cybergate | 49404dfcb053e96b856980e8adeecd3a9ee763cd52d69de9cf2eea137cf1daea

Analysis

max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Size

296KB
MD5

643d591378aaa1a955d0e6d4498349fe
SHA1

d819f1434199b5b05fbc261575c8f90db58fd615
SHA256

49404dfcb053e96b856980e8adeecd3a9ee763cd52d69de9cf2eea137cf1daea
SHA512

7d6b4d03da3118f79fd1ce50e0db32049c9e8a17dd2efba52a74be239f73f97f73b34ae1b08711492ed896b74e47cbd0b97412773a50532f0e7859ebcbccc1e0
SSDEEP

6144:POpslFlq6hdBCkWYxuukP1pjSKSNVkq/MVJbJ:Pwsl5TBd47GLRMTbJ

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

hackthisshit.no-ip.biz:100

Mutex

NY0K2N3E40KI2R

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0H0428E4-L020-F3G6-Y35I-Y66BEO03L0OP}	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0H0428E4-L020-F3G6-Y35I-Y66BEO03L0OP}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe

Executes dropped EXE 2 IoCs

pid	Process
4804	server.exe
2376	server.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/896-3-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/896-6-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/896-63-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/5072-68-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/5072-94-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3112	4804	WerFault.exe	92
3688	2376	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5072	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	5072	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Token: SeRestorePrivilege	5072	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Token: SeDebugPrivilege	5072	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
Token: SeDebugPrivilege	5072	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89
PID 896 wrote to memory of 556	896	JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:896
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:556
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_643d591378aaa1a955d0e6d4498349fe.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- - C:\directory\CyberGate\install\server.exe
    "C:\directory\CyberGate\install\server.exe"
    3⤵
    - Executes dropped EXE
    PID:2376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 548
      4⤵
      Program crash
      PID:3688
- C:\directory\CyberGate\install\server.exe
  "C:\directory\CyberGate\install\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 580
    3⤵
    - Program crash
    PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2376 -ip 2376
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4804 -ip 4804
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
d8dc15e495817e8dfbb4dfdd921ffa49

SHA1
1ed0194ba3626c2b5a07cfc2ef7cc74724d8f342

SHA256
5eb80103b7543b8fda8115c36cda103d00aa5db339c5588262b304ebfed8804c

SHA512
afe32446039d4835989f2e75a5e29cce9187faaea61620aa4a999e8697fa3e9d3d8d82ca696e751ff7e547588bdae25d2742d8db5d3e8c8b615721cffbcad638

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
01ed74da74d8c3b6a8672618b8c25022

SHA1
99b791f71938ad9112b9064846ab0347984d67db

SHA256
8688dfb170bc80a038d92bab376b5f33b08e78c2358224d2ef8865d2c833ca4f

SHA512
eb1568f3bb516e07000f6202264d6f234c480b2fab4c9a8bd2d690af69c3b5ae95e50ae05d9b38e1c7ad192a4e81efafc97a28e3febfcd7a5b945e4887d964be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d42ea205afc265035a75211a58ebc0b4

SHA1
d690c1a51088e86e95e70b4c06c4b23bfc586873

SHA256
2484e71fb8e8c77689f3a11d5ddd8d58c383379ea9c0c0af293daaa5a43157f3

SHA512
6e1ce7abc9bca8876cffaef5fc2db52a731c1459ae2fdc00d908033e40e10955fd7c6c1cd8984ba310969429264097238ecee3ac9a1aa51ddffb2563cb36a8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e7bf557f78d41d86750dd21c2ac3b194

SHA1
da3276e8c473e981cce3447d4b6f0f225eb73b74

SHA256
602c3be6b0b616f731ffc5bc6c744ae3ea5816ceb94e76c94b08c0c5166001f3

SHA512
f5222e93feadbbf480ff368cbe58b5d15a5ef193cfdd0d731d816046b53c57823d780042ad39044845f14a7d27b891fd7f9fed60a2c85ad1902674fcf8a3fd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
26221ca6b79b1f1005dfe20c7dd554a4

