Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 20/03/2025, 04:59
Behavioral task: behavioral1
- Sample: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe
- Resource: win7-20241023-en
General
- Target: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe
- Size: 344KB
- MD5: 816ac199375ddab6a4fe6ae65faab5f5
- SHA1: f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f
- SHA256: 96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630
- SHA512: bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754
- SSDEEP: 6144:L/G0N63UDkF+yGHGb3BtBxVrADqTxIC1h76QsLUXISGN1A3aWzns:rx6zOgPBx1b7X7wLUVGQ7s
Malware Config
Extracted
- cybergate v1.00.0
- remote: 122.3.6.90:9000 CyberGate1
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
- regkey_hklm: HKLM
Signatures

Cybergate family

Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK} (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK}\StubPath = "C:\\Windows\\install\\server.exe Restart" (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK}\StubPath = "C:\\Windows\\install\\server.exe" (process: explorer.exe)
Executes dropped EXE (29 IoCs)
- server.exe, 29 processes with PIDs: 1224, 2280, 2788, 408, 2552, 2664, 2464, 1668, 2460, 1716, 1752, 1600, 1420, 2496, 2956, 2728, 2452, 2516, 3048, 840, 324, 2508, 1564, 1328, 1988, 2216, 2064, 2444, 2620
Loads dropped DLL (30 IoCs)
- PID 1792 explorer.exe (30 identical rows)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)

YARA rule matches (resource, yara_rule)
- behavioral1/memory/1792-524-0x0000000024070000-0x00000000240D0000-memory.dmp: upx
- behavioral1/memory/1792-534-0x0000000024070000-0x00000000240D0000-memory.dmp: upx
Drops file in Windows directory (30 IoCs)
- File created: C:\Windows\install\server.exe (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- File opened for modification: C:\Windows\install\server.exe (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- File opened for modification: C:\Windows\install\server.exe (process: server.exe; 28 identical rows)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1980 JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe (40 rows)
- PID 1224 server.exe (24 rows)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1980 JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1980 wrote to memory of 1196 (process: 1980 JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe; procid_target: 21) (64 identical rows)
Processes
- [1] C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1196
  - [2] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe (command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe"), PID 1980
    Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID 1792
      Signatures: Boot or Logon Autostart Execution: Active Setup; Loads dropped DLL; System Location Discovery: System Language Discovery
      - [4] C:\Windows\install\server.exe (command line: "C:\Windows\install\server.exe"), 29 instances with PIDs 1224, 2280, 2788, 408, 2552, 2664, 2464, 1668, 2460, 1716, 1752, 1600, 1420, 2496, 2956, 2728, 2452, 2516, 3048, 840, 324, 2508, 1564, 1328, 1988, 2216, 2064, 2444, 2620
        Signatures on each instance: Executes dropped EXE; Drops file in Windows directory. PID 1224 additionally: Suspicious behavior: EnumeratesProcesses. PID 2444: Executes dropped EXE only.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 237KB
  MD5: 5f6cd69e641085107c9e9f273fd72623
  SHA1: 4b5a3e5d699696f2a73ddec5c39a93e3d120a762
  SHA256: 24be1d02175e885dd864e69afdea73629280d7913aefdbeca7683b49799f28db
  SHA512: 169a3d029c242c459915505b4c6881dd0db307fc502749688a76759e98fc28078235d330ed6dd0cb7bb258a596adc3bf49faf63a31a28441371df126c4899827
- Filesize: 237KB
  MD5: d11d644d97e855ab0a35488e77223e5d
  SHA1: 3f4a21b0232abe2c94222387d772de47841931d3
  SHA256: 3d42182201feeba48941db4bc34fef3f489ff88aa70b26dbedd1dd97f51598ad
  SHA512: a2f1225f8d79abf129997662c9de97541d8b2f73da30eee602758ed9ceadeb36970ec80a3711c403d7d5f980f4d231bb81748bf9af05e5244f57bd0e22bfc155
- Filesize: 344KB
  MD5: 816ac199375ddab6a4fe6ae65faab5f5
  SHA1: f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f
  SHA256: 96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630
  SHA512: bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754