cybergate | 144bdad475890d3da413d86b2a940148435c00ba5024a065eea7eaeedf09e92f

Analysis

max time kernel
148s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Size

350KB
MD5

a66fef7ec0e63e97d2467e54008ad19c
SHA1

d06708e3897c69553dba5d11345ce0c321881428
SHA256

144bdad475890d3da413d86b2a940148435c00ba5024a065eea7eaeedf09e92f
SHA512

faa5bcd2e72ce552cfefa90f0f4184d3a100ec28dd7d7ef9ed52dee1f9f50c643a94ecb8d97f0cbd71fe479eb93f078c777887a491a7cc05b294418c957febf1
SSDEEP

6144:KqCQqnf6+HIOgEccLbU7eyIDdIzGy3mvT7FPZHESYqP71dsp4GumLj:KjV4sbke3D6qlvXFPNESY/pz

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

127.0.0.1:100

Mutex

U1CE68474S45AH

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7J4N27RP-U06P-4474-XF50-78IA4S1M73SM}	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7J4N27RP-U06P-4474-XF50-78IA4S1M73SM}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe

Executes dropped EXE 2 IoCs

pid	Process
2632	server.exe
3124	server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4156 set thread context of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 2632 set thread context of 3124	2632	server.exe	88

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1372-14-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1372-11-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/1372-10-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2748-76-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2748-106-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3448	3124	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Token: SeBackupPrivilege	2748	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Token: SeRestorePrivilege	2748	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Token: SeDebugPrivilege	2748	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Token: SeDebugPrivilege	2748	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
Token: SeDebugPrivilege	2632	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 1076	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	82
PID 4156 wrote to memory of 1076	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	82
PID 4156 wrote to memory of 1076	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	82
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 4156 wrote to memory of 1372	4156	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	83
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84
PID 1372 wrote to memory of 3236	1372	JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
  JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
  2⤵
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
  JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3236
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a66fef7ec0e63e97d2467e54008ad19c.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
  - - C:\directory\CyberGate\install\server.exe
      "C:\directory\CyberGate\install\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2632
    - - C:\directory\CyberGate\install\server.exe
        
        server.exe
        5⤵
        
        PID:4140
    - - C:\directory\CyberGate\install\server.exe
        
        server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 548
        6⤵
        Program crash
        
        PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
c54bdd28c45802c2cbd1a90c8dd8b48a

SHA1
8443d90ad8736ce6b17c6decafa040da486593ed

SHA256
946e46b5c0e55cec57f3a187f1b65ac94a93ba09962b6e8d4da055eef76d1a66

SHA512
13736bf7a6f69caf992d9ee94e8f95f9d82877dd521c96b4d80d3a299c1c37bad572b0502972d09d0f1ba77526e67a40f35c7431eddf59f1afeadd43f4392444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
36f20dd4c4227617494530db2ec17c95

SHA1
b17ab373e97f35ac295ee645575d49acd3ba496a

SHA256
30bf1c02934eaf94f33660b5fb798b6872644ab329ac1cb3473d639da7ca1ad4

SHA512
927cb0edc83a08aa9332c2d98a0c649a6ac09d17ff6f85433b209454c40215b526c2cfbdd9d20d0152f15b0ca0d761143bb7497b40955643f4e4e98a82659470

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
29c257e5335c6ae34be86ee47bc7e272

SHA1
73241443a06348adae42ff4e0bf50c52623094b2

SHA256
8adb9d9f67481b3406f8eba0e33a263f57cdea9d4811ae2a10a783e158d3ba89

SHA512
ffb67d88159b080537a7d789aefcae85966554b095a78f8a844631747e65f0d6af7dc1720a7acf9c31eb0c9fabdf69749cde9c00677d3c896f129ae37901ec76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a1ad43fc3ae4ff6ce85b1f4c88c1bc0b

SHA1
78c0dde55871531f537a933e0e3ae939a882ad95

SHA256
117605549e4bf15f61f8b307c7facf44258d99294226cbe521de624be54fa02a

SHA512
2ad3cf4528f173ca58b8bd314e8a0ecb9575f37ab3f3d218d91a67ffd57adc32b742ae40ce739fd74ef29cf387287db0047a2227d4af8a925142fd03956664b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6913e7c940ecc2cb580e1845017fdf3d

