Malware Analysis Report

2025-08-11 01:26

Sample ID 240229-gyk51sgg84
Target addfc1ec8a277f7692892fff20e5490e
SHA256 ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6
Tags
aspackv2 persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6

Threat Level: Likely malicious

The file addfc1ec8a277f7692892fff20e5490e was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 persistence

Adds policy Run key to start application

ASPack v2.12-2.42

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 06:12

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 06:12

Reported

2024-02-29 06:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Windows\system\sgcxcxxaspf080615.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080615.dll tanlt88" C:\Windows\system\sgcxcxxaspf080615.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\inf\svchostc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\inf\svchostc.exe N/A
N/A N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\inf\svchostc.exe C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File opened for modification C:\Windows\SysWOW64\inf\svchostc.exe C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\SysWOW64\inf\sppdcrs080615.scr C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\SysWOW64\inf\scsys16_080615.dll C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\tdcbdcasys32_080615.dll C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\twftadfia16_080615.dll C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File opened for modification C:\Windows\twisys.ini C:\Windows\SysWOW64\inf\svchostc.exe N/A
File opened for modification C:\Windows\twisys.ini C:\Windows\system\sgcxcxxaspf080615.exe N/A
File created C:\Windows\tdcbdcasys32_080615.dll C:\Windows\system\sgcxcxxaspf080615.exe N/A
File opened for modification C:\Windows\twisys.ini C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\system\sgcxcxxaspf080615.exe C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Nearly every entry below is ordinary per-user state written by the IEXPLORE.EXE instances the sample launched (recovery, zoom, search-scope and window-placement keys). The one value written by the sample's own process is Main\Check_Associations = "no", set by sgcxcxxaspf080615.exe, which suppresses Internet Explorer's default-browser prompt.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415349062" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Windows\system\sgcxcxxaspf080615.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9EBA5C01-D6C9-11EE-A30C-E60682B688C9} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2856 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 2856 wrote to memory of 2416 (4 writes) N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2480 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 2480 wrote to memory of 2952 (5 writes) N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2952 wrote to memory of 1544 (4 writes) N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
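The rows above list one write call per line, which becomes hard to read on a longer run. The following is an added example, not part of the sandbox report, that parses rows in this flattened "Description Indicator Process Target" layout into a process tree with a per-edge write count. The input is a constructed, trimmed copy of the behavioral1 rows (repeats reduced); the PIDs and image paths are the ones this report records.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed copy of the behavioral1 WriteProcessMemory rows,
# in the report's flattened layout (repeats reduced so the counter has work to do).
SAMPLE_ROWS = r"""
PID 2196 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 2196 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 2856 wrote to memory of 2416 N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 2480 wrote to memory of 2952 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2952 wrote to memory of 1544 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2480 wrote to memory of 2952 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
"""

# Both image paths may contain spaces ("C:\Program Files (x86)\..."), so the row
# is split at the last " C:\" rather than on whitespace: the greedy group takes
# the source path, the final group the target path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.*) (C:\\.*)$")


def parse_rows(text):
    """Return ({(parent_pid, child_pid): write_count}, {pid: image_path})."""
    writes = Counter()
    images = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        parent, child = int(m.group(1)), int(m.group(2))
        writes[(parent, child)] += 1
        images[parent] = m.group(3)
        images[child] = m.group(4)
    return writes, images


def build_tree(writes):
    """Return (roots, children): roots are PIDs that were never written to."""
    children = defaultdict(list)
    for parent, child in writes:
        if child not in children[parent]:
            children[parent].append(child)
    all_children = {c for _, c in writes}
    roots = sorted({p for p, _ in writes if p not in all_children})
    return roots, children


def render_tree(text):
    """Render the chain as indented lines, one process per line."""
    writes, images = parse_rows(text)
    roots, children = build_tree(writes)
    lines = []

    def walk(pid, depth, count):
        suffix = f" [{count} write(s) by parent]" if count else ""
        lines.append("  " * depth + f"{images[pid]} (PID {pid}){suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, writes[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS)))
```

On the real report the same parser collapses the 21 rows into five edges; a root that is not the submitted sample, or a child written to by more than one parent, is the kind of anomaly worth a second look.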

Processes

Process chain, parent to child, as recorded by the WriteProcessMemory entries above: addfc1ec8a277f7692892fff20e5490e.exe (PID 2196) -> svchostc.exe (2856) -> cmd.exe /c c:\mylstecj.bat (2416) -> sgcxcxxaspf080615.exe i (2480) -> IEXPLORE.EXE (2952) -> IEXPLORE.EXE (x86, 1544).

C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe

"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"

C:\Windows\SysWOW64\inf\svchostc.exe

"C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080615.dll tanlt88

(The command line and the persistence value both name system32\inf, but the sample is a 32-bit process, so WOW64 file-system redirection placed the dropped file under SysWOW64\inf, which is the image path recorded above.)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"

C:\Windows\system\sgcxcxxaspf080615.exe

"C:\Windows\system\sgcxcxxaspf080615.exe" i

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2

Network

The only destinations recorded are Internet Explorer's own endpoints (a DNS query for api.bing.com and three TLS connections to ieonline.microsoft.com); the report records no other outbound traffic.

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Windows\twisys.ini (first capture: zero-length, so the hashes below are those of empty input; the file is rewritten repeatedly during the run and each later twisys.ini entry is another captured version)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Windows\SysWOW64\inf\svchostc.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Windows\twftadfia16_080615.dll

MD5 4b0a833136e7db417c3553674fae561e
SHA1 8cec9a200575227bbc45566b7f16d688e2dcedda
SHA256 7502fe8ead3a2d449643981fc9aa06370675ea4c3348161f1926c6bdf0a563cc
SHA512 b945ce854f58857d6d7f2624a6f98aa5fa3e6188e9f3baafa91ee920fb0818e486a9e521179f15500370a8b18ea07ab7ad33683165af154d3a962090cf16dcb6

memory/2196-46-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Windows\twisys.ini

MD5 0fb7f4692482afc5f6f3ccbf08f62948
SHA1 a534f4dee03ce489c32bb2515d2324a03c0ef24a
SHA256 6190340f935e87c36666da60370fdddac8ecefc482494ccd5aa56803a51a20d0
SHA512 f6f090fc7a1848bd4ca4553ef3751b478b4f95d171bd48d55e6668c1381f37e4fe4cee88e26141a9687a3a086aa21d558a658330a1438ac4aef14bc3393c18b0

\??\c:\mylstecj.bat

MD5 da1246d60fb14fd94892aed08d4efdea
SHA1 9cbb3efeb757112bea4538923727eb6aac9d852e
SHA256 676b0f775d503b049bddbdc12898718483b6a4dfc692fc4c3d9fc07fdd0be234
SHA512 0d6ecbc5ed71133ba1ea3b83fdcd29162d6972edc3524bcc47c233c394f24c6b1c09a7b3cbb00cda10ce9497610ecfcb5b8714f0eb8a7750e953b084e623cdc9

C:\Windows\system\sgcxcxxaspf080615.exe (byte-identical to the submitted sample: same MD5 and SHA256 as in the header)

MD5 addfc1ec8a277f7692892fff20e5490e
SHA1 583c8d6eced0c465c2dd2a9afb47739a4d163c03
SHA256 ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6
SHA512 1c93eeb62b428bf5c4aac5a91de7819565775a107d82e07be84dbefda8a4643b9aedbebb76f13e133d1fb23d29326ca86671f6dcbbd8dd04add5eb895f7f762a

C:\Windows\twisys.ini

MD5 cc72aef041857e3e9ff2f15086e2ae99
SHA1 3afb52c396174e2604c78c8c807a246c8619f1e4
SHA256 418c868147c2f2aa1c9b988ef8f489ab312229be4bc346ce88e0823fbfb9f101
SHA512 4dbe7201d2021dd0e08d8f3d6bb56a94cd1e213606eb8f629ba7ea73c74928c2f1bcf77107bf732ded22067663cce3d0d2089ebd5e6048472643aa22d8b05b37

C:\Windows\twisys.ini

MD5 e9f1507c7900c1ae4af3a2186f145c9f
SHA1 00ffa170d8972a2fa2d756308b73b9ccbac5adb2
SHA256 de39ea4dd4d0502427dfb422cf63ffb06eaa984cb87605210c5b9ea221169246
SHA512 ac7755bfb33375b1f85bb1687f26d61ab0b2b8ed0981c3ddfddef59a421cd5904e054e5fd5d321bc7b370661bc56a07efd9391b42925dd172c857c37bbacf186

memory/2480-66-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Windows\tdcbdcasys32_080615.dll

MD5 9ffcad679063d56de00784483f203367
SHA1 ae617a526451e6e286ba393d49bde048f43ec4c6
SHA256 ecc842b207eb390c9b17215975f409719ca323064783c8646f1e15a01ea7e939
SHA512 7ba6f805fbbbbd78fe2ddf3c47ea0b284a9d5046690c1ebdb498b594c5345b77b0fce84c1e3848ed707299f7a7a788fb21bd6702ea3461e9db9f54d7bb767b7f

C:\Windows\twisys.ini

MD5 cf5a25fcbd841f46d05bf61739112940
SHA1 4a6cee80fc764aa0ddb582dc769769600c1103a2
SHA256 38831f11afb10e5f9f4deca22b71857eaa957560754513efc56037cc2e4f5557
SHA512 3ec2655904c162c2004f62aa5124140460aac999d21b4fae448b8a3fe59cc3d562e70603484508659408137a99302e993e6dae5e3319459d2a738cf24ebad72d

C:\Users\Admin\AppData\Local\Temp\Cab8FD2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Windows\twisys.ini

MD5 47f61b2803f63d625c8c3f10fdcc0219
SHA1 e24a8207d60017abe7c6196606205b90639b43e5
SHA256 14a2d6ed4012615f0b846caff6ce04c276b69c1967cbb95dbd5753edfe9db9c1
SHA512 9897ec3b260ea54b83c70ac61ba503e8124a480c94dc643f78e48e75b94d13f8f8082f3d66445a08614891d510aaa77b6d5696baa196c12dbf0bebbae55e1d9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (CryptoAPI URL-retrieval cache; the MetaData entries that follow are successive versions of the matching metadata file)

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar9123.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 628a7786e90d47c819dd8dd4c6c7e6da
SHA1 64c28f5a487d5181276ca71d6a8ad5f716d56a31
SHA256 6b7c819361f156a6dda60eff4daf45206c57063691f747cb67dfe2c0ccfecf18
SHA512 f8d11063ce2f06746cbe122ff573a65b9f474040d17f430903ec837b3e74de81ebb4176ba313bd6e1555703ce89ed5d57c8194278c94718566568328381ce9a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b357d2cbc285e8750b9152bbb8ac2f4
SHA1 9c95f8c6611fe01c59990db4c8934d58d36b9fbf
SHA256 d74b61a59408b8f351802e68dc4fc7f1f91b416585d3bfa4d970c797f20f9d5c
SHA512 dfe1c0a191145d9f661556217a76aa8299e7b132152cd574f38690d275571a46ef3c391981fe9f2095780bf6b4a1ce4fe4a3ab04802744255003d1bf7af97005

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0373472fbb0207348c6c1700f6f9ddc
SHA1 50f19658cc948ac62e567dbc5af93e7c6bcab8c1
SHA256 285a22bc589ca6e4a31fd5880b334ed63c47bac076a315331efdf18858b8c311
SHA512 bc160e7d723ddc964a23de7df47dd0660d31be9afe358c31a31d6c529bec059d2d9cd9e40e3bf4201830b1c7ed1b2e40c58413eda338a9ece9aa15f322dd3423

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87bf4257033b240387d9ca64f39d1821
SHA1 ec984058a21ac3e8a81047b50e497a7f18629b93
SHA256 ab1ece41fad68314278b800ec182692e0f98253a2dd5b8897119f9a94a1f6f08
SHA512 b993bc7d79aa2e7ce23ef0ea1d576ef3402122e1a2c660cb972db9b1a95f0851f65de1988ba069643e4b2aa42fd2c88a209bb56c4d2f63ec8d4f72f5fc407a24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c07ffcbee2b6443019bade4c5b8ace4
SHA1 b4aa619b378069590a050c9163e88ab69ebcdc92
SHA256 86befed9b2aaaa1a1ba6c1d7a80fab5f1a50a041cff3b162521945c4c234f20a
SHA512 e26a3b6e4e77c90c24e9f5f18a3897f7f0a46bed829f8ccc8e71b81194baa12649f279f6d32ba3d11deb9814616972562158266f9277414d8885cda3082f29d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f98d6310028e85a53fff30419ce0c504
SHA1 e9a1973dd5d0cd3841f037e43f643f1b9721ce7e
SHA256 b2b9f53178401ad184e82c7f6ea33f06bddac207c2f95619a523666b7d9b41e8
SHA512 eec066148b358b96f227c29d06b3d216fe12489618f8a3a677b749c18d17cb7b763570ac914236cb41b97fae4456a06a94f8e723b82ae06c9efab260c15b4879

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ace43d1377de0989b8ad5ed0edeb028b
SHA1 da1f160648aac8644027a00bbc87f799ea1e4b35
SHA256 00ce87424d6c1266f7313a3db18b3bd5208b49408e30f18b4671436ad8f4031f
SHA512 29bb7dc0b5e448447a3a8b32aa1440646731dbbd3a3c312624aae63380006f0789e1f9fccc564d4b9613680441e1433ac37ef33d531c55f6f2c2ae36109da3b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5fc74b9edcea02d70cbb6dbc883a8dc
SHA1 4fc3dbeeff26df72df52e76ade95733cb4100d04
SHA256 f835d0ee18c6fe6f9eb1746a5902b5015371c6a1c406280011e1e01effb2038d
SHA512 c4262acfea015f8be4eed11260086f56648b089f4a09be4199ff07c9eea2230cb5da4afd83a546031d6792d4144eaac344db19b7f9dfb5018f5f5f19553be930

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fba7b52b713c091738a537d6a5d0574
SHA1 24c77d7d0012af8ff17a4603b5f115f75cea38c1
SHA256 09a98feba2d14848e42f13d56fb0b632faeb75e5dc58934a87e2244c119e2b34
SHA512 2bd04556224f69f1a82097a7a92dcae57317227b985cd275e71c0cf05cbfe1cf80e101993216bf889166dce372b12ada18ec4dd59678e4b0fd7507efa57bc6cf

memory/2480-402-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2480-433-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6ba016065133a82f23d4bea7e2ac205
SHA1 ae965da97a34ced9ce52a102e97f1013a93aaa50
SHA256 f9e53967ea20b3e7648c83543a539d0f43b99c1ded1cc393256c4bc731fede0c
SHA512 8be615f3a0ac4cc31a10fef6d11234b86b40532896cd011e80670c2ea3370a3e838e56f02e7583fa0da1a13af9bc6fa1b7268ba00aac00207aa48215141d6af9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6042098e429130281af2907ef5cf2070
SHA1 0383ed916c09034640c5a9e42db0f4bd5ed91997
SHA256 2b9bc6fd4454981afb5802a42c58277cc95f0a51a055db231c7784efa053a213
SHA512 d114a226d265c1933f5b6dcbd17599aea0116f405c14362818e126bf15ff975dddad90cb81603045500804dbadf3f324487d416c3bff6c82d6f6a13a4c04ff59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb2510166bbc7634b858376dd8e337a8
SHA1 68fdc7ebbad2632dc4398d1e7720f322045d07df
SHA256 ca5b0121039a907a8fb5ba8e7f4b3cbb60ab959409ef5d2894a2201dd4c696b2
SHA512 04099c641be094092c66e99f641b8fcb67509956866230c3951b94fbc191855ca333f8738f5833ee37d5768e6cac9b408621a41b4e5e997341368eb2d690c925

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24cb1252158f87216e7e6d5c0b413ffc
SHA1 fc706b790f81ff018a220ce027f28fd6c0da0d7e
SHA256 a30b4bad7a1a6d49bf67ce751862ab12a6fca5f2a0f76de597ee24ca67865c7c
SHA512 05f8b4fba81e95eb948367d17e901b6f201e3dd0ed4b11e2770607de62e4e9572ddea542187cd2633efd25dcc628541d25c81ff205fa3cd2bca0613908fedfa9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f6c30ff2aae62e2b5eb167a577b4fdd
SHA1 8f8016b4d0c1dc63882b94e36b2eb6805e35c820
SHA256 1eb023b855dfa0c919536fdd74623e915b3f24250f1e656910e425288ea9f2f9
SHA512 5db06dc4c4200414c82cc92f39c4aedb6b08c8bc85df711f757828fd3a255f8fdeb360767dbfa195449d362c11787778eea717d9ea451697fec24f370ae43b88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f69a82719025a0371bfe78430fcab4f
SHA1 1306f005d7ee434918d0f1da82c72b38ebd7fea8
SHA256 c7eca67cf87a740a7728ea2d27da7f1ae3cacc599901134c3fe469790cc6a41f
SHA512 3dd030076c32a1bf936ba933a54270de1510ff6e309a86a8b3f7c37bb7fb7cea43ed816a85dae5eb49b480aa96d5042306ec4e55f2b1d4759e6801000d53964b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3e3d0d9ce8121ee29d4e003e695abd2
SHA1 aef07038b1bc10ed9eaf1cceec5bbf98b670da30
SHA256 c55208c47def808d2f24d2c6cc8bf17da01a714fe87ac10e8e5e5427bf3a8a33
SHA512 5b5a36b7714a677df1356ab589b4776a6a3398c03de7c75472b2b9b32fb50df3efe057104aedfa09fd44422a6480cf53f9a6fcae22d496d991b83d2404697eae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a68b92a0f6725bf98a82f7a00579cebf
SHA1 04bdf341c7202334d47171a8e333bf2d11afa45c
SHA256 9a043837857b1085c3a13fae0acbb04cff93c5eb0178d5f0a427c5c85f2d4997
SHA512 6a846a164dca546f5324293bfc644e9155e9154c28e404e4d93d8854986323382692a4bb90ecf0196629251017fe48737a5a2f854df95acf3c434015a6f6bf12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 614982c3367914b6fbea439c789eaabe
SHA1 f03b5f25c7641cf9dbbe28ad7c5d7ac3fcdc123e
SHA256 9a617d4cb3510bf879b73894c5cbb8ca7c01451ada405b7ac20058503f533b57
SHA512 87e5ffa7151204dd9c9b52b3ce04318573e28383bca0f8742e7915c46defd48246ae244dbce858c14af5b9c61893af805c64f30876befa3568168becac20aa9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e07981af016fe43f3eaac007e73a97e
SHA1 837ad615b4e34d26f6a6f7e8382209d96737b626
SHA256 2be582b78d7c28661bc23ae44a267a617329fdff8af127471850831334f4179d
SHA512 7d2dd3b8823d204d6d423cbbde4f1df837d6bb5947f7675a751a3c8e4af45a29b14b5df8c517ba52c617da4c796650913f47f8daabc35aabfb3e5c58ad9544ad

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 06:12

Reported

2024-02-29 06:15

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Windows\system\sgcxcxxaspf080615.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080615.dll tanlt88" C:\Windows\system\sgcxcxxaspf080615.exe N/A
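The Policies\Explorer\Run value recorded in behavioral1 and again here is the sample's persistence mechanism: a value name that imitates Winlogon's Userinit, an executable named after svchost but placed under inf, and a dropped DLL handed to it as an argument. The block below is an added example, not part of the report, of detection logic a defender could run over registry-set events (for instance Sysmon Event ID 13 output) to rank autorun entries by how many of those traits they carry. The events are constructed: the first reproduces the value this report records, the other two are invented comparison cases; the lists of unusual directories and name stems are assumptions to tune for an environment.

```python
import re

# Policies\Explorer\Run is empty on most hosts unless Group Policy populates it,
# so any entry is worth a look; the other checks grade how bad it looks.
POLICY_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run$", re.IGNORECASE)

# Assumptions for this example: %SystemRoot% subdirectories that should never
# hold an auto-started executable, system binaries whose names get imitated,
# and Winlogon value names that get imitated.
ODD_SYSTEMROOT_SUBDIRS = ("\\inf\\", "\\system\\", "\\fonts\\", "\\temp\\")
SYSTEM_BINARY_STEMS = ("svchost", "csrss", "lsass", "winlogon", "explorer")
WINLOGON_VALUE_STEMS = ("userinit", "shell")

# Constructed events as (key_path, value_name, value_data). The first is the
# value this report records, copied with the sandbox's doubled backslashes;
# the second and third are invented benign and GPO-style comparison cases.
SAMPLE_EVENTS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run",
     "nyuserinit",
     r"C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080615.dll tanlt88"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "1",
     r'"C:\Program Files\Vendor\agent.exe" /service'),
]


def split_command(cmd):
    """Split 'exe args', honouring a quoted executable path that contains spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def analyse_autorun(key_path, value_name, value_data):
    """Return the list of reasons an autorun value looks like malware persistence."""
    # Sandbox reports render registry data with doubled backslashes; undo that.
    value_data = value_data.replace("\\\\", "\\")
    exe, args = split_command(value_data)
    exe_l, name_l = exe.lower(), value_name.lower()
    stem = exe_l.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if POLICY_RUN_RE.search(key_path):
        reasons.append("Policies\\Explorer\\Run entry (normally empty unless set by Group Policy)")
    if exe_l.startswith("c:\\windows\\") and any(d in exe_l for d in ODD_SYSTEMROOT_SUBDIRS):
        reasons.append("executable lives in an unusual %SystemRoot% subdirectory: " + exe)
    if any(stem.startswith(s) and stem != s for s in SYSTEM_BINARY_STEMS):
        reasons.append("executable name mimics a Windows system binary: " + stem)
    if ".dll" in args.lower():
        reasons.append("a DLL path is passed as an argument: " + args)
    if any(w in name_l for w in WINLOGON_VALUE_STEMS):
        reasons.append("value name mimics a Winlogon setting: " + value_name)
    return reasons


def triage(events):
    """Map 'key\\name' to its reasons, most suspicious entry first."""
    scored = {f"{k}\\{n}": analyse_autorun(k, n, d) for k, n, d in events}
    return dict(sorted(scored.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{len(reasons)}  {entry}")
        for r in reasons:
            print("     - " + r)
```

Run against this report's value the entry scores on all five checks, the invented GPO entry scores only on the key itself, and the user Run entry scores nothing; the point of grading rather than matching a single string is that the same dropper family changes file and value names between builds while keeping these traits.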

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\inf\svchostc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\system\sgcxcxxaspf080615.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\inf\svchostc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\inf\svchostc.exe N/A
N/A N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\inf\svchostc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\inf\svchostc.exe C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File opened for modification C:\Windows\SysWOW64\inf\svchostc.exe C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\SysWOW64\inf\sppdcrs080615.scr C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\SysWOW64\inf\scsys16_080615.dll C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\twisys.ini C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\system\sgcxcxxaspf080615.exe C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\tdcbdcasys32_080615.dll C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File created C:\Windows\twftadfia16_080615.dll C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
File opened for modification C:\Windows\twisys.ini C:\Windows\SysWOW64\inf\svchostc.exe N/A
File opened for modification C:\Windows\twisys.ini C:\Windows\system\sgcxcxxaspf080615.exe N/A
File created C:\Windows\tdcbdcasys32_080615.dll C:\Windows\system\sgcxcxxaspf080615.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

As in behavioral1, the entries below are almost entirely Internet Explorer's own per-user state (VersionManager, DomainSuggestion, recovery and GPU keys) written by the IEXPLORE.EXE instances the sample launched; the only value written by the sample's own process is Main\Check_Associations = "no", set by sgcxcxxaspf080615.exe.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Windows\system\sgcxcxxaspf080615.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A4348B60-D6C9-11EE-9216-EA08C850D01B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2022689320" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415952177" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31091414" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31091414" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31091414" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2025345639" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2022689320" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system\sgcxcxxaspf080615.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 1748 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 1748 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 2948 wrote to memory of 3540 N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3540 N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3540 N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 3540 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 3540 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 3924 wrote to memory of 1008 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3924 wrote to memory of 1008 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3924 wrote to memory of 1008 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe

"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"

C:\Windows\SysWOW64\inf\svchostc.exe

"C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080615.dll tanlt88

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"

C:\Windows\system\sgcxcxxaspf080615.exe

"C:\Windows\system\sgcxcxxaspf080615.exe" i

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:17410 /prefetch:2
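Collapsing the "Suspicious use of WriteProcessMemory" rows and the Processes list above into a single process chain, as an added example (editor's code, not part of the sandbox report). The PIDs, image paths and command lines are the ones printed in this section; the two anomaly rules at the end are the editor's own triage checks, not sandbox signatures.

```python
"""Rebuild the detonation's process chain from the 'Suspicious use of
WriteProcessMemory' rows and the Processes list above.  Added example, not
part of the sandbox report; WPM_ROWS and CMDLINES are copied from the report."""
import ntpath
import re
from collections import defaultdict

# The sandbox prints one row per WriteProcessMemory call the parent makes while
# setting up the child, so the same parent->child edge appears two or three times.
WPM_ROWS = r"""
PID 1748 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 1748 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 1748 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe C:\Windows\SysWOW64\inf\svchostc.exe
PID 2948 wrote to memory of 3540 N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3540 N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 3540 N/A C:\Windows\SysWOW64\inf\svchostc.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 3540 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 3540 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system\sgcxcxxaspf080615.exe
PID 3924 wrote to memory of 1008 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3924 wrote to memory of 1008 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 2200 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3924 wrote to memory of 1008 N/A C:\Windows\system\sgcxcxxaspf080615.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
"""

# Command lines from the Processes list, keyed by the image path the rows use.
CMDLINES = {
    r"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"',
    r"C:\Windows\SysWOW64\inf\svchostc.exe":
        r'"C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080615.dll tanlt88',
    r"C:\Windows\SysWOW64\cmd.exe": r'"C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"',
    r"C:\Windows\system\sgcxcxxaspf080615.exe": r'"C:\Windows\system\sgcxcxxaspf080615.exe" i',
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"',
    r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE":
        r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:17410 /prefetch:2',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$", re.I)

def parse_edges(rows):
    """Collapse repeated rows into unique (parent_pid, child_pid) edges with a write count."""
    edges = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            e = edges.setdefault((int(m[1]), int(m[2])),
                                 {"parent": m[3], "child": m[4], "writes": 0})
            e["writes"] += 1
    return edges

def chain_pids(edges):
    """Follow the parent->child path from the root (assumes one root, one child each)."""
    kids = defaultdict(list)
    for ppid, cpid in edges:
        kids[ppid].append(cpid)
    pid = (set(p for p, _ in edges) - set(c for _, c in edges)).pop()
    path = [pid]
    while kids[pid]:
        pid = kids[pid][0]
        path.append(pid)
    return path

def describe_chain(edges, cmdlines):
    """One line per process: pid, image, writes received from its parent, command line."""
    imgs, writes = {}, {}
    for (ppid, cpid), e in edges.items():
        imgs[ppid], imgs[cpid], writes[cpid] = e["parent"], e["child"], e["writes"]
    return [f"{pid} {imgs[pid]} (writes from parent: {writes.get(pid, 0)}) "
            f"cmd: {cmdlines.get(imgs[pid], '?')}" for pid in chain_pids(edges)]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def anomalies(edges):
    """Editor's triage rules: a svchost look-alike outside the real system directories,
    and a browser started (and written to) by a parent that is not a browser."""
    out = []
    for (ppid, cpid), e in edges.items():
        cname = ntpath.basename(e["child"]).lower()
        if cname.startswith("svchost") and ntpath.dirname(e["child"]).lower() not in SYSTEM_DIRS:
            out.append(f"{ppid}->{cpid}: svchost look-alike outside System32/SysWOW64: {e['child']}")
        if cname == "iexplore.exe" and ntpath.basename(e["parent"]).lower() != "iexplore.exe":
            out.append(f"{ppid}->{cpid}: browser started by {ntpath.basename(e['parent'])}, which wrote to its memory")
    return out

if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    print("\n".join(describe_chain(edges, CMDLINES)))
    for finding in anomalies(edges):
        print("!", finding)
```

Read this way the report shows a six-step chain: the sample starts a svchost look-alike from C:\Windows\SysWOW64\inf with the dropped twftadfia16_080615.dll on its command line, that process runs c:\mylstecj.bat through cmd.exe, the batch file starts the copy in C:\Windows\system, and that copy launches Internet Explorer and writes into it. The repeated rows are the ordinary writes a parent makes into a child it is creating; the edge from sgcxcxxaspf080615.exe into IEXPLORE.EXE is the one to dump, since a non-browser parent launching a browser and writing to it is the usual shape of injection into a trusted process.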

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 udp

Files

C:\Windows\twisys.ini

MD5 033bcec777267cf4358ac0da4cac6dc9
SHA1 b8127384122b57e301988bf059fac49d86f83c14
SHA256 78313879e727cfc88bbc95ae05af2893e7699a29c14fb3ca421c72c3b0b357a7
SHA512 12fb21c483a752606fd51ce44fbdf1ca2cbfe9694ffc466ab89fcc7f71fcfe6832ab958148d12f7fe66cd043893b32d72544628ba577704a7fbd916fe0f3c768

C:\Windows\SysWOW64\inf\svchostc.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/1748-52-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Windows\twftadfia16_080615.dll

MD5 4b0a833136e7db417c3553674fae561e
SHA1 8cec9a200575227bbc45566b7f16d688e2dcedda
SHA256 7502fe8ead3a2d449643981fc9aa06370675ea4c3348161f1926c6bdf0a563cc
SHA512 b945ce854f58857d6d7f2624a6f98aa5fa3e6188e9f3baafa91ee920fb0818e486a9e521179f15500370a8b18ea07ab7ad33683165af154d3a962090cf16dcb6

C:\Windows\twisys.ini

MD5 0fb7f4692482afc5f6f3ccbf08f62948
SHA1 a534f4dee03ce489c32bb2515d2324a03c0ef24a
SHA256 6190340f935e87c36666da60370fdddac8ecefc482494ccd5aa56803a51a20d0
SHA512 f6f090fc7a1848bd4ca4553ef3751b478b4f95d171bd48d55e6668c1381f37e4fe4cee88e26141a9687a3a086aa21d558a658330a1438ac4aef14bc3393c18b0

C:\Windows\system\sgcxcxxaspf080615.exe

MD5 addfc1ec8a277f7692892fff20e5490e
SHA1 583c8d6eced0c465c2dd2a9afb47739a4d163c03
SHA256 ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6
SHA512 1c93eeb62b428bf5c4aac5a91de7819565775a107d82e07be84dbefda8a4643b9aedbebb76f13e133d1fb23d29326ca86671f6dcbbd8dd04add5eb895f7f762a

\??\c:\mylstecj.bat

MD5 da1246d60fb14fd94892aed08d4efdea
SHA1 9cbb3efeb757112bea4538923727eb6aac9d852e
SHA256 676b0f775d503b049bddbdc12898718483b6a4dfc692fc4c3d9fc07fdd0be234
SHA512 0d6ecbc5ed71133ba1ea3b83fdcd29162d6972edc3524bcc47c233c394f24c6b1c09a7b3cbb00cda10ce9497610ecfcb5b8714f0eb8a7750e953b084e623cdc9

C:\Windows\twisys.ini

MD5 cc72aef041857e3e9ff2f15086e2ae99
SHA1 3afb52c396174e2604c78c8c807a246c8619f1e4
SHA256 418c868147c2f2aa1c9b988ef8f489ab312229be4bc346ce88e0823fbfb9f101
SHA512 4dbe7201d2021dd0e08d8f3d6bb56a94cd1e213606eb8f629ba7ea73c74928c2f1bcf77107bf732ded22067663cce3d0d2089ebd5e6048472643aa22d8b05b37

memory/2948-65-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\twisys.ini

MD5 87c70147b275110dff5c42d2db300398
SHA1 25a35b0297783b2f3b46998072d1e3deeb9f8aa0
SHA256 f98de0d242dfb3a3c393be55c74c7f1c0e4f7f5fd9da16e5ad56079b596f99dc
SHA512 1d77f90a865bec01b56e9afeccfc006b4896d1963a6468a6b6285f180870da0acb9594eb6822f4fb533bd107a2d59eb03325adee047a86778e3ccf0d2e459ddc

C:\Windows\twisys.ini

MD5 e9f1507c7900c1ae4af3a2186f145c9f
SHA1 00ffa170d8972a2fa2d756308b73b9ccbac5adb2
SHA256 de39ea4dd4d0502427dfb422cf63ffb06eaa984cb87605210c5b9ea221169246
SHA512 ac7755bfb33375b1f85bb1687f26d61ab0b2b8ed0981c3ddfddef59a421cd5904e054e5fd5d321bc7b370661bc56a07efd9391b42925dd172c857c37bbacf186

memory/3924-73-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2948-74-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\tdcbdcasys32_080615.dll

MD5 9ffcad679063d56de00784483f203367
SHA1 ae617a526451e6e286ba393d49bde048f43ec4c6
SHA256 ecc842b207eb390c9b17215975f409719ca323064783c8646f1e15a01ea7e939
SHA512 7ba6f805fbbbbd78fe2ddf3c47ea0b284a9d5046690c1ebdb498b594c5345b77b0fce84c1e3848ed707299f7a7a788fb21bd6702ea3461e9db9f54d7bb767b7f

C:\Windows\twisys.ini

MD5 cf5a25fcbd841f46d05bf61739112940
SHA1 4a6cee80fc764aa0ddb582dc769769600c1103a2
SHA256 38831f11afb10e5f9f4deca22b71857eaa957560754513efc56037cc2e4f5557
SHA512 3ec2655904c162c2004f62aa5124140460aac999d21b4fae448b8a3fe59cc3d562e70603484508659408137a99302e993e6dae5e3319459d2a738cf24ebad72d

memory/3924-82-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Windows\twisys.ini

MD5 c6a0598d2f107431eff2e13f692a9dff
SHA1 2a238988a95f6d2af9e578694e7f6e9ff483f2e8
SHA256 b86a02746049603c2e2f4931fc184dc906ba30039e4dfcd62f88854156a87bd4
SHA512 4a4f02c1047f83b1f54b128bde5ef00b3e53f6c277a094f75a3dcb94ca8f6b452efd0213179e937d3855de1bcbe108433407a54322fa279f1c67d415b02f0c60

memory/3924-88-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2948-89-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/2948-109-0x0000000000400000-0x000000000040E000-memory.dmp
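Turning the Files section above into hunt-ready indicators, as an added example (editor's code, not part of the sandbox report). FILES_EXCERPT is a constructed copy of a few of the stanzas printed above; the sample SHA256 is the one the report gives for the submitted file. The point is what the stanzas imply rather than the hashes themselves: the same path listed several times with different hashes is a file the malware keeps rewriting, and a dropped file whose SHA256 equals the sample's is the sample copying itself.

```python
"""Parse the report's Files section into records and derive three things a
responder wants: unique hashes to watch for, files rewritten during the run,
and dropped files that are byte-identical to the submitted sample.
Added example, not part of the sandbox report; FILES_EXCERPT is a constructed
copy of some of the stanzas above (all values are taken from the report)."""
import re
from collections import defaultdict

# SHA256 of the submitted sample, as printed in the report.
SAMPLE_SHA256 = "ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6"

FILES_EXCERPT = r"""
C:\Windows\twisys.ini

MD5 033bcec777267cf4358ac0da4cac6dc9
SHA1 b8127384122b57e301988bf059fac49d86f83c14
SHA256 78313879e727cfc88bbc95ae05af2893e7699a29c14fb3ca421c72c3b0b357a7
SHA512 12fb21c483a752606fd51ce44fbdf1ca2cbfe9694ffc466ab89fcc7f71fcfe6832ab958148d12f7fe66cd043893b32d72544628ba577704a7fbd916fe0f3c768

C:\Windows\SysWOW64\inf\svchostc.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/1748-52-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Windows\twisys.ini

MD5 0fb7f4692482afc5f6f3ccbf08f62948
SHA1 a534f4dee03ce489c32bb2515d2324a03c0ef24a
SHA256 6190340f935e87c36666da60370fdddac8ecefc482494ccd5aa56803a51a20d0
SHA512 f6f090fc7a1848bd4ca4553ef3751b478b4f95d171bd48d55e6668c1381f37e4fe4cee88e26141a9687a3a086aa21d558a658330a1438ac4aef14bc3393c18b0

C:\Windows\system\sgcxcxxaspf080615.exe

MD5 addfc1ec8a277f7692892fff20e5490e
SHA1 583c8d6eced0c465c2dd2a9afb47739a4d163c03
SHA256 ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6
SHA512 1c93eeb62b428bf5c4aac5a91de7819565775a107d82e07be84dbefda8a4643b9aedbebb76f13e133d1fb23d29326ca86671f6dcbbd8dd04add5eb895f7f762a

\??\c:\mylstecj.bat

MD5 da1246d60fb14fd94892aed08d4efdea
SHA1 9cbb3efeb757112bea4538923727eb6aac9d852e
SHA256 676b0f775d503b049bddbdc12898718483b6a4dfc692fc4c3d9fc07fdd0be234
SHA512 0d6ecbc5ed71133ba1ea3b83fdcd29162d6972edc3524bcc47c233c394f24c6b1c09a7b3cbb00cda10ce9497610ecfcb5b8714f0eb8a7750e953b084e623cdc9
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)

def parse_files(text):
    """One record per stanza: {'path', 'md5', 'sha1', 'sha256', 'sha512'}.
    'memory/...' entries are process memory dumps, not dropped files; they come
    back with no hash keys so callers can tell them apart.  The NT object-manager
    prefix (\\??\\) is stripped so paths compare cleanly."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur[m[1].lower()] = m[2].lower()
        else:
            cur = {"path": line[4:] if line.startswith("\\??\\") else line}
            records.append(cur)
    return records

def dropped_files(records):
    return [r for r in records if "sha256" in r]

def memory_dumps(records):
    return [r["path"] for r in records if "sha256" not in r]

def versions_by_path(records):
    """Distinct contents seen per path; a count above 1 means the file was rewritten."""
    seen = defaultdict(set)
    for r in dropped_files(records):
        seen[r["path"].lower()].add(r["sha256"])
    return {p: len(h) for p, h in seen.items()}

def self_copies(records, sample_sha256=SAMPLE_SHA256):
    """Dropped files whose content is byte-identical to the submitted sample."""
    return [r["path"] for r in dropped_files(records) if r["sha256"] == sample_sha256.lower()]

def hunt_hashes(records):
    """Unique SHA256 values to load into an EDR or SIEM watchlist."""
    return sorted({r["sha256"] for r in dropped_files(records)})

if __name__ == "__main__":
    recs = parse_files(FILES_EXCERPT)
    print("rewritten:", {p: n for p, n in versions_by_path(recs).items() if n > 1})
    print("self-copies:", self_copies(recs))
    print("dumps:", memory_dumps(recs))
    print("watchlist:", hunt_hashes(recs))
```

Run over the full Files section above, the same functions report thirteen dropped-file records, seven distinct versions of C:\Windows\twisys.ini, and one self-copy: C:\Windows\system\sgcxcxxaspf080615.exe carries the sample's own MD5, SHA1 and SHA256, so the "dropped EXE" the signatures refer to is the original binary relocated into C:\Windows\system, which is also the path the Policies\Explorer\Run key points at. Hashes of twisys.ini are therefore poor indicators (the file changes on every write); the path, the svchostc.exe look-alike under SysWOW64\inf and the two dropped DLL names are the durable ones.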