SHA1
87ee35a8bd2fcba59715e8f390412bb4d225c2fa

SHA256
20f7127d6b024b0116e795878858dbd093734af1ad86162f9e1c66ad0021cff7

SHA512
a041c1ca7b4c6a416d0a7c6a8ce35762adb004a77e4cbf2948686b3600bed9f73f802f08325203b9a6fb5572d2478c6494670cea67e599c601bb4edae0b9308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
652caf0759db87525947084b58163e6b

SHA1
084f37e6c72fcaddd60db096e2e25c5f445ca4d7

SHA256
74aa61abbda5f2c440a2d7e61ce9ad321c632dd5f35294357c757537377ca683

SHA512
e616748ddc49b0d39fa7aced8ede9dda3982a142fe90d666f2fe91298d187d235ae7a83e9d240d183a8c6740f8dd0d443415c58e914e801c618d457bb25e7e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
283e342c938db18414db446fc3150bb6

SHA1
505481d5683af6b862330a777ceb07b203f13696

SHA256
5cda7d41f57187bc99de8215641f9f32729a296d8b648e5eb3e9fcc96a24024a

SHA512
f286d98c857941f1c47d94318077416db3a53fbffefac81b52c9e20aaf48687cfacda7dd938ba241e69ec507b0d99d43b1e51528154430b0076a4bc5374367ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f2639f34f68f8ad469ad43f3dc27345f

SHA1
ea206468febd5b7adca9d046336edf4d84781374

SHA256
f303ccb1b8fce133cd28e2d12ecc1b2b68ee659ee02ccdc0c45bbf24096363e6

SHA512
05e252c0e1e596860b7deb81f4e916bf5e8061c21d47769263e9960a9436adf358ccfba97ea2db7c354612600b54d1189151cd8eef49d718bd6c774ec9163278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8157c8834a22cbdcb5ec28a468281545

SHA1
39d2b8fdc1ee83943a0b9b14736b68b1bf274429

SHA256
e63e82c82988762ba7c987f4252c136a9285f79087bfa8392513dc6d2a7aaec0

SHA512
9d10099406f220d04b2498175356147b4df2a810d1037d15bd338f7d5376f04998d480187f6061aa49dc8b8b5b4599a2afe8b9da655ab3de1739535ea24943ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dc081f49021e0d2d0ea49f26a6eda78c

SHA1
af863bbbca5ff9193f73de99fcbc88f5082b41d7

SHA256
02c273ba44927d7ad4e20e0cba342b519899e0875139b140d387accf3bc2053a

SHA512
e74cd50dedee5e3c897df1d898ee755a65a8a6b3219e1f347270667a386819a661f5ffd5a3f9164f1231ebbc861870a5a0e7a0b3aba454fa7dd9244204f4d5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
126621e9b26c21c77a11e2bbea272100

SHA1
310545de552b7cd4d86c69dd8e3ed0d615880d45

SHA256
14a5f0fe5b8d30a4f8a108d46deb00dd178ab4724af9a33a93a968a1dff280bb

SHA512
25eb4c71f32c26d73e4bfcd44648667eeb5cf6315a4a2725a8c9617043188ec87ea450d61dcecab4d9293a6465b287f278b1a0f440a9676844bf0a50d65af22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
42a2ea11070644671c6ff0e7575ee8cf

SHA1
fe0b241e3f8ae16fa1199d7a9f45f632931e8081

SHA256
f9491f1fb4e815665ac490a32801803fb51c511bb3de87de3a2ebc5896d659d0

SHA512
0043e8ee347f4d3e6109ae20a3713a9ab36dcdad34ec8485cd3f0124b6670792bbe30c0fc9f4cbea94d6bff3a79e2ef872599b6cddcb54a4d6bbc4c6401675a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f90c7e00db7d7643d6b1f0253caaf6f0

SHA1
011d6a62a1a67782d26760aecfa626cce311d9b3

SHA256
01e709ac60eefc655252392c7e608cb7fa90cd30cc7d28772bb63710ed96ae78

SHA512
ef46f9a79ee70d01e157a7a4a6bda324db245d0f90afbefa278eb177a770dad128c1dd7bbcf9d8a5b75dc3fa8cc954f2334ae490ac8756208562ebd07190dc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f14dbb875d646d58b298805923715609

