Analysis
- max time kernel: 150s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/03/2025, 04:59
Behavioral task: behavioral1
Sample: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe
Resource: win7-20241023-en
General
- Target: JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe
- Size: 344KB
- MD5: 816ac199375ddab6a4fe6ae65faab5f5
- SHA1: f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f
- SHA256: 96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630
- SHA512: bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754
- SSDEEP: 6144:L/G0N63UDkF+yGHGb3BtBxVrADqTxIC1h76QsLUXISGN1A3aWzns:rx6zOgPBx1b7X7wLUVGQ7s
Malware Config
Extracted
- Family: cybergate
- Version: v1.00.0
- remote: 122.3.6.90:9000
- CyberGate1
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
- regkey_hklm: HKLM
Signatures

Cybergate family

Adds policy Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
| Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK}\StubPath = "C:\\Windows\\install\\server.exe" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK} | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD4RX68-5SF0-7V78-S86X-814KN8QIJSOK}\StubPath = "C:\\Windows\\install\\server.exe Restart" | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
Executes dropped EXE (29 IoCs)

| pid | Process |
|---|---|
| 3680, 3904, 3568, 1004, 4816, 5432, 828, 4028, 3640, 1564, 5632, 5732, 1256, 5636, 5272, 1492, 5560, 4180, 6008, 4080, 5052, 1668, 2876, 3944, 6052, 4648, 5664, 4772, 2852 | server.exe |
Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |

| resource | yara_rule |
|---|---|
| behavioral2/memory/2956-3-0x0000000024010000-0x0000000024070000-memory.dmp | upx |
| behavioral2/memory/2956-63-0x0000000024070000-0x00000000240D0000-memory.dmp | upx |
| behavioral2/memory/2760-68-0x0000000024070000-0x00000000240D0000-memory.dmp | upx |
| behavioral2/memory/2760-67-0x0000000024070000-0x00000000240D0000-memory.dmp | upx |
| behavioral2/memory/2760-74-0x0000000024070000-0x00000000240D0000-memory.dmp | upx |
Drops file in Windows directory (31 IoCs)

Distinct entries (the server.exe row is repeated once per server.exe process in the original listing):

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\install\server.exe | server.exe |
| File created | C:\Windows\install\server.exe | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
| File opened for modification | C:\Windows\install\server.exe | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Distinct pid/process pairs (each repeated many times in the original listing):

| pid | Process |
|---|---|
| 2956 | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
| 3680 | server.exe |
Suspicious use of FindShellTrayWindow (1 IoCs)

| pid | Process |
|---|---|
| 2956 | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

The single distinct entry (repeated in the original listing):

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2956 wrote to memory of 3448 | 2956 | JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe | 56 |
Processes
- C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE), PID 3448
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_816ac199375ddab6a4fe6ae65faab5f5.exe"), PID 2956
    Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (cmdline: explorer.exe), PID 2760
      Signatures: Boot or Logon Autostart Execution: Active Setup; System Location Discovery: System Language Discovery
      - C:\Windows\install\server.exe (cmdline: "C:\Windows\install\server.exe"), PID 3680
        Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\install\server.exe (cmdline: "C:\Windows\install\server.exe"), 28 further instances at the same tree depth, each with signatures: Executes dropped EXE; Drops file in Windows directory
        PIDs: 3904, 3568, 1004, 4816, 5432, 828, 4028, 3640, 1564, 5632, 5732, 1256, 5636, 5272, 1492, 5560, 4180, 6008, 4080, 5052, 1668, 2876, 3944, 6052, 4648, 5664, 4772, 2852
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 237KB
  MD5: 5f6cd69e641085107c9e9f273fd72623
  SHA1: 4b5a3e5d699696f2a73ddec5c39a93e3d120a762
  SHA256: 24be1d02175e885dd864e69afdea73629280d7913aefdbeca7683b49799f28db
  SHA512: 169a3d029c242c459915505b4c6881dd0db307fc502749688a76759e98fc28078235d330ed6dd0cb7bb258a596adc3bf49faf63a31a28441371df126c4899827
- Filesize: 237KB
  MD5: d11d644d97e855ab0a35488e77223e5d
  SHA1: 3f4a21b0232abe2c94222387d772de47841931d3
  SHA256: 3d42182201feeba48941db4bc34fef3f489ff88aa70b26dbedd1dd97f51598ad
  SHA512: a2f1225f8d79abf129997662c9de97541d8b2f73da30eee602758ed9ceadeb36970ec80a3711c403d7d5f980f4d231bb81748bf9af05e5244f57bd0e22bfc155
- Filesize: 344KB
  MD5: 816ac199375ddab6a4fe6ae65faab5f5
  SHA1: f266c4d3a92f4a1eb2bde021aca7b8a3788eb58f
  SHA256: 96d896e36f29e0ab7810d62ade596240e1cbcb42eec34af42f3ca647cae7d630
  SHA512: bdca672acd31d657df1f4d8483d28bdca3ca40592a615429cb757248297a933bed38efd15963f88a10f6f02cf72bbd87cc2cc275d3206b900cd1ff9754e06754