836e79c30364440d71a68ee37787b7c41346008f15cf07bb9c7f374889

SHA512
962fd39c460c936f646dd3366d36392f8bc1596b6b73b79d2d41d9ad3b8368e35db3ae68dd82c93392c7726e3ddc4eaae8b7ad25a0957880add3be2eb911397c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
709cacfe7e2356320dd0fc840b506193

SHA1
c0d049215a7cda8fea379dfaf80082a008764f2b

SHA256
fd8d0b583e52b97e5b413a6186dc3f6a9b1ab154ea35fdb115d880d4e7efe6f6

SHA512
3794533c3dda2094e0c1fc7e20dc71546fe6df46e617dea06a0050450ee0148e90f79c61b0cc2e34450384dbea4438ebef9ea3198d4470171ba417c67af7eb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3465b8fe46befdd3e18e66a9c2c8ecd5

SHA1
f79b4abb6e53e5f0da60ad63bb0dbd30d3253398

SHA256
bbe0ba0b0373d05413203325354511431af32c2a77a313b3ce4e786b871e5ea1

SHA512
8d0bd3b7d9c0d2fe140bdd776c650a18c3cadae2ebe6464697a79bb27d8473a6b1807e6111416f04fc01fc2e4640c2a905b2b8bdab714a9247287141eaad9020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1c44e412377a0568c925b4f3030e9bb3

SHA1
c685bd774813afb8fb03b1b0d5c06f16f52d77ff

SHA256
dea9d474b1780bba38ea8083be37ae47a1277b4cce12c5ca906354893a7ff5fc

SHA512
28f6130585ab2b7ee4b2d872a91efc1ec28a930178bd57b38aa3e1d62fc55bac030ef6df74585f11908c4c1a44ddbea77d6a4c380934ae38251c459419547c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3cc2605df80af829de53f76b0497f025

SHA1
75936b98b4d63d65f8c399c168226cb92f10f1c4

SHA256
cc0e4789b08ae66b839c9379d2e9cde34ac2ef173914f3b5eaa7a0cbcca31fe9

SHA512
e9594ff6c2cf6c4dc4047ea113d9eca86e529ec0b4cc7e444914e837f617e78d287bb2f4f7f8ea8d2feab3af8f9aac07339883ef75069b675278bec55f7216c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
526df6f57e7793cfaa3d96e0e43fe0bc

SHA1
02cc44b30199c0d781f5b2611633b223957a48f2

SHA256
4fa13a702bc7e73c805b9425384cc7cf59af3b1c6e3d69016dd2f0ee90777b08

SHA512
e9a762d9a755e97bdf150e59c10b09bab29517c30a598c1da7d9892a90173629ff14a1a7380ffc4986dcf92670ba255692a39b51af51ece55c86e604098e7738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
71a8b6e3ef6d8c516295c78dfdf61359

SHA1
32e9d980d1a77199e44bc5125bef2630ffa5c7dd

SHA256
7e26364e73ad10488ea42a62a20ed218670d19ba551241d6ef00f7a3c45f533a

SHA512
f9fa033fa38d2a709950c0d2f005a0baf1af9ec464c1fd768835fa68c71f3c82acff4697e5936d8605f17019a2bbb30343973a522efe846cf29ad96a474d3897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7730f7050efe8acfdcfb150e5cc60807

SHA1
19b72853a40dcdee1694e13961f085de245fddb1

SHA256
42c037814acca55f1477974fb3bef9ad0f4449ea8b5942437ff6517955e0e738

SHA512
c1438bf27a9164a63df06a9ce46e49fdceb66df76811d97b63c2278f33cfc4ca11c1982082ba9b7ddcb6771e2b42b23ffd3cc2590b92607e4df134bb82e47e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
851f5a951e989cf0aecace6c23587a45

SHA1
3ffd9d20d20976ae84a7cdf58e4a1426a9384639

SHA256
528cb8d05789386913baa0e6bf523160c35289dc00d36c449817332e25b28421

SHA512
eedfe1724e0eb8060e27c965389ec7b2814f38d7208768e55a8fca7292d3fe4b6c1294fb900c971cd6b8aee56a4e7334b6dbcd59171e89621aa8178dd87d8877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b0b349d032bb70648c8bc5ad4225f9a1