SHA1
cada39316173016b2b7c87e75030b4f138deb89c

SHA256
acb5de5835bd88024cfd30209ff4f2efaf8287a799f0899aaab93f813735286a

SHA512
83e440b2d53130e8ee32cfaa3ebd2a07a739bf1c2d40c095eddb90f2e8202a9c6bb9772f91e4580c9166b3fe9ec5a578eeee5c94e72bf576f9157e4efdb7c989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
04473c537d447bd9fb2f522a6d9f2992

SHA1
93166867f64260f5cc69c172ac99d3ce994ae26a

SHA256
afa5d84bc32d97fab39b30a1e5465aa08bd7229334662ecde5378168fdd59586

SHA512
9c66a447e00827cc4d20260599629975f70695911af2d40afd33ba23840ad0a61ab5bdaa5174e2d739185afbd78aa571e852f6f3d91a43ddc507a554f6ba9957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8459f214fbfc483b1aa1d2d559a20477

SHA1
9c6729e013997b9c864c7aacbfa3c6ada304dd7d

SHA256
ab48e1f3167f9ad42e3e2cfc7a93b7097cbbf8992602d2f5cb6e3269b318dbc7

SHA512
961a18cd824790c647ac2af9c1004b64fe5d98fe0782ebe13f928cd658cc9b0c30608462426792019cec18cacec1fe6222f073cae9b2ebcf0bd462c2732cea90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b193c99895753bddef794b9388a5d8e5

SHA1
40950a87767b05ffb7d8b190baeb35c423e22351

SHA256
7070f6e1f9dbdc0568f345c1ca1442f74485294a7a6166c7fa8d541d407344d0

SHA512
d58e6db3099542e6c3d55deb0a126008c46ac689a3969602027989c194a8d5976b6961cb4d546d74ad86101c2013db17691283ad6513a8c1677e264038ba4056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
395dd0967e4113ec3f074ab58be7c125

SHA1
5cca389b07fbf69dccc201749213fb621348ee08

SHA256
dd7ed53c6c7f9005c2a534dee04657d795bc9b3ac79448b568643bd19c37df8e

SHA512
816e2dd0cc7bcf35c1932b3e05f1b1fab3107b8d7cf912611fd69e23371394bb15b721165f1b4356371a8fdb6b464371ae67ddf7c3821d43b21341bb886a407c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a7b014fc6b9487ea9286b2eeb567d8e2

SHA1
fd6ddcefdc2b3b3c874eb39acefe6fec8b576b32

SHA256
613d0d69477251daf370f0d362425905fbeaf9ac534dc927e4f3d1cc3bea5474

SHA512
cf427bc8b9d17444f841c3e3b818cd6f179b663df7d47109137ff8d49a3a25132ada0113c8d71cee1f12e7f2e54c867b1e6e4e0c4f25836b6cfd479fc6bc1cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9c897248d522f5ff1d818248e2307114

SHA1
68efcaba463935b1e2549d76ff8c9b9bf009e417

SHA256
f8cc6e33c1b88f7c5118270f66d456b7dd3dd1b71a1356b7b2feb9c6284db531

SHA512
1e3ac58f482f9d96331b0f311d03d1cf9f6872cb81c739e849da41d091d41d8d0dce0c1ab06ef5b5ad4f77ff1ef0b2305c7e67e6e304374bdcc0090b5428f624

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
edc0b25f9a73b405b8c66cf389a2291d

SHA1
f032132f10556a1ce7ee573048585fe11477b0e0

SHA256
cd3110eddd0f51092223be0f5cda5eceaa1413ecf307afad5b668a8ea8ad4796

SHA512
72005fb060969bba24d76629781c0ad5b80e65eabda1687e43fee0e7121c986f5dfe2dfd7cf66b4f2a4ddba4a9c3d5e7c9c81a33fd9cbaa47e779c1e3b18fa8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
323bfdbe72484fe6abe08234fa34dc43

