cybergate | 12975bce5682b4d6a0849c73a8924f074e9fc12e9807e1773e3d80656851d1d2

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4D670AC64FAE74BD0C53F58673C6D826.exe
Size

422KB
MD5

4d670ac64fae74bd0c53f58673c6d826
SHA1

5fcfe71b322f91bc65f58892bb7024d78bb9b43b
SHA256

12975bce5682b4d6a0849c73a8924f074e9fc12e9807e1773e3d80656851d1d2
SHA512

f777331088ec03e39b4370a7958c4187410741ae430582943478cf7558f2c6e8152f4799f7dd121ef79abc0ae126db69ade14ea1227617fb2e50e362cb005427
SSDEEP

6144:WIA2TfeZd+WnuiCrnluCuSD/Tmd6et08DOUlNre2fUOi3Mw4NwoGC0vQhvxeexNh:S2G+WufnQQ/ff8DdNC/Oi3rBvQhUCjV

Score

10^/10

cybergate victima evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

boxdmz.freeddns.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
COM HOST.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
gxwd
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

regedit.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" regedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	regedit.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

COM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	COM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\COM HOST.exe"	COM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	COM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\COM HOST.exe"	COM.exe

Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

COM.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{70NBI643-N58H-54IB-NF57-KHIF8DH40O3D}	COM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70NBI643-N58H-54IB-NF57-KHIF8DH40O3D}\StubPath = "c:\\dir\\install\\install\\COM HOST.exe Restart"	COM.exe

Executes dropped EXE 3 IoCs

Processes:

00.exeCOM.exeserver.exe

pid process

2096 00.exe
2880 COM.exe
1508 server.exe
Loads dropped DLL 4 IoCs

Processes:

00.exe

pid process

2096 00.exe
2096 00.exe
2096 00.exe
2096 00.exe

pid	process
2096	00.exe
2880	COM.exe
1508	server.exe

pid	process
2096	00.exe
2096	00.exe
2096	00.exe
2096	00.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\COM.exe	upx
C:\Users\Admin\AppData\Local\Temp\COM.exe	upx
\Users\Admin\AppData\Local\Temp\COM.exe	upx
C:\Users\Admin\AppData\Local\Temp\COM.exe	upx
behavioral1/memory/2880-33-0x0000000000400000-0x0000000000457000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\COM.exe	upx
behavioral1/memory/2880-296-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

COM.exeserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\COM HOST.exe"	COM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\COM HOST.exe"	COM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\win_sp.exe"	server.exe

Drops file in Windows directory 5 IoCs

Processes:

server.exe4D670AC64FAE74BD0C53F58673C6D826.exe

description	ioc	process
File created	C:\Windows\win_sp.exe	server.exe
File opened for modification	C:\Windows\win_sp.exe	server.exe
File opened for modification	C:\Windows\1-seguridad.bat	4D670AC64FAE74BD0C53F58673C6D826.exe
File opened for modification	C:\Windows\2-Alertas.reg	4D670AC64FAE74BD0C53F58673C6D826.exe
File opened for modification	C:\Windows\00.exe	4D670AC64FAE74BD0C53F58673C6D826.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

808 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

COM.exe

pid process

2880 COM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1508 server.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