SHA1
b17a8e9dec4871354fe857a9bd7be49c4609516e

SHA256
a22b58351cf299799fe536316d45676f08ae65fb9a0050cd566cc8eb0fe7100e

SHA512
6c16883b328dce1fa80cc407a87e89c28a4361e7c1366ff97e2895c7ffcb903fe557e6fdb45a18df91512be3a8a842de3aed3275beecf65a81f476e2875085b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
472110dd87182394e5952c9a26589680

SHA1
2bf99748c46cbeea1343b0c34107b4e352993bfa

SHA256
7d3a247f1c5df8c70ba02788fd989a1e0e033d462d10e7d3aaf5d71122a2941e

SHA512
8b6fd23e0025ec31db8f0babe1c207193f52cb644c43a1031fa04bf6fda974051e610640870d2eafce3f7af3f6bf2d97314e9f83fd2b2dc326d005d9db002595

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
df9cc82775661de8fdf1d73a2775d4dc

SHA1
6510f2934c4f8631c592cc33911f664bfe3388c7

SHA256
1e01c1730ffb2add52c4bebf01b5afcc759c4d1da16a8ae9ecf7a86043fbf99c

SHA512
a84b82d880de6c5a840abef6957a5afbc21d8adca204faef0c99a9a3b70f6fc4ac9695583b31cc784b984f1cb37e0d444a81d81c0c576857172c4a6dc2ec7473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0c8480efbc3298391782e9d4fa140914

SHA1
583e8521456d3ce8814e08cce1a0f0c245de55b6

SHA256
c945d918947aad18444f0fc6dee636dda4fab9313aeb96d2ce14b374407273d0

SHA512
b9aec05998383a5fcb694a7f5699a8a4589b82ba75d1b90863013ff80cf1ffb333fe6ebd1ec8adf1cf913d99f3407b896f0dd51457bc85c8414cd2a9586215a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1770d6be60d6fefcbdace026b171e850

SHA1
0f740fce236bb02ffebe6cf863c85e19ad42c35d

SHA256
c0861d4a6472fdf83f4151b34f178c2139e4d69a6bd6a147c08325ee0de01767

SHA512
7e451b9f99d2fb8db14e3ee883334790167a0de110c9a9aa0ab1223d02b04fb4abae7f6dbbb6035ab4c23e23e6f6ae04fe4490fd2b91d7c5569bc7c62c7e5938

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d4c0c8aa213d60d0b2a26e64c3bab054

SHA1
c6b20382a962991fe7b3382a497c77b6fb09da40

SHA256
be006111a319aa9295b78525b94040059d96811a182cfd3f44edb509f2ae361d

SHA512
5e21c8be06f5545e12c36c66058eb07ee40a1793d27ac1901ccf5a0370fe92bffa85b8a51502aec2f3dfaa283dca2e72b8194076ca9a5af0b458ac6ae85ee76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
afd0a4b94e7636990cff2e3624c81524

SHA1
9c23440cb39558c143fc2ff19f9934e30bb71bbd

SHA256
43128ca581eb3f161d37d9f25007a3132dd6d523fadd972135f0ade61c9e3db2

SHA512
68a316b7549f0ddd7a868ea7fd603eb5da8316171989371d60f1466fc9431cf66f17d2be9d593d9d13e7884def40ed6ff784fcc7d5cb984882d5ad9b05788224

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e5b699c81cd4a833eac3e6c5f4cbe2cd

SHA1
9f5aa2a719fbdb05f8449ff8a06b2273b245b858

SHA256
4251e497653a47bf49f5ced043da18206569a525127ef0046001c78c6b462666

SHA512
d3f4e6e537d3f0df297e76c194498965fd681ed7ff63319c9c2aa1b74b89b79d8b1ad7fdbb3eb337080db6ba29e72f04119bc924a52b3d83806b30a8d03f51db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5337c326f615995069239dcd95dc5fed

SHA1
e57c938a133b6ee88c760a785772da61ca720d8b

SHA256
c7e25529d60b6f0dbd927414b8bf234db7c41092683a66cad484452b44c5cf1d

SHA512
bdf54dabf6d2464c6460778382a948d4aa1265ecbd275a14155afe4ee22e0949fecd0d21fea57e9efb3740059dc620bd64153b98f12b79242456dad4e8f31a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4391f4cbb32b5f7f78118c077dd41143

