Malware Analysis Report

2025-08-05 12:38

Sample ID 221106-l3ax3ahbar
Target a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1
SHA256 a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1
Tags
cybergate dscr_spr_220214 evasion persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1

Threat Level: Known bad

The file a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1 was found to be: Known bad.

Malicious Activity Summary

cybergate dscr_spr_220214 evasion persistence stealer trojan upx

CyberGate, Rebhip

Modifies visibility of hidden/system files in Explorer

UPX packed file

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops startup file

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-06 10:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-06 10:02

Reported

2022-11-06 12:00

Platform

win10v2004-20220812-en

Max time kernel

172s

Max time network

172s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target Count
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A 3

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}\StubPath = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}\StubPath = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 10

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayerPlugin_11_9_900_175.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayerPlugin_11_9_900_175.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugin = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target Count
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A 3

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A 3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A 64

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A 2
Token: SeDebugPrivilege N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A 2

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2996 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com 3
PID 2208 wrote to memory of 4080 N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 5
PID 4080 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Explorer.EXE 56

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe

"C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

Network

Country Destination Domain Proto Count
US 8.238.21.254:80 - tcp 1
US 93.184.221.240:80 - tcp 1
US 93.184.220.29:80 - tcp 1
US 20.189.173.7:443 - tcp 1
US 13.107.4.50:80 - tcp 3
US 204.79.197.200:443 - tcp 1
US 8.8.8.8:53 clippico.zapto.org udp 13

Files

memory/2208-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\542a49tpb3b73\eFZsGeMgsklx

MD5 70150e173740fe5fe9b00285b47b60de
SHA1 91b7699f142f5d41bbda9c24468c0cf4b75d7426
SHA256 dc9e977713016621a4d09cbac7809ca1b9d6c3c2fb63100f6b8857f01bcd1196
SHA512 e225d4c24b07b8b43a72b369efbe22085991114a5c3ee33fed65d017b8ef9c1c9b3ae75be0701c4283681aa311a09f26bf378c7f23cc1f5f777319874453e833

C:\Users\Admin\542A49~1\IUfBHT.VPT

MD5 9c160bfbdb99f4fce6e270936b46b7d0
SHA1 a250c33e8f5e590a369b5406a8462817ee11d14d
SHA256 449ad064deabcd2cc96e131527accadafe685103724c4365127468a58ef81bbc
SHA512 36afa7693e648d954ccc72c423dc7c3fa9c05503c6eb3632410ae566897f60192bae87c8933875954e6f3baba28284e29d260fd90fbe1f8accec5bc6168932ae

C:\Users\Admin\542A49~1\RRBJLL~1.ALR

MD5 a397e3dfaf6c4df090004c47d2e29d22
SHA1 8e76f79d34c2498c761fbaa00eb6fc14d56ea813
SHA256 991a74e23f24d62660ff47b72435145fcfc438b5e69c14ae5d1c518ecfd83eb4
SHA512 8bbc17fe03c9060a32773590169684249a6d035fa0f976c10de4f07f3bfdb60e09261be7d548ac5b2dab8f0054cbcd7c43d9ec3d79778d137e1c5ee919c6d89c

memory/4080-138-0x0000000000000000-mapping.dmp

memory/4080-139-0x0000000000B50000-0x0000000000B9B000-memory.dmp

memory/4080-140-0x0000000000B50000-0x0000000000B9B000-memory.dmp

memory/4080-141-0x0000000000B50000-0x0000000000B9B000-memory.dmp

memory/4080-142-0x0000000000B50000-0x0000000000B9B000-memory.dmp

memory/4080-144-0x0000000010410000-0x0000000010480000-memory.dmp

memory/1504-148-0x0000000000000000-mapping.dmp

memory/4080-149-0x0000000010480000-0x00000000104F0000-memory.dmp

memory/1504-152-0x0000000010480000-0x00000000104F0000-memory.dmp

memory/1504-153-0x0000000010480000-0x00000000104F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 91480253b7d1de28ccde41e8cbb1da10
SHA1 4f0db59cf4cfc47e6518fa8a79900c01708fb326
SHA256 b3a07e078667558994034ecce19b995c583b45c6332008e7f466f53ad42ea38b
SHA512 99341ac9e688b1b33d9358481d22c87c22bfede820ad8fe4f7587dc7d6b3b5732e78555a1c52454c84392285e90001c77ec07d3acd4d9f3b8f0f51b6e5ad0d4b

C:\install\FlashPlayerPlugin_11_9_900_175.exe

MD5 3a77a4f220612fa55118fb8d7ddae83c
SHA1 b96fa726fc84fd46d03dd3c32689f645e0422278
SHA256 2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f
SHA512 33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

memory/4080-157-0x00000000104F0000-0x0000000010560000-memory.dmp

memory/3488-161-0x0000000000000000-mapping.dmp

memory/4080-162-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/3488-165-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/3488-166-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/4080-167-0x0000000000B50000-0x0000000000B9B000-memory.dmp

memory/2656-168-0x0000000000000000-mapping.dmp

memory/2532-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\542A49~1\run.vbs

MD5 c735bed0f11b2aa8c978be1417eb4503
SHA1 b46cbc79b2dee40c44c72fe3eca7d45e001e2eb6
SHA256 cf87f1aa3122701b50570303d6663bf313c9dc5b1418785c0c44eb2d4409510a
SHA512 8255176e00ab93d1765b3ed4197c5a7e17cd87b62b57bca458068df2d7d3ba5510b0e0673373605cce4ad53168bcbcb7ca5744ba276267a64473250a71b7706e

memory/1504-171-0x0000000010480000-0x00000000104F0000-memory.dmp

memory/1256-173-0x0000000000000000-mapping.dmp

memory/5044-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/3488-176-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/4272-177-0x0000000000000000-mapping.dmp

memory/4272-178-0x0000000000C20000-0x0000000000C6B000-memory.dmp

memory/4272-179-0x0000000000C20000-0x0000000000C6B000-memory.dmp

memory/4272-180-0x0000000000C20000-0x0000000000C6B000-memory.dmp

memory/4272-181-0x0000000000C20000-0x0000000000C6B000-memory.dmp

memory/4272-182-0x0000000000C20000-0x0000000000C6B000-memory.dmp

memory/4852-183-0x0000000000000000-mapping.dmp

memory/4092-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/2812-186-0x0000000000000000-mapping.dmp

memory/2812-188-0x0000000001100000-0x000000000114B000-memory.dmp

memory/2812-187-0x0000000001100000-0x000000000114B000-memory.dmp

memory/2812-189-0x0000000001100000-0x000000000114B000-memory.dmp

memory/2812-190-0x0000000001100000-0x000000000114B000-memory.dmp

memory/2812-191-0x0000000001100000-0x000000000114B000-memory.dmp

memory/3984-192-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/4796-193-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-06 10:02

Reported

2022-11-06 11:59

Platform

win7-20220812-en

Max time kernel

150s

Max time network

100s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target Count
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A 3

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}\StubPath = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}\StubPath = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\SysWOW64\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 matches; the report gives no per-match detail)

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayerPlugin_11_9_900_175.exe C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashPlayerPlugin_11_9_900_175.exe C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A (3 identical events)
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A (3 identical events)
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugin = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
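
The persistence and evasion tables above (Policies\Explorer\Run, Active Setup Installed Components, Run/RunOnce, ShowSuperHidden) are flattened one row per line, which makes them awkward to export. The script below is an added example, not part of the sandbox report: it parses those rows, rewrites the `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` prefixes as HKLM/HKU, maps each key to its ATT&CK technique (current technique IDs are an assumption here; the report's own matrix header is the older Enterprise V6), and applies the checks an analyst would do by hand, such as whether the Active Setup component name is even a well-formed GUID. The sample rows are copied from the behavioral1 tables.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Rows copied from the behavioral1 signature tables of this report.
REPORT_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}\StubPath = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe Restart" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\542a49tpb3b73 = "C:\\Users\\Admin\\542a49tpb3b73\\51281.vbs" C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\FlashPlayerPlugin = "C:\\install\\FlashPlayerPlugin_11_9_900_175.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
"""

# description, key (plus value name for Set value), optional = "data", acting process, target
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*?)")?'
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)
HIVE_RE = re.compile(r'^\\REGISTRY\\(?:(?P<hklm>MACHINE)|USER\\(?P<sid>S-1-5-[\d-]+))\\(?P<rest>.*)$')

# key pattern -> ATT&CK technique (assumed current IDs), first match wins
TECHNIQUES = [
    (re.compile(r'\\CurrentVersion\\Policies\\Explorer\\Run$', re.I), 'T1547.001', 'Policies\\Explorer\\Run autostart'),
    (re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I), 'T1547.001', 'Run/RunOnce autostart'),
    (re.compile(r'\\Active Setup\\Installed Components\\\{[^\\]+\}$', re.I), 'T1547.014', 'Active Setup StubPath'),
    (re.compile(r'\\Explorer\\Advanced$', re.I), 'T1564.001', 'hidden/system file visibility'),
]
GUID_RE = re.compile(r'^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$', re.I)
TRUSTED_DIR_RE = re.compile(r'^[a-z]:\\(Program Files( \(x86\))?|Windows)\\', re.I)


@dataclass
class Finding:
    op: str
    key: str
    value_name: Optional[str]
    data: Optional[str]
    process: str
    technique: Optional[str]
    label: Optional[str]
    flags: list = field(default_factory=list)


def normalize_hive(path: str) -> str:
    """\\REGISTRY\\MACHINE\\x -> HKLM\\x, \\REGISTRY\\USER\\<SID>\\x -> HKU\\<SID>\\x."""
    m = HIVE_RE.match(path)
    if not m:
        return path
    return ('HKLM\\' if m.group('hklm') else 'HKU\\' + m.group('sid') + '\\') + m.group('rest')


def parse_row(line: str) -> Optional[Finding]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path, value_name, data = normalize_hive(m.group('path')), None, m.group('data')
    if m.group('op').startswith('Set value'):
        path, _, value_name = path.rpartition('\\')   # last component is the value name
    if data is not None:
        data = data.replace('\\\\', '\\')             # the report prints data with escaped backslashes
    f = Finding(m.group('op'), path, value_name, data, m.group('process'), None, None)
    for pattern, technique, label in TECHNIQUES:
        if pattern.search(path):
            f.technique, f.label = technique, label
            break
    return f


def flag(f: Finding) -> Finding:
    """Heuristics an analyst applies to each autostart entry (thresholds are this example's own)."""
    if f.technique == 'T1547.014' and not GUID_RE.match(f.key.rsplit('\\', 1)[-1]):
        f.flags.append('malformed GUID')               # genuine Active Setup components use hex GUIDs
    if f.technique in ('T1547.001', 'T1547.014') and f.data:
        exe = f.data.split(' ')[0]                     # drop arguments such as "Restart"
        if not TRUSTED_DIR_RE.match(exe):
            f.flags.append('autostart target outside Program Files/Windows')
        if exe.lower().endswith(('.vbs', '.js', '.bat', '.cmd')):
            f.flags.append('autostart runs a script')
    if f.value_name == 'ShowSuperHidden' and f.data == '0':
        f.flags.append('hides protected OS files in Explorer')
    return f


def triage(rows: str = REPORT_ROWS) -> list:
    return [flag(f) for f in (parse_row(l) for l in rows.splitlines()) if f]


if __name__ == '__main__':
    for f in triage():
        print(f'{f.technique or "-":10} {f.key}\\{f.value_name or ""} = {f.data!r} [{f.process}] {"; ".join(f.flags)}')
```

Run as-is to print one line per row; on this report the Active Setup entry is flagged because `{KQ46L5FY-1LC2-867Y-K4P2-V8YX8G2QNWBO}` contains non-hexadecimal characters, and every autostart target points at `C:\install\` or the user profile rather than a program directory.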

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A (3 identical queries)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A (57 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A (2 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com N/A (3 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com (7 identical events)
PID 1900 wrote to memory of 1824 N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (9 identical events)
PID 1824 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Explorer.EXE (48 identical events)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe

"C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

"C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
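
The WriteProcessMemory rows and the `memory/<pid>-...` dump names in this report together describe the injection chain (the sample writes into `KcAxPTFELm.com`, which writes into `RegSvcs.exe`, which writes into `Explorer.EXE`), but the report never draws it. The script below is an added example, not part of the sandbox output: it rebuilds the chain from the rows, counts the writes per edge, and cross-references the dump names to find address ranges that were dumped from both an injector and its target, and `mapping` addresses that fall inside a dumped region of the same PID. Only a subset of the rows is embedded (the full tables list 7, 9 and 48 writes), so the counts it reports are for that subset; which PID corresponds to which process in the Processes list is taken only from the image paths in the rows, nothing else is assumed.

```python
import re
from collections import Counter, defaultdict

# Subset of the "Suspicious use of WriteProcessMemory" rows of the behavioral1 run.
WPM_ROWS = r"""
PID 1764 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
PID 1764 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
PID 1900 wrote to memory of 1824 N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1900 wrote to memory of 1824 N/A C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1824 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Explorer.EXE
PID 1824 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Explorer.EXE
PID 1824 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Explorer.EXE
"""

# Dump names copied from the Files section of the same run.
DUMP_NAMES = """
memory/1764-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
memory/1900-59-0x0000000000000000-mapping.dmp
memory/1824-65-0x0000000000090000-0x00000000000DB000-memory.dmp
memory/1824-68-0x0000000000099860-mapping.dmp
memory/1824-78-0x0000000010410000-0x0000000010480000-memory.dmp
memory/1204-81-0x0000000010410000-0x0000000010480000-memory.dmp
memory/1820-84-0x0000000000000000-mapping.dmp
memory/1824-87-0x0000000010480000-0x00000000104F0000-memory.dmp
memory/1820-92-0x0000000010480000-0x00000000104F0000-memory.dmp
"""

WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$')
DUMP_RE = re.compile(r'^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)'
                     r'(?:-0x(?P<end>[0-9a-f]+))?-(?P<kind>memory|mapping)\.dmp$', re.I)


def parse_writes(rows=WPM_ROWS):
    """{(src_pid, dst_pid): write count} and {pid: image path} from the flattened rows."""
    counts, images = Counter(), {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            src, dst = int(m['src']), int(m['dst'])
            counts[(src, dst)] += 1
            images[src], images[dst] = m['src_img'], m['dst_img']
    return counts, images


def injection_chain(counts, root):
    """Follow cross-process writes outward from root; each PID is listed once."""
    nxt = defaultdict(list)
    for src, dst in counts:
        nxt[src].append(dst)
    chain, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(pid)
        stack.extend(reversed(nxt[pid]))   # keep the first-listed target first
    return chain


def parse_dumps(names=DUMP_NAMES):
    out = []
    for line in names.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            out.append({'pid': int(m['pid']), 'seq': int(m['seq']), 'kind': m['kind'].lower(),
                        'start': int(m['start'], 16), 'end': int(m['end'], 16) if m['end'] else None})
    return out


def shared_regions(dumps):
    """Address ranges dumped from more than one PID: for an injector/target pair, the written region."""
    by_range = defaultdict(set)
    for d in dumps:
        if d['kind'] == 'memory':
            by_range[(d['start'], d['end'])].add(d['pid'])
    return {r: pids for r, pids in by_range.items() if len(pids) > 1}


def mapping_entry_regions(dumps):
    """For each non-zero mapping address, the dumped region of the same PID that contains it."""
    regions = [d for d in dumps if d['kind'] == 'memory']
    hits = {}
    for d in dumps:
        if d['kind'] == 'mapping' and d['start']:
            for r in regions:
                if r['pid'] == d['pid'] and r['start'] <= d['start'] < r['end']:
                    hits[(d['pid'], d['seq'])] = (r['start'], r['end'])
                    break
    return hits


if __name__ == '__main__':
    counts, images = parse_writes()
    names = {pid: img.rsplit('\\', 1)[-1] for pid, img in images.items()}
    print(' -> '.join(f'{pid} ({names[pid]})' for pid in injection_chain(counts, 1764)))
    for (src, dst), n in counts.items():
        print(f'  {src} -> {dst}: {n} writes in this subset')
    dumps = parse_dumps()
    for (start, end), pids in shared_regions(dumps).items():
        print(f'  region {start:#x}-{end:#x} dumped from PIDs {sorted(pids)}')
    for (pid, seq), (start, end) in mapping_entry_regions(dumps).items():
        print(f'  PID {pid} mapping #{seq} lies inside {start:#x}-{end:#x}')
```

On this report's data the chain resolves to 1764 (the sample) -> 1900 (KcAxPTFELm.com) -> 1824 (RegSvcs.exe) -> 1204 (Explorer.EXE); the range 0x10410000-0x10480000 is dumped from both 1824 and 1204, matching the 1824 -> 1204 writes, and the mapping address 0x99860 of PID 1824 sits inside its 0x90000-0xDB000 region. The script also surfaces 0x10480000-0x104F0000 as shared between 1824 and 1820 even though no write between those PIDs appears in the table, which is the kind of gap worth checking against the full event log.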

Network

Country Destination Domain Proto
US 8.8.8.8:53 clippico.zapto.org udp

Files

memory/1764-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

\Users\Admin\542a49tpb3b73\KcAxPTFELm.com (4 consecutive identical entries)

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1900-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\542a49tpb3b73\eFZsGeMgsklx

MD5 70150e173740fe5fe9b00285b47b60de
SHA1 91b7699f142f5d41bbda9c24468c0cf4b75d7426
SHA256 dc9e977713016621a4d09cbac7809ca1b9d6c3c2fb63100f6b8857f01bcd1196
SHA512 e225d4c24b07b8b43a72b369efbe22085991114a5c3ee33fed65d017b8ef9c1c9b3ae75be0701c4283681aa311a09f26bf378c7f23cc1f5f777319874453e833

C:\Users\Admin\542A49~1\IUfBHT.VPT

MD5 9c160bfbdb99f4fce6e270936b46b7d0
SHA1 a250c33e8f5e590a369b5406a8462817ee11d14d
SHA256 449ad064deabcd2cc96e131527accadafe685103724c4365127468a58ef81bbc
SHA512 36afa7693e648d954ccc72c423dc7c3fa9c05503c6eb3632410ae566897f60192bae87c8933875954e6f3baba28284e29d260fd90fbe1f8accec5bc6168932ae

C:\Users\Admin\542A49~1\RRBJLL~1.ALR

MD5 a397e3dfaf6c4df090004c47d2e29d22
SHA1 8e76f79d34c2498c761fbaa00eb6fc14d56ea813
SHA256 991a74e23f24d62660ff47b72435145fcfc438b5e69c14ae5d1c518ecfd83eb4
SHA512 8bbc17fe03c9060a32773590169684249a6d035fa0f976c10de4f07f3bfdb60e09261be7d548ac5b2dab8f0054cbcd7c43d9ec3d79778d137e1c5ee919c6d89c

memory/1824-65-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1824-68-0x0000000000099860-mapping.dmp

memory/1824-67-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1824-69-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1824-71-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1824-73-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1824-75-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1824-76-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1824-78-0x0000000010410000-0x0000000010480000-memory.dmp

memory/1204-81-0x0000000010410000-0x0000000010480000-memory.dmp

memory/1820-84-0x0000000000000000-mapping.dmp

memory/1820-86-0x0000000074761000-0x0000000074763000-memory.dmp

memory/1824-87-0x0000000010480000-0x00000000104F0000-memory.dmp

memory/1820-92-0x0000000010480000-0x00000000104F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 91480253b7d1de28ccde41e8cbb1da10
SHA1 4f0db59cf4cfc47e6518fa8a79900c01708fb326
SHA256 b3a07e078667558994034ecce19b995c583b45c6332008e7f466f53ad42ea38b
SHA512 99341ac9e688b1b33d9358481d22c87c22bfede820ad8fe4f7587dc7d6b3b5732e78555a1c52454c84392285e90001c77ec07d3acd4d9f3b8f0f51b6e5ad0d4b

C:\install\FlashPlayerPlugin_11_9_900_175.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

memory/1820-95-0x0000000010480000-0x00000000104F0000-memory.dmp

memory/1824-97-0x00000000104F0000-0x0000000010560000-memory.dmp

memory/1292-101-0x0000000000000000-mapping.dmp

memory/1824-104-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/1292-109-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/1292-110-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/1824-111-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1312-112-0x0000000000000000-mapping.dmp

C:\Users\Admin\542A49~1\run.vbs

MD5 c735bed0f11b2aa8c978be1417eb4503
SHA1 b46cbc79b2dee40c44c72fe3eca7d45e001e2eb6
SHA256 cf87f1aa3122701b50570303d6663bf313c9dc5b1418785c0c44eb2d4409510a
SHA512 8255176e00ab93d1765b3ed4197c5a7e17cd87b62b57bca458068df2d7d3ba5510b0e0673373605cce4ad53168bcbcb7ca5744ba276267a64473250a71b7706e

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1668-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1292-120-0x0000000010560000-0x00000000105D0000-memory.dmp

memory/1996-124-0x0000000000099860-mapping.dmp

memory/1996-132-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1996-133-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/1800-134-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1932-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/108-144-0x0000000000099860-mapping.dmp

memory/108-152-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/108-153-0x0000000000090000-0x00000000000DB000-memory.dmp

memory/828-154-0x0000000000000000-mapping.dmp

\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1624-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
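
The Files section above lists the same dropped executable many times under three spellings of its path (`\Users\...`, `C:\Users\...` and the short name `542A49~1`), interleaved with memory dump names that carry no hashes. The script below is an added example, not part of the report: it parses the path / MD5 / SHA1 / SHA256 / SHA512 blocks, collapses them to one entry per SHA256 with every path the file was seen under, and marks entries whose digests are those of empty input (computed with hashlib rather than hard-coded), which is what the `\??\PIPE\srvsvc` entry turns out to be. The embedded text is a subset of the listing above.

```python
import hashlib

# Subset of the behavioral1 Files section, copied verbatim from the report.
FILES_SECTION = r"""
\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1900-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\542A49~1\run.vbs

MD5 c735bed0f11b2aa8c978be1417eb4503
SHA1 b46cbc79b2dee40c44c72fe3eca7d45e001e2eb6
SHA256 cf87f1aa3122701b50570303d6663bf313c9dc5b1418785c0c44eb2d4409510a
SHA512 8255176e00ab93d1765b3ed4197c5a7e17cd87b62b57bca458068df2d7d3ba5510b0e0673373605cce4ad53168bcbcb7ca5744ba276267a64473250a71b7706e

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_ALGOS = ('md5', 'sha1', 'sha256', 'sha512')


def parse_files(text=FILES_SECTION):
    """One dict per path/hash block; memory dump names carry no hashes and are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        algo, _, digest = line.partition(' ')
        if algo.lower() in HASH_ALGOS and current is not None:
            current[algo.lower()] = digest.lower()
            if all(a in current for a in HASH_ALGOS):   # block complete after SHA512
                entries.append(current)
                current = None
        elif line.startswith('memory/'):
            continue
        else:
            current = {'path': line}                   # anything else starts a new file block
    return entries


def dedupe(entries):
    """Group blocks by SHA256, keeping every path spelling and the number of times it was listed."""
    empty = {a: getattr(hashlib, a)(b'').hexdigest() for a in HASH_ALGOS}
    out = {}
    for e in entries:
        s = out.setdefault(e['sha256'], {'paths': set(), 'count': 0,
                                         'md5': e['md5'], 'sha1': e['sha1'], 'sha512': e['sha512']})
        s['paths'].add(e['path'])
        s['count'] += 1
        s['empty'] = all(e[a] == empty[a] for a in HASH_ALGOS)   # digests of zero-length input
    return out


if __name__ == '__main__':
    for sha256, s in dedupe(parse_files()).items():
        tag = ' (empty content, not a usable IOC)' if s['empty'] else ''
        print(f"{sha256} x{s['count']}{tag}")
        for p in sorted(s['paths']):
            print(f'    {p}')
```

The unique SHA256 list this produces is what goes into a blocklist or hunt query; the empty-content flag keeps the named-pipe entry, whose digests are simply those of zero bytes, from being exported as if it were a file indicator.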