COM.exe

pid process

2880 COM.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4D670AC64FAE74BD0C53F58673C6D826.exeserver.exe

pid process

740 4D670AC64FAE74BD0C53F58673C6D826.exe
1508 server.exe
1508 server.exe

pid	process
808	regedit.exe

pid	process
2880	COM.exe

pid	process
1508	server.exe

pid	process
2880	COM.exe

pid	process
740	4D670AC64FAE74BD0C53F58673C6D826.exe
1508	server.exe
1508	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4D670AC64FAE74BD0C53F58673C6D826.execmd.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 740 wrote to memory of 2204	740	4D670AC64FAE74BD0C53F58673C6D826.exe	cmd.exe
PID 740 wrote to memory of 2204	740	4D670AC64FAE74BD0C53F58673C6D826.exe	cmd.exe
PID 740 wrote to memory of 2204	740	4D670AC64FAE74BD0C53F58673C6D826.exe	cmd.exe
PID 740 wrote to memory of 2204	740	4D670AC64FAE74BD0C53F58673C6D826.exe	cmd.exe
PID 2204 wrote to memory of 2868	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2868	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2868	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2868	2204	cmd.exe	net.exe
PID 740 wrote to memory of 808	740	4D670AC64FAE74BD0C53F58673C6D826.exe	regedit.exe
PID 740 wrote to memory of 808	740	4D670AC64FAE74BD0C53F58673C6D826.exe	regedit.exe
PID 740 wrote to memory of 808	740	4D670AC64FAE74BD0C53F58673C6D826.exe	regedit.exe
PID 740 wrote to memory of 808	740	4D670AC64FAE74BD0C53F58673C6D826.exe	regedit.exe
PID 2868 wrote to memory of 2304	2868	net.exe	net1.exe
PID 2868 wrote to memory of 2304	2868	net.exe	net1.exe
PID 2868 wrote to memory of 2304	2868	net.exe	net1.exe
PID 2868 wrote to memory of 2304	2868	net.exe	net1.exe
PID 740 wrote to memory of 2096	740	4D670AC64FAE74BD0C53F58673C6D826.exe	00.exe
PID 740 wrote to memory of 2096	740	4D670AC64FAE74BD0C53F58673C6D826.exe	00.exe
PID 740 wrote to memory of 2096	740	4D670AC64FAE74BD0C53F58673C6D826.exe	00.exe
PID 740 wrote to memory of 2096	740	4D670AC64FAE74BD0C53F58673C6D826.exe	00.exe
PID 2204 wrote to memory of 2692	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2692	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2692	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2692	2204	cmd.exe	net.exe
PID 2692 wrote to memory of 2708	2692	net.exe	net1.exe
PID 2692 wrote to memory of 2708	2692	net.exe	net1.exe
PID 2692 wrote to memory of 2708	2692	net.exe	net1.exe
PID 2692 wrote to memory of 2708	2692	net.exe	net1.exe
PID 2204 wrote to memory of 2812	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2812	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2812	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2812	2204	cmd.exe	net.exe
PID 2812 wrote to memory of 2568	2812	net.exe	net1.exe
PID 2812 wrote to memory of 2568	2812	net.exe	net1.exe
PID 2812 wrote to memory of 2568	2812	net.exe	net1.exe
PID 2812 wrote to memory of 2568	2812	net.exe	net1.exe
PID 2204 wrote to memory of 2584	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2584	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2584	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2584	2204	cmd.exe	net.exe
PID 2584 wrote to memory of 2180	2584	net.exe	net1.exe
PID 2584 wrote to memory of 2180	2584	net.exe	net1.exe
PID 2584 wrote to memory of 2180	2584	net.exe	net1.exe
PID 2584 wrote to memory of 2180	2584	net.exe	net1.exe
PID 2204 wrote to memory of 2592	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2592	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2592	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2592	2204	cmd.exe	net.exe
PID 2592 wrote to memory of 2468	2592	net.exe	net1.exe
PID 2592 wrote to memory of 2468	2592	net.exe	net1.exe
PID 2592 wrote to memory of 2468	2592	net.exe	net1.exe
PID 2592 wrote to memory of 2468	2592	net.exe	net1.exe
PID 2204 wrote to memory of 2228	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2228	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2228	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2228	2204	cmd.exe	net.exe
PID 2228 wrote to memory of 2976	2228	net.exe	net1.exe
PID 2228 wrote to memory of 2976	2228	net.exe	net1.exe
PID 2228 wrote to memory of 2976	2228	net.exe	net1.exe
PID 2228 wrote to memory of 2976	2228	net.exe	net1.exe
PID 2204 wrote to memory of 2732	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2732	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2732	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2732	2204	cmd.exe	net.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\4D670AC64FAE74BD0C53F58673C6D826.exe
"C:\Users\Admin\AppData\Local\Temp\4D670AC64FAE74BD0C53F58673C6D826.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\1-seguridad.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\net.exe
NET STOP "Dispositivo host de UPnP"
4⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Dispositivo host de UPnP"
5⤵
PID:2304