SHA1
96d41b7a0a19609c01701c6f4c9e2fa1a43ee6be

SHA256
75a2bde3216024cd0d34c627d3c4142ed03c7aa834a8e1f331f94e9a14a55cfd

SHA512
acde3c2f761246622c5682059ae2ad037d6372a82998c8843ee0b2a44b2ab78dee844307fd33d41bcb53ff8a4fdf0ec0354169515d313a2f9728a2363218ca5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
220e51cb922717d940a183b3275dad4f

SHA1
928a1c572fa8d6b587e75e0f50047a84976c3813

SHA256
767b8a15f32523d2c81bf01824368d67b1bce5cb3d563f1b9b1d54791c66b1d5

SHA512
f400e637616726da5fbd6feb68196b57ea122cc61f671d1c4b9aa8cee4a1499f7a7557bc31fdf2a10fcde9262c518eb8c2e44edc2d7ee643d050b2b91ff34f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
80dc9caae40e29ba336c88a8b28e619c

SHA1
22a6c03b22e22ff1642bd8ef5ee92e133f0ee015

SHA256
b96771adaf3dde41d7197eb57843b9f58f4ee1a64bc6f1037187044963e9c5b7

SHA512
e5609340824bf029b5db364484cdbd0d4c496d70b27d872553f1dc538bb9dc5ea7b2790ab8209ce7d238bb6432776488b0247ad402b1d4c00b29935aa72b2f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
23081e84974843f2f749152181991ac3

SHA1
931c083ceefeb030da671126e48cbf6e5fb66d5e

SHA256
8d0f37450bc44dfcc3a34b0103ed1d527cebd7ce09f6f29f2bdbf63eaca8b377

SHA512
e1216a9763702b2b3e7dce714dab657f6b2b937e03065d96dda570bf10663f4a85cb20dfce1d9e9af75a1b17afe4f822fbe7418f83103ada517a463e1cf77b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a5f8c8b3549a92a84426a0ec11dee856

SHA1
48b8f4c4fa0b88ae56f4d95256498e3e189a5cbf

SHA256
e56a989a9982009c9b02d780dba2cef938a4c53661785830c42cc273a51d5855

SHA512
8af21ff74aded19e27929747b68e678579d08dec369dc1aea1f38d7c2c5770bc2b65ebf77db00a2c4b525c89f04340d6c63c5fa1fd9140f7ab5e4148153f18d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d1a8f46877f03d2b94e8329c54cc272f

SHA1
e965704afa566355dbd2a3099c762630de05d7c8

SHA256
9b0315785b17d1f17fcc6caf83f115e810bba4669132f902f0fbd0682100de95

SHA512
f10f51a68a45d390867434056a65390d26b0e7b80a91735b68a56251c2f8fc09545eb1c228e7967acbdf93170564a25307f74db855c12b29cd388201e41daee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
751aed7b5c2971f2ca02d97585d19db4

SHA1
b21c79f2408c3c89b6ce563da5631a1bfbc0e945

SHA256
8e8900ad39175ffb8ad22c117e6220d0cc9535d0083b7be1dc084d5b57b17262

SHA512
937645f6509b4ab22cf4e3f46fe5e0b4f9d038242a61d4b162f09ed2dee41d505b80cf0434e35231c28b860344d19ae830109e82b26f0bde1f4cd28403472fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
434b0637a4507dbdb5c60e740ce5de06

SHA1
fb393a7eb8d5abe9d7f7b42796df98374bf62ec9

SHA256
1cdc362c2efbbaa9e118e2bbce820df7ed1df16a563a7e3beeeae00f8d4200c3

SHA512
d72086bbbe4ca8ab764822ceed383fcc7f5822bab149bdbcdeaf91ffc9cbb73168565337c631886b6dcd04a51996e167f866e0e03ffaeefdcdfc25a2337d2871

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0639720cec97669611c03265bb15ea4a

