ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749

Analysis

max time kernel
5s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
Size

234KB
MD5

637c95cf9c9720a455fecf175e010729
SHA1

446e85ffefe60668b5c8e1927cc1752d89df58d4
SHA256

ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749
SHA512

3d382abde2ba18c99ded17b3310c9aecb390af8ef340fae5277499bac6a5f92a600bfbf0f402a118b34a2052e144eb91acbb424cd99873a09566dfa6c55c3