C:\Windows\SysWOW64\net.exe
NET STOP "AntiVirService"
4⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "AntiVirService"
5⤵
PID:2708

C:\Windows\SysWOW64\net.exe
NET STOP "PDAgent"
4⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "PDAgent"
5⤵
PID:2568

C:\Windows\SysWOW64\net.exe
NET STOP "Telefonia"
4⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Telefonia"
5⤵
PID:2180

C:\Windows\SysWOW64\net.exe
NET STOP "Temas"
4⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Temas"
5⤵
PID:2468

C:\Windows\SysWOW64\net.exe
NET STOP "Centro de Seguridad"
4⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Centro de Seguridad"
5⤵
PID:2976

C:\Windows\SysWOW64\net.exe
NET STOP "Windows Defender"
4⤵
PID:2732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Windows Defender"
5⤵
PID:2640

C:\Windows\SysWOW64\net.exe
NET STOP "Firewall de Windows"
4⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Firewall de Windows"
5⤵
PID:2496

C:\Windows\SysWOW64\net.exe
NET STOP "Ready Boost"
4⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Ready Boost"
5⤵
PID:2768

C:\Windows\SysWOW64\net.exe
NET STOP "Busqueda de Windows"
4⤵
PID:2484

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Busqueda de Windows"
5⤵
PID:2652

C:\Windows\SysWOW64\net.exe
NET STOP "Windows Update"
4⤵
PID:1744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Windows Update"
5⤵
PID:2632

C:\Windows\SysWOW64\net.exe
NET STOP "Inicio de Sesion secundario"
4⤵
PID:2628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "Inicio de Sesion secundario"
5⤵
PID:2572

C:\Windows\SysWOW64\net.exe
NET STOP "TapiSrv"
4⤵
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "TapiSrv"
5⤵
PID:2456

C:\Windows\SysWOW64\net.exe
NET STOP "CryptSvc"
4⤵
PID:2452

C:\Windows\SysWOW64\net.exe
NET STOP "WPDBusEnum"
4⤵
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "WPDBusEnum"
5⤵
PID:1460

C:\Windows\SysWOW64\net.exe
NET STOP "BITS"
4⤵
PID:2384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "BITS"
5⤵
PID:1992

C:\Windows\SysWOW64\net.exe
NET STOP "seclogon"
4⤵
PID:1588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "seclogon"
5⤵
PID:1484

C:\Windows\SysWOW64\regedit.exe
"regedit.exe" "C:\Windows\2-Alertas.reg"
3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Runs .reg file with regedit
PID:808

C:\Windows\00.exe
"C:\Windows\00.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096

C:\Users\Admin\AppData\Local\Temp\COM.exe
"C:\Users\Admin\AppData\Local\Temp\COM.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2880

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP "CryptSvc"
1⤵
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COM.exe
Filesize
276KB

MD5
8c3c042dc1acef4d449684c2ca72c801

SHA1
4dcdfa3a99f873f9434743b4db0ae084c1d8d3ff

SHA256
44dbcb5ef68916b91e16cbe932a1116f2de4e04b8be9905912272156d90187c4

SHA512
70bf770fce85285908f55fa782ac0082a4b1d4e204931b8563b72b8930416997be3e7712a97b060f02bae86dffba97414cb9cb7d762cdb5c45a5c990e072278e

Download Submit
C:\Users\Admin\AppData\Local\Temp\COM.exe
Filesize
276KB

MD5
8c3c042dc1acef4d449684c2ca72c801

SHA1
4dcdfa3a99f873f9434743b4db0ae084c1d8d3ff

SHA256
44dbcb5ef68916b91e16cbe932a1116f2de4e04b8be9905912272156d90187c4

SHA512
70bf770fce85285908f55fa782ac0082a4b1d4e204931b8563b72b8930416997be3e7712a97b060f02bae86dffba97414cb9cb7d762cdb5c45a5c990e072278e

