Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 14-10-2023 14:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4D670AC64FAE74BD0C53F58673C6D826.exe
- Resource: win7-20230831-en
General
- Target: 4D670AC64FAE74BD0C53F58673C6D826.exe
- Size: 422KB
- MD5: 4d670ac64fae74bd0c53f58673c6d826
- SHA1: 5fcfe71b322f91bc65f58892bb7024d78bb9b43b
- SHA256: 12975bce5682b4d6a0849c73a8924f074e9fc12e9807e1773e3d80656851d1d2
- SHA512: f777331088ec03e39b4370a7958c4187410741ae430582943478cf7558f2c6e8152f4799f7dd121ef79abc0ae126db69ade14ea1227617fb2e50e362cb005427
- SSDEEP: 6144:WIA2TfeZd+WnuiCrnluCuSD/Tmd6et08DOUlNre2fUOi3Mw4NwoGC0vQhvxeexNh:S2G+WufnQQ/ff8DdNC/Oi3rBvQhUCjV
Malware Config
Extracted
- Family: cybergate
- Version: 2.6
- Botnet: Victima
- C2: boxdmz.freeddns.org:81
- Mutex: ***MUTEX***

Attributes
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: COM HOST.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: gxwd
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Modifies firewall policy service (2 TTPs, 5 IoCs)
Processes: regedit.exe
(description | ioc | process)
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | regedit.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "0" | regedit.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | regedit.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | regedit.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | regedit.exe

Modifies security service (2 TTPs, 1 IoC)
Processes: regedit.exe
(description | ioc | process)
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | regedit.exe

Windows security bypass (signature name taken from the regedit.exe entry in the process tree; the report lists these IoCs without a heading)
Processes: regedit.exe
(description | ioc | process)
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | regedit.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | regedit.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | regedit.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | regedit.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | regedit.exe
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: COM.exe
(description | ioc | process)
- Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | COM.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\COM HOST.exe" | COM.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | COM.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\COM HOST.exe" | COM.exe

Disables taskbar notifications via registry modification

Disables use of System Restore points (1 TTP)

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: COM.exe
(description | ioc | process)
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{70NBI643-N58H-54IB-NF57-KHIF8DH40O3D} | COM.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70NBI643-N58H-54IB-NF57-KHIF8DH40O3D}\StubPath = "c:\\dir\\install\\install\\COM HOST.exe Restart" | COM.exe

Executes dropped EXE (3 IoCs)
Processes: 00.exe, COM.exe, server.exe
(pid | process)
- 2096 | 00.exe
- 2880 | COM.exe
- 1508 | server.exe

Loads dropped DLL (4 IoCs)
Processes: 00.exe
(pid | process)
- 2096 | 00.exe
- 2096 | 00.exe
- 2096 | 00.exe
- 2096 | 00.exe

YARA rule matches
(resource | yara_rule)
- \Users\Admin\AppData\Local\Temp\COM.exe | upx
- C:\Users\Admin\AppData\Local\Temp\COM.exe | upx
- \Users\Admin\AppData\Local\Temp\COM.exe | upx
- C:\Users\Admin\AppData\Local\Temp\COM.exe | upx
- behavioral1/memory/2880-33-0x0000000000400000-0x0000000000457000-memory.dmp | upx
- C:\Users\Admin\AppData\Local\Temp\COM.exe | upx
- behavioral1/memory/2880-296-0x0000000000400000-0x0000000000457000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: COM.exe, server.exe
(description | ioc | process)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\COM HOST.exe" | COM.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\COM HOST.exe" | COM.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\win_sp.exe" | server.exe