SHA1
7188bdf8a3f370120832b92e12f2bccaed92288b

SHA256
3242273887f19af57336b29ad89d6f98e93cf37740f703e72e6bad4a0b0c2752

SHA512
b11c9f8c92959a778b35e733c29a9ac03b2b025953ee058d7d1eaa5a267a00e55fd29416e96c23e7932696fadf343db17d8f74258aa7d39cb7bcf51773fea91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e8b2cdef64722a1e3205a285d6bb918c

SHA1
9777f968912156d079a6b2252c4e1df59e49b398

SHA256
6f5a74ab46904faa3ccc9c5f310d2cad6534a17e63c5f33e13d4e6d7fc76d3c9

SHA512
3339fba9f6e4e9a0e7213fa06f267bc96f6399be1e420bda2b80860462c6799a8592b095468c570e5882cb5189066ffb76ddf831dd61955d53d074bf075e97bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c3169464335f589c8199a416fb094b28

SHA1
016663e7a7cc4efe667dfc71d9befcc1ff676101

SHA256
edc4a09f47190400aebe22fe0aee7af94457f5e78a60a10b6e1e8b28bbb1d7a8

SHA512
d1e0d9fb603db0fcb55d003c7773ed2ea2bb0af7d963687fa1f2ae138795260776c3f678b1b5dca86517296d2939e70f1bffa2688558af9b8dababe82af35960

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
48b05fca2fb6985c7cd1420f95bfaa4f

SHA1
516d79c431477e208abaff8fbc7b0c00c9b6553a

SHA256
40cbeb98a1c0c65c0c723244a19c361d92564ab62d1b95eaf545edcb4238f1be

SHA512
4141d946a53fa399fe3b0b0ede9b02025b24768fc5fc77705813b6604652b86b01640693b5ea75a18c34c37ad3ea5ea60a2c328917b752215e189f257fa5bda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
df911ac4f0261bfcbfad025b5134433e

SHA1
7176f3c79ce287bf75f5a419529e41ad3e610cdb

SHA256
579c61755d1606b3c849fd2bacec7bf971b11d8a42a79bfb4d799130c3cc8f6d

SHA512
da968645e7ab1c007a8cbfd37cb45127a9e92b8a886715ed80f49c0a444560507355002146ab5436c80989b509791efc6522761da6d79e704bb6fac1526528c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
445fbc443e178bd70145961fee4bc24c

SHA1
fabd208422544c6efd249524831f32c9b37353f0

SHA256
0a7ddbdd4700918d5afd0cb08a7bba90744ea1a352c4a5ca275064fdfe6d307b

SHA512
13e4ff43f7b6ee07fc7e8c66e684f6618b8c761a86479a46ee36f26bdca3b46f41a8b2ac9593a4e42e617d15c07fb8d279cd4d891e8b6814a8ce1507700754dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e52710a04f75bf7cfb72253c78ff9c88

SHA1
0cc31c55091f3ed30dd87b598ecd1052d69c6d66

SHA256
2a44a53b1f2e08d72de82c6b4df1207791a2fd7888bedea4ce3681b3848936d8

SHA512
fef4175b0adf0139fbb3b7619857034aa5bd8d0700bab6041165c7ca71dcfee5019a10f699369bd03c88816ec81d8dce4082105e0b177cbbeeac19a8b58e302a

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
\??\c:\directory\CyberGate\system 32.exe

Filesize
417KB

MD5
53cece3849727f63f8cb55504f78a7ad

SHA1
7f2e9dbf706a82b01cf717d55c452ef5280e604b

SHA256
1fa58e46d6f6eb8b3f020f9715d1f909695b1ebb3625cd1deeb8d34026a7c923

SHA512
9dc2cb45df1a4d31728a42e1a06da71bf45257e5d3d187936a808728ae9512fbc67f88a9da26f650554b3ba0232ea97b9450f50f7ab1ef389223c89a2012d7d9

Download Submit
memory/1888-148-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1888-172-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2428-78-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2428-171-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2428-17-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2428-16-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2520-0-0x0000000074A52000-0x0000000074A53000-memory.dmp

Filesize
4KB

Download
memory/2520-8-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2520-1-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2520-2-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/4324-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4324-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4324-11-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4324-147-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4324-32-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4324-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4324-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4324-15-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download