Download Submit
C:\Users\Admin\AppData\Local\Temp\COM.exe
Filesize
276KB

MD5
8c3c042dc1acef4d449684c2ca72c801

SHA1
4dcdfa3a99f873f9434743b4db0ae084c1d8d3ff

SHA256
44dbcb5ef68916b91e16cbe932a1116f2de4e04b8be9905912272156d90187c4

SHA512
70bf770fce85285908f55fa782ac0082a4b1d4e204931b8563b72b8930416997be3e7712a97b060f02bae86dffba97414cb9cb7d762cdb5c45a5c990e072278e

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
140KB

MD5
a00fbc1815a7d3cdcd23306479e39abe

SHA1
669de9d6eff2e3f0902803af84cea2bede3d574b

SHA256
aad774ae320e01c6c7bce53ded9714d53142f784ebe090da64fbea832ad6ce6e

SHA512
d79966ec41c57425a4c646d00b508daf80befcb5e81127b4c141b5c5031ae75bece59abe6aba775dbacd13cce06bd4d7e5dcb146c42a4c1a41bcb3b7641bfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
140KB

MD5
a00fbc1815a7d3cdcd23306479e39abe

SHA1
669de9d6eff2e3f0902803af84cea2bede3d574b

SHA256
aad774ae320e01c6c7bce53ded9714d53142f784ebe090da64fbea832ad6ce6e

SHA512
d79966ec41c57425a4c646d00b508daf80befcb5e81127b4c141b5c5031ae75bece59abe6aba775dbacd13cce06bd4d7e5dcb146c42a4c1a41bcb3b7641bfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
140KB

MD5
a00fbc1815a7d3cdcd23306479e39abe

SHA1
669de9d6eff2e3f0902803af84cea2bede3d574b

SHA256
aad774ae320e01c6c7bce53ded9714d53142f784ebe090da64fbea832ad6ce6e

SHA512
d79966ec41c57425a4c646d00b508daf80befcb5e81127b4c141b5c5031ae75bece59abe6aba775dbacd13cce06bd4d7e5dcb146c42a4c1a41bcb3b7641bfdca

Download Submit
C:\Windows\00.exe
Filesize
425KB

MD5
08499bf7ebbf11f3408c8e7d99949b86

SHA1
2c860fd0b9cf8afc05e5b03c0830da57d97d0436

SHA256
62717294ff87c7f3cf74bdd2b4c2948bd492d72e9d2bf0f27c868cffec9249c5

SHA512
05611ec377317cc6b186ddf92d66187066cc0ab2a3ce5d7f133d7d3b32b4540d0081e6c51c22c1e2e31dd60b9b498b0b6f55bfd24d1eaefdfc5c1fd893ef693a

Download Submit
C:\Windows\00.exe
Filesize
425KB

MD5
08499bf7ebbf11f3408c8e7d99949b86

SHA1
2c860fd0b9cf8afc05e5b03c0830da57d97d0436

SHA256
62717294ff87c7f3cf74bdd2b4c2948bd492d72e9d2bf0f27c868cffec9249c5

SHA512
05611ec377317cc6b186ddf92d66187066cc0ab2a3ce5d7f133d7d3b32b4540d0081e6c51c22c1e2e31dd60b9b498b0b6f55bfd24d1eaefdfc5c1fd893ef693a

Download Submit
C:\Windows\1-seguridad.bat
Filesize
440B

MD5
3480889014c6ab1d72ebe13df6c5f2bb

SHA1
5de690e8d732de74542ac78c007ec307ef28d3e8

SHA256
e44a336e4a891bb6e253c12b64e99d7bcca369948bc80cde967c0a3fe9892820

SHA512
442af2778b3debd4372123b08cd02e4dcd14b14fa7a3a77b3691fdd2ea9fcb31af2a6425fb81d1aa34b00dc35cec72deff68472593b327eae55fb2c77d70870c