Drops file in Windows directory (5 IoCs)
Processes: server.exe, 4D670AC64FAE74BD0C53F58673C6D826.exe
(description | ioc | process)
- File created | C:\Windows\win_sp.exe | server.exe
- File opened for modification | C:\Windows\win_sp.exe | server.exe
- File opened for modification | C:\Windows\1-seguridad.bat | 4D670AC64FAE74BD0C53F58673C6D826.exe
- File opened for modification | C:\Windows\2-Alertas.reg | 4D670AC64FAE74BD0C53F58673C6D826.exe
- File opened for modification | C:\Windows\00.exe | 4D670AC64FAE74BD0C53F58673C6D826.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs .reg file with regedit (1 IoC)
Processes: regedit.exe
(pid | process)
- 808 | regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: COM.exe
(pid | process)
- 2880 | COM.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: server.exe
(pid | process)
- 1508 | server.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: COM.exe
(pid | process)
- 2880 | COM.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 4D670AC64FAE74BD0C53F58673C6D826.exe, server.exe
(pid | process)
- 740 | 4D670AC64FAE74BD0C53F58673C6D826.exe
- 1508 | server.exe
- 1508 | server.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 4D670AC64FAE74BD0C53F58673C6D826.exe, cmd.exe, net.exe (six instances)
Each row below is recorded four times in the report, giving the 64 IoCs.
(description | pid | process | target process)
- PID 740 wrote to memory of 2204 | 740 | 4D670AC64FAE74BD0C53F58673C6D826.exe | cmd.exe
- PID 2204 wrote to memory of 2868 | 2204 | cmd.exe | net.exe
- PID 740 wrote to memory of 808 | 740 | 4D670AC64FAE74BD0C53F58673C6D826.exe | regedit.exe
- PID 2868 wrote to memory of 2304 | 2868 | net.exe | net1.exe
- PID 740 wrote to memory of 2096 | 740 | 4D670AC64FAE74BD0C53F58673C6D826.exe | 00.exe
- PID 2204 wrote to memory of 2692 | 2204 | cmd.exe | net.exe
- PID 2692 wrote to memory of 2708 | 2692 | net.exe | net1.exe
- PID 2204 wrote to memory of 2812 | 2204 | cmd.exe | net.exe
- PID 2812 wrote to memory of 2568 | 2812 | net.exe | net1.exe
- PID 2204 wrote to memory of 2584 | 2204 | cmd.exe | net.exe
- PID 2584 wrote to memory of 2180 | 2584 | net.exe | net1.exe
- PID 2204 wrote to memory of 2592 | 2204 | cmd.exe | net.exe
- PID 2592 wrote to memory of 2468 | 2592 | net.exe | net1.exe
- PID 2204 wrote to memory of 2228 | 2204 | cmd.exe | net.exe
- PID 2228 wrote to memory of 2976 | 2228 | net.exe | net1.exe
- PID 2204 wrote to memory of 2732 | 2204 | cmd.exe | net.exe
Processes
(process tree; indentation shows the parent/child depth recorded in the report, "cmd:" is the captured command line, bullets are the signatures attributed to that process)

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\4D670AC64FAE74BD0C53F58673C6D826.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\4D670AC64FAE74BD0C53F58673C6D826.exe"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c ""C:\Windows\1-seguridad.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Dispositivo host de UPnP"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Dispositivo host de UPnP"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "AntiVirService"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "AntiVirService"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "PDAgent"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "PDAgent"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Telefonia"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Telefonia"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Temas"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Temas"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Centro de Seguridad"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Centro de Seguridad"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Windows Defender"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Windows Defender"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Firewall de Windows"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Firewall de Windows"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Ready Boost"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Ready Boost"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Busqueda de Windows"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Busqueda de Windows"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Windows Update"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Windows Update"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "Inicio de Sesion secundario"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "Inicio de Sesion secundario"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "TapiSrv"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "TapiSrv"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "CryptSvc"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "WPDBusEnum"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "WPDBusEnum"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "BITS"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "BITS"
      C:\Windows\SysWOW64\net.exe
        cmd: NET STOP "seclogon"
        C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 STOP "seclogon"
    C:\Windows\SysWOW64\regedit.exe
      cmd: "regedit.exe" "C:\Windows\2-Alertas.reg"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Runs .reg file with regedit
    C:\Windows\00.exe
      cmd: "C:\Windows\00.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\COM.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\COM.exe"
        - Adds policy Run key to start application
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        C:\Windows\SysWOW64\explorer.exe
          cmd: explorer.exe
      C:\Users\Admin\AppData\Local\Temp\server.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\net1.exe (reported at top level, without a parent)
  cmd: C:\Windows\system32\net1 STOP "CryptSvc"
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (3)
Downloads
(identical entries are collapsed; the count gives how many times the report lists that path)

C:\Users\Admin\AppData\Local\Temp\COM.exe (listed 3 times)
- Filesize: 276KB
- MD5: 8c3c042dc1acef4d449684c2ca72c801
- SHA1: 4dcdfa3a99f873f9434743b4db0ae084c1d8d3ff
- SHA256: 44dbcb5ef68916b91e16cbe932a1116f2de4e04b8be9905912272156d90187c4
- SHA512: 70bf770fce85285908f55fa782ac0082a4b1d4e204931b8563b72b8930416997be3e7712a97b060f02bae86dffba97414cb9cb7d762cdb5c45a5c990e072278e

C:\Users\Admin\AppData\Local\Temp\server.exe (listed 3 times)
- Filesize: 140KB
- MD5: a00fbc1815a7d3cdcd23306479e39abe
- SHA1: 669de9d6eff2e3f0902803af84cea2bede3d574b
- SHA256: aad774ae320e01c6c7bce53ded9714d53142f784ebe090da64fbea832ad6ce6e
- SHA512: d79966ec41c57425a4c646d00b508daf80befcb5e81127b4c141b5c5031ae75bece59abe6aba775dbacd13cce06bd4d7e5dcb146c42a4c1a41bcb3b7641bfdca