SHA1
753b1e8c4269aecc9622a3915e6693819b6ebe3b

SHA256
77d4c0ef34ab8d5e85b8bcf729d4aca6fb927a21e935627fbc69f55f844fb38b

SHA512
29b25f995b4ad02c401a7fecccdbee6b3813b543d7bc0c7b7a4ed827d86d9a7aaf6b74f988fc15621926c16bb1e45cf9be3a23051c4f047c75f11e279266c3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3c7478707db4000de80e8aa896f5b654

SHA1
45e5d0f9cf0870ca9b94d33e8f3109ed7cc6e344

SHA256
24b3028299f537e5e4b5d3ae78cf0b70a796820373fee2f008ece46e7ff1fddc

SHA512
a3af8c178bdbcf83b8d956ac5a04ae2c483295a15bde41d98bb06e763a4cf8c21ea68cab23466f586c59a2c9639c359cbf6c41cf240b6f2f40214dbc03afdcc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
681854ec1ca43de1686347c03a9e6a4c

SHA1
5e78b37b22d58f91669bfb6800d4bda96bcd8c52

SHA256
fe7204d7c7ccff198b5b11c79f7106d5a2eac65d1a71116c7cd2ccce76656a23

SHA512
1586c1fd47cfab72401b24e72ded1335a47764ba1a52ad0bd2f96bed4d8c3a206d97088bd0c05031b177a08edfb66c6d60e25d4101954d64557b4667ec40a4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ee975d507cc1ca2b42a6ea4308364fa9

SHA1
38b364a9637c605f705841a38898b3e643141093

SHA256
bf452112efaa1e6bca6854d02063ecdd8a08c1fa0e46afe4da613795581e2799

SHA512
a3e243bb1d29136b881e1f79a23818bb99c4cfaf54c443e776562836568427843f8316c7afbfd22c8be1aca8c7b5553560b63ee033ea9d57c85a80d1279f4bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aac85b14bb0c088ff032d1bd52332d21

SHA1
309b30c7cf84d5e998cc627fe2572b6af207b2fa

SHA256
3a66df2537471cff99b352799ca56ffde6b247dfb7399ee441b84d0471daa23f

SHA512
2dde07aa3e09366e7efe5ebb06974e2afde55080bbc6f3f31d18f5536069b3ce78a4f350f1abd1a0d202fd9cd909caa0adb43d95e8b1e894335b6f5f3edd77ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6dd6241b832af860279ebc1d4bcc2d6e

SHA1
dc8585e50a3c550077f00c0f07a05ce13a536b27

SHA256
d679f67e7c0b79f8950ceca7f6065ce835e507aa0b516810888c949b3f1bd0cd

SHA512
c1301db158b01e1c4bebbace86fd284abe80a2ac70cc46e8f31819f6390444d32ccb886521acc4fe73ba753a8607f3d6a1fc5156e19bd25167c11c093aa65021

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2d1dc862fbeba5bb85672bc460cf84cb

SHA1
572748a54bbea9e7be6014b8c712a2a1047a1702

SHA256
ed190bf0c4b0befebfe48b46c24a52f06079e6a693f07a1e92d23036b750ba75

SHA512
bfb2f477d120d37be745ed1a880a5a98773142e0515282a8ff7e4c38ebd6153dd869917e4c66566a15f3366736aeb27d180643877313f3cc976893acc7d19b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d606c74bd9fdb1ab8f4dbe2847bc2826

SHA1
8e6eb219e70ed3671caf758e6c16f9f07c15fbbd

SHA256
44e8d9161e25d74c59193cc4e1503fb16186284022aa34d84e31bea5d738df41

SHA512
617e917a52bd6bfb5eb9d236104ce50bddf6031c6eb8cad5ee9acca05ef8c5e8c5d000781ad821d0a611326f9270d7c562b5ea6ff14966d43ad7c3ca215fd6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
954579288690dafa529a8b0ca260d41c

SHA1
f3e83e5e6b492868c2f3a5918ea2a7753040c322

SHA256
b836a1995aa8723f4c6915407004ec8fc372f7dceffb704552b910406fd51f42

SHA512
8ffcc50a61fcf30b6d77c8fcbc7eb191ccdcabac996547468fe0fd53af3199f1507628c1606545c123f17cca20f915704acdad78c0c5f5caf83872bbca309661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f94dd3ad774604178b19a5eea2172494

SHA1
d4a242980a7a44bf959abdff09ab2ffb6394db76

SHA256
769e51e3b93e2c5ceabfa4c412adbe302d7c32260230e20e48bf0ab15fbb4fd8

SHA512
1a7ce33cfb37529b2f74c707b7452ded6ef54054db40b69dec02f20776a8144ce995cb87b5a4272d41d02b72984b1d5895d36d2be0863d23d2f74401f6e94e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3f0f0cd732674c9fb1867460184d7529