Download Submit
C:\Windows\1-seguridad.bat
Filesize
440B

MD5
3480889014c6ab1d72ebe13df6c5f2bb

SHA1
5de690e8d732de74542ac78c007ec307ef28d3e8

SHA256
e44a336e4a891bb6e253c12b64e99d7bcca369948bc80cde967c0a3fe9892820

SHA512
442af2778b3debd4372123b08cd02e4dcd14b14fa7a3a77b3691fdd2ea9fcb31af2a6425fb81d1aa34b00dc35cec72deff68472593b327eae55fb2c77d70870c

Download Submit
C:\Windows\2-Alertas.reg
Filesize
2KB

MD5
21b2a7b50dd2c5653e30877c94cc04b3

SHA1
61bae94b04566c8e0a31e87aedb13c02e8bfbf8d

SHA256
2024c7572789b9d4863895b721211ccc1a66063f204d9cb07ede48d848ff6007

SHA512
66d82c1e40c5c348ff768c695ffd58050b91cbfdeab1e1339e8b1da9b44bada11482d95aedac8071124a77187f160052ecd9200962776c1e06f7da152363e954

Download Submit
\Users\Admin\AppData\Local\Temp\COM.exe
Filesize
276KB

MD5
8c3c042dc1acef4d449684c2ca72c801

SHA1
4dcdfa3a99f873f9434743b4db0ae084c1d8d3ff

SHA256
44dbcb5ef68916b91e16cbe932a1116f2de4e04b8be9905912272156d90187c4

SHA512
70bf770fce85285908f55fa782ac0082a4b1d4e204931b8563b72b8930416997be3e7712a97b060f02bae86dffba97414cb9cb7d762cdb5c45a5c990e072278e

Download Submit
\Users\Admin\AppData\Local\Temp\COM.exe
Filesize
276KB

MD5
8c3c042dc1acef4d449684c2ca72c801

SHA1
4dcdfa3a99f873f9434743b4db0ae084c1d8d3ff

SHA256
44dbcb5ef68916b91e16cbe932a1116f2de4e04b8be9905912272156d90187c4

SHA512
70bf770fce85285908f55fa782ac0082a4b1d4e204931b8563b72b8930416997be3e7712a97b060f02bae86dffba97414cb9cb7d762cdb5c45a5c990e072278e

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
140KB

MD5
a00fbc1815a7d3cdcd23306479e39abe

SHA1
669de9d6eff2e3f0902803af84cea2bede3d574b

SHA256
aad774ae320e01c6c7bce53ded9714d53142f784ebe090da64fbea832ad6ce6e

SHA512
d79966ec41c57425a4c646d00b508daf80befcb5e81127b4c141b5c5031ae75bece59abe6aba775dbacd13cce06bd4d7e5dcb146c42a4c1a41bcb3b7641bfdca

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
140KB

MD5
a00fbc1815a7d3cdcd23306479e39abe

SHA1
669de9d6eff2e3f0902803af84cea2bede3d574b

SHA256
aad774ae320e01c6c7bce53ded9714d53142f784ebe090da64fbea832ad6ce6e

SHA512
d79966ec41c57425a4c646d00b508daf80befcb5e81127b4c141b5c5031ae75bece59abe6aba775dbacd13cce06bd4d7e5dcb146c42a4c1a41bcb3b7641bfdca

Download Submit
memory/808-300-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/808-47-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1180-53-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1508-392-0x0000000000400000-0x00000000004259CC-memory.dmp

Filesize
150KB

Download
memory/1508-44-0x0000000000400000-0x00000000004259CC-memory.dmp

Filesize
150KB

Download
memory/1652-301-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1652-302-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2096-36-0x0000000002520000-0x0000000002546000-memory.dmp

Filesize
152KB

Download
memory/2096-32-0x0000000002510000-0x0000000002567000-memory.dmp

Filesize
348KB

Download
memory/2096-41-0x0000000002520000-0x0000000002546000-memory.dmp

Filesize
152KB

Download
memory/2096-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2096-29-0x0000000002510000-0x0000000002567000-memory.dmp

Filesize
348KB

Download
memory/2880-296-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2880-33-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download