C:\Windows\00.exe (listed 2 times)
- Filesize: 425KB
- MD5: 08499bf7ebbf11f3408c8e7d99949b86
- SHA1: 2c860fd0b9cf8afc05e5b03c0830da57d97d0436
- SHA256: 62717294ff87c7f3cf74bdd2b4c2948bd492d72e9d2bf0f27c868cffec9249c5
- SHA512: 05611ec377317cc6b186ddf92d66187066cc0ab2a3ce5d7f133d7d3b32b4540d0081e6c51c22c1e2e31dd60b9b498b0b6f55bfd24d1eaefdfc5c1fd893ef693a

C:\Windows\1-seguridad.bat (listed 2 times)
- Filesize: 440B
- MD5: 3480889014c6ab1d72ebe13df6c5f2bb
- SHA1: 5de690e8d732de74542ac78c007ec307ef28d3e8
- SHA256: e44a336e4a891bb6e253c12b64e99d7bcca369948bc80cde967c0a3fe9892820
- SHA512: 442af2778b3debd4372123b08cd02e4dcd14b14fa7a3a77b3691fdd2ea9fcb31af2a6425fb81d1aa34b00dc35cec72deff68472593b327eae55fb2c77d70870c

C:\Windows\2-Alertas.reg
- Filesize: 2KB
- MD5: 21b2a7b50dd2c5653e30877c94cc04b3
- SHA1: 61bae94b04566c8e0a31e87aedb13c02e8bfbf8d
- SHA256: 2024c7572789b9d4863895b721211ccc1a66063f204d9cb07ede48d848ff6007
- SHA512: 66d82c1e40c5c348ff768c695ffd58050b91cbfdeab1e1339e8b1da9b44bada11482d95aedac8071124a77187f160052ecd9200962776c1e06f7da152363e954

\Users\Admin\AppData\Local\Temp\COM.exe (listed 2 times; same file as the C:\ entry above)
- Filesize: 276KB
- MD5: 8c3c042dc1acef4d449684c2ca72c801
- SHA1: 4dcdfa3a99f873f9434743b4db0ae084c1d8d3ff
- SHA256: 44dbcb5ef68916b91e16cbe932a1116f2de4e04b8be9905912272156d90187c4
- SHA512: 70bf770fce85285908f55fa782ac0082a4b1d4e204931b8563b72b8930416997be3e7712a97b060f02bae86dffba97414cb9cb7d762cdb5c45a5c990e072278e

\Users\Admin\AppData\Local\Temp\server.exe (listed 2 times; same file as the C:\ entry above)
- Filesize: 140KB
- MD5: a00fbc1815a7d3cdcd23306479e39abe
- SHA1: 669de9d6eff2e3f0902803af84cea2bede3d574b
- SHA256: aad774ae320e01c6c7bce53ded9714d53142f784ebe090da64fbea832ad6ce6e
- SHA512: d79966ec41c57425a4c646d00b508daf80befcb5e81127b4c141b5c5031ae75bece59abe6aba775dbacd13cce06bd4d7e5dcb146c42a4c1a41bcb3b7641bfdca
Memory dumps (resource | Filesize)
- memory/808-300-0x0000000000210000-0x0000000000211000-memory.dmp | 4KB
- memory/808-47-0x0000000000210000-0x0000000000211000-memory.dmp | 4KB
- memory/1180-53-0x00000000029E0000-0x00000000029E1000-memory.dmp | 4KB
- memory/1508-392-0x0000000000400000-0x00000000004259CC-memory.dmp | 150KB
- memory/1508-44-0x0000000000400000-0x00000000004259CC-memory.dmp | 150KB
- memory/1652-301-0x0000000000120000-0x0000000000121000-memory.dmp | 4KB
- memory/1652-302-0x00000000000A0000-0x00000000000A1000-memory.dmp | 4KB
- memory/2096-36-0x0000000002520000-0x0000000002546000-memory.dmp | 152KB
- memory/2096-32-0x0000000002510000-0x0000000002567000-memory.dmp | 348KB
- memory/2096-41-0x0000000002520000-0x0000000002546000-memory.dmp | 152KB
- memory/2096-42-0x0000000000400000-0x0000000000472000-memory.dmp | 456KB
- memory/2096-29-0x0000000002510000-0x0000000002567000-memory.dmp | 348KB
- memory/2880-296-0x0000000000400000-0x0000000000457000-memory.dmp | 348KB
- memory/2880-33-0x0000000000400000-0x0000000000457000-memory.dmp | 348KB