SHA1
fc949365bd152fcae3d958472ac87a3270ec9a77

SHA256
db01f77bbf491a5adf5ac120f5d1f885ad1431f98c9b6a3e25eec3eabcb8b731

SHA512
c1cc38fec54ae91af99e9bfbed2ce2066924ae5267b0f55b04c2f7ed2b3b0afc144b83647bf4ae88591da3bb97f08385997a28795ac60147d1f36f6206e40aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a302ada23b616a5fabf51bb2fb27c493

SHA1
0a1b3745c91e8d35eea03a0be1258fcf9ae3ed5f

SHA256
d921f0c4962ccece16710270ec6895c89eeb5a5fe953588f85dfec9235aaa304

SHA512
b50cd39f56f63415a581ffe2b69ad3d512db56a31b153522b618735b0d1a55af319276aeb7d4ddbba931d2b57d4cdca69b1f4015f7e0d31bb3848c3362fff3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9ab8e51001385110dfe3715b53fc989e

SHA1
0e809097227f876e665ebe7122efa04057b40b4d

SHA256
11b061e9a79d06406b1fddd1dddbb7c1aa8e27e02a8212134d980a3b359bb60c

SHA512
30b6cefd42cbe8d506628c259a28e85b199ad4bd5824bbe6ab66c0f76c54a1e03c9b8b7ff1a6333b9a3e09e626cdce316ca2e9b9e53299ccc2b69781e534c4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a77bbc4eb7b85af52e82fd0958ce7141

SHA1
1bbfaaf1795fb381e95b7ce31e65de6297d0bce0

SHA256
7fbbdbc9742f9e9df7cd24d51a2ae9cce0b5a73c01074581af245150b67796b2

SHA512
f453bca800ed6aebf13af99a1dbc7623e9ed2ace4a1b517d71f940d47a697e1baff837c49159045495d80909aa1fc222534211d1049eb9d64c5737874d5219a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ae6ba99cd669eb934cb2eddd7db9ed5c

SHA1
cbe029da6b44ec425bdc854dfc35d4c1933748b9

SHA256
669d20b590e5678918018b511c7a6f873663fe4d3bc353bc5a4180e933abb20f

SHA512
8ad78c6170efa01469528434f8b8714d076a6721ef16a415f8767db82f46c2e8182a8633c02c98894fdb21f1acb1a57699159e47485fc1805ee131193e5c0155

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
df0a5b6d1b999826d7d6c2978e428005

SHA1
6399f2876798d884a690f03ecc6346ce34c28056

SHA256
11028c7178d147ad487072888a6ef3be12a6519b0946b55a6bcf770a93625aa6

SHA512
873acea2a22b4b21a11b9004d626005c00c37e333b581773b3b3056ba672299fa3c49c8ccd5c923651bf39ab9ac5b8054c5bc98ffbedade19021a3938cfbefc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a553c7dc335f8b7dd52643640e6b0854

SHA1
5ff9dab9be964b4afbe18c30e7c6c4ab92de8847

SHA256
7ca6d4f3b7611da01e21013c1d171872e9303fb7ee57e1e9567b472baad68a4b

SHA512
e7f30e25be83440d7fb32dda4d01a876de1659a1df0ae75a52272a3243a4b3e0c1f0df8e7c61bffd8a367cc8872668acd49274109c6016d8e572a41774f239f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
87c605938b9f073187c5fc210ae20336

SHA1
8e8bceb058dace1c16caf2d146e7043dd181cab4

SHA256
12b18c5b10e9d94270107167277bc0be93e4f4a0222d0ac8e7b67eaf57d72b1d

SHA512
79a59b47448d34536f1952fdd7021aa321196c0c248ae28efb08efe059113e4cfc0c6c7a8ccc825521b94fe29ff427df7738efd620705c2e33a9a2c611943575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b1a581122805bd34100feaeb69d09e02

SHA1
512d854ea46f4e0a714ccd1fde448ae736507ca9

SHA256
671ad1369ef407f737304a6dc2a1c9d9f3fc17ee9f3034d317eeae3ba8abf456

SHA512
003d38df010b00324629969451142158263e3561bd2ad0da9ef1fa975e5b822bb6b32a02f8de0823ff19ea4198598dda5d5ab53315137b98b8e6fed15c825651