SHA1
7d57d3d6be62418d6cf493016a548f840742b909

SHA256
df2a255dece8cd88c8dce6fe450ac729d30b35a5f473f657f2649ce81da99720

SHA512
ed89dd7dc2fde31c9a042398e86fd3e0b2430f0cc80d86fe954a8ef2e8e2c57eebae4fe8ace856d5f1121d43f1d219616ae4e0735314c24b57ef22c9b8e2635b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5e30cf252803748daa89de18fbd70288

SHA1
0b1abf65e13d421722a886e705df4dc62a4098cf

SHA256
fd8e70c63f93b537c6c44074994f6466e5908624bfd68143a004ea6a9871f85f

SHA512
df34af8b82a35ba84547a80dc3443e553062a4ee890ba732b909f16df2b8c4f7ce0be3c292d75f34166da35a4836c5d5241f62540a9cb6a993aeb940ab896d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ac7845b5366b5f96d0758888872a607a

SHA1
9ce7b7ab7629d8ab5925cc62b40bc82b55fb0a46

SHA256
60637e9e1e1fabb8d0f5c4b82050fd9075018c9a6d7a85e3c0950d741d7fe240

SHA512
8e3cb24ca1c2648330195d06bd7d4a84c48dc15cc460045337d390081885c1ad3892265999978986b1b20b3cd1b6191f02ca10b03cb096251f56d43a3de169f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d4fcc2b694f437714f53cc59e13c246

SHA1
eb34f1f40de4d812b5393932ecf3896d23db5d2e

SHA256
18ab78817e511dae92eae8b58e507f763d6af15e6dfa259f2369052960921936

SHA512
4ba9b4fa8b29d8ce10de2ca51eb0081086b0a472708c8c427a9e93fbacc623e4b82f195487ab1954a42e536569c6bb1981f247b41ee8e8381607368064eb50cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
809ca4e1ba12e927b0e999b14e0e1369

SHA1
d43416e943c157d8899a558370395f1f45dc147d

SHA256
bd393ddcade314db4f2e0b123a2a4afab0a505ec422b942071ee0a393235434e

SHA512
1c3c7016249ae81c495416900e47afdbc2dde4590db9d775302a546d5dd7df3fc374174efa63ac2d02a0e86844dc6e9580f90e1070b7fe1d70dc2d2c8af7992e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
143599a2e747d1e41801c25f887c4f52

SHA1
e2250944c2a0d471dd406aa33dc030c429bac570

SHA256
0c80bf47fd3083f904a0a25d41706240da38b0e26b66ce055d4e5fa5e698c895

SHA512
8a56fcfc1881a11952b5fd12edb640d854a036b60fb5ba467e56adbcd2e0fab569cbfc150db47979d64d55842c06514867eb920c0ecd2a4556aa503975ae2f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
18677498ef6d637d6d8ab2266e2b7ec4

SHA1
065e2015e29f38012fc4d956861774396d75480b

SHA256
ff8414a904d76cb27b738ecff9de65d767afacd1f991765eb50c76939f011055

SHA512
fd99b2e799857a808cefc8276cc45059c8548d282b3960e1d164d271451d9ee78258d05a48bda4b7d50fc525db67fda761d7a93ac6b954b046c0c1dcf2f0e672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d8b5230624f652fd915c91b79bfae082

SHA1
c64c5e55a77da4aabfa61d4f0bf88e0cfcac53ea

SHA256
16a5a23d3df302c3a90b841b94eeeb669e223ee077dfef7f39fb6369d6d6a85b

SHA512
184e7ea026712dfdcb83e2fb851bd0bf9d31b68bb68d39431706a91800b0445d5be0d07f575dfeb2172c11d81536302f89720b716b5a927eabd62e00b2c491ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
000dd928230fcaf984e781cb65868cb8

SHA1
a3bc8b55ceee456500c29081ba899cca19ca138b

SHA256
b545bc7c02cd3dbaed1e8905cf01ce430de26c5be19b366d98fe50e06d7cb74b

SHA512
07cfdee7efc72d2d194d0c66bb8e76e101b89aae15ca13380dbde2d78cf66b66ec2bfbad4de26959e6815194ffc0815a503ce57858c8921cd52e8cd6bc968067