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a7611be82a93ecd3870cde01d9267f34

SHA1
66d708ab7198c4b4b4e4b6082c16cef5564eb222

SHA256
3d73918ecab29f013a35e159c02fd1961518dc8b9aab33dfaca3df6ceba3667e

SHA512
425f0f643730f1ba3139850171d5b33e3c5a5d51287272a5da2c2d2d8244a3f43dafdac4c734deea4972e9c198085ed018ddf2da923b76f97feea6b047912eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d24ffa338bee6c0dfe2815d97839189c

SHA1
235f141f942a6dbe91f0929b66d2b50f8faa8d1a

SHA256
33926b41bed1db4a6cfa894b2de58c601f2aa2afe3d7e5fcd6a7ebd7c8d44975

SHA512
a9055c3fe58162eb105675a81ec4d804fab765db5761b3337fbc124b7134c615394637c1d9987a50c01a9a4fbfe2cf72c1328ddef1b5055d3ffbd72bc2392c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
32aed68527cd1581fa85ac1ca5891632

SHA1
44cd7ae9239f389d2b2a04f614a1f3fa3be04cbc

SHA256
8cf927311bd3112febce90733a0fe0ee7101d1ec4cb957c8ea74052c75d814e2

SHA512
9df37e4c289f5eaea26a092008857abb5024802fe85d5c8a24bfffac6a4015c05c0e5add454b7a5ed66d689f13a331c91fb25a82f10e66edb47ce138a13905ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2ee850ccd64186b6f1e828a8be4144f9

SHA1
2ebd820efca85a83d8c45ed87d667f66e361fe55

SHA256
0f839782cc24d97bf6f31f3b7023be44472dbb4a1e29ee3e50fc6eaf63aa616a

SHA512
10a2d0094de7adf4ad1fa4935ce1d38410ea47d0290fa3831bfa84faa1cff9e5bf55eef503f87d40eb19f49fff99563725456ff6962975d0ff1f1490b62ea81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cc8b74b695dde9e45680c22a78bed0f5

SHA1
1ccb2bc3c9373974bc7dd4101753bcd724895ecd

SHA256
186b9f8a39c643d930d4309ffc7156bbed0ae59b9baadc00cb709abb7d3c7cb7

SHA512
4d65fb19fc8055e9a241e060f1bde2be94f4413005fa7bbdc98dbf55a4ff89b48b2f2a6fffb1d424f3d1bc493966e06497c72146287cc768ead87d62ef6b858d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
62778471030b1ce8f1c1e0de39bdfa2b

SHA1
5e0af4950bed2aba09228d17ea3a9516780b0d9b

SHA256
69dcfd2b740226ec455b767378b30e89665af12bd142b91e1f9e810375ef6baf

SHA512
b584326ad814df422c6dbf3d041e91b3d7ff4a48f27baece0469eb48de05693c54b5b0e34206996b700dafbd8c1770ee937fde50349270f41849722c788603e9

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\directory\CyberGate\install\server.exe

Filesize
350KB

MD5
a66fef7ec0e63e97d2467e54008ad19c

SHA1
d06708e3897c69553dba5d11345ce0c321881428

SHA256
144bdad475890d3da413d86b2a940148435c00ba5024a065eea7eaeedf09e92f

SHA512
faa5bcd2e72ce552cfefa90f0f4184d3a100ec28dd7d7ef9ed52dee1f9f50c643a94ecb8d97f0cbd71fe479eb93f078c777887a491a7cc05b294418c957febf1

Download Submit
memory/1372-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1372-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1372-10-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1372-11-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1372-14-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1372-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2632-105-0x0000000073380000-0x0000000073931000-memory.dmp

Filesize
5.7MB

Download
memory/2632-97-0x0000000073382000-0x0000000073383000-memory.dmp

Filesize
4KB

Download
memory/2632-99-0x0000000073380000-0x0000000073931000-memory.dmp

Filesize
5.7MB

Download
memory/2632-98-0x0000000073380000-0x0000000073931000-memory.dmp

Filesize
5.7MB

Download
memory/2748-76-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2748-15-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/2748-16-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/2748-106-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4156-7-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4156-0-0x0000000074E42000-0x0000000074E43000-memory.dmp

Filesize
4KB

Download
memory/4156-2-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download
memory/4156-1-0x0000000074E40000-0x00000000753F1000-memory.dmp

Filesize
5.7MB

Download