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d7f96a98be96c13e9b720244ce44c36a

SHA1
7fd5d4030b16ed4096534682c53a0a44157c928d

SHA256
6e60d2bb64887b1a131240e4334223e13afaea2b52640951e739779ffb610b11

SHA512
8543e5b4ff7be0f52a42ea5a92e0b48bf027cadf306bccd216f727c31166134d4014a89c2da278a42a4904fe6add5cb498dbaf656bf5dcfe8a35fa21a431666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
de0861e445871c5a65a9deda27c32558

SHA1
7b96a6b59942e80aa1d0ca437b9d7e1654b4b0ad

SHA256
ec429460bcb9ec849caf1953a4bc387f712e33979554890e9e321e4451169974

SHA512
e4642e521a20ec0eea88c13c2afdf6762ee8719e0f1895d2b566042fb8081ea17f43ff61c571d9e7a532a81405cfbb18cf76165540fdfb17cf0f27ff2cec9f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b7e545d4a450f2915c364f8d8455cf05

SHA1
633a0c4e2066b8b170015bec43b8fce3bdde0580

SHA256
1836ab31c6ebffe696bd47760820851dceb8d939df6a8cb8315b8136b86c6997

SHA512
eba49d17b3d8abfd283c13b0ce8c0b1e06708f1bca9d686892a1623a048b8f2bd57e303cbf14b161aefb47370d7eb65bc0f21f45763c05372ee41e8c50110a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3aa607712c8cde0510cb9f87e11a7369

SHA1
c15df791d7fe59d665fa338b8b1359661cd8c1dc

SHA256
72ac178b155db28ffd2702a58c256fb8ec54c1c8caab610d6c6cd423ff6ddad7

SHA512
cb7bc59a9cd1fba4b3a8845db6d36c99c6adcb1d440f6cc86ffe283feda65b3a43f9ba312786cf6898b824cbb8fe667ce18f613a0183ed33a585635c6e08bc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c3753457fef96fbc1efcac9abbe65599

SHA1
9cbdf8eab0db0c3c83a050c2ecceb380b8383356

SHA256
b0a0a2f6294822fcf26d41ca6bd1a20f06698f29acb0ca6c63acc9453679599c

SHA512
ba94bf0bcc356e811eba4e87283e44e359fc861158add3c1ec16d7a7dccaa0c324220c8e377aee7c7bd284ec9cdc4f9d26159a7c0246b24e269be8e1e66230dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fbd5695bacbf9be700b031b097e824f5

SHA1
ef919176160c14f4ebdd07c834b676373b646931

SHA256
e6cb4e02e6c69ca76beed165f4af35cac8f411b63ea335ac705c8fec91cef021

SHA512
bd17a8482f9d1276ee4b529e400493382cc2df8d35be2d9a23071a54f3ba086d760a961281bcde00517038523afdab9e55674932091d751d391e2a942b81794f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2b607bc87acf1f9b558f9dd658ced8a4

SHA1
1341e5b31379a319a2d83bfd832346d6a58f9187

SHA256
e6b489f0a24d753d48ba288cce5708cd45f3e0cbf864fe7c9c2612d139a99754

SHA512
168606a994871145c569582652c1e53b04a6b832fd3fc48e0d3ea483098af9cc222bde474ac27ad772ca1af3229422f080f2f15b2fdec6c46a0889b5895e5cf4

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\directory\CyberGate\install\server.exe

Filesize
296KB

MD5
643d591378aaa1a955d0e6d4498349fe

SHA1
d819f1434199b5b05fbc261575c8f90db58fd615

SHA256
49404dfcb053e96b856980e8adeecd3a9ee763cd52d69de9cf2eea137cf1daea

SHA512
7d6b4d03da3118f79fd1ce50e0db32049c9e8a17dd2efba52a74be239f73f97f73b34ae1b08711492ed896b74e47cbd0b97412773a50532f0e7859ebcbccc1e0

Download Submit
memory/896-6-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/896-3-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/896-63-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5072-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5072-66-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/5072-8-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/5072-94-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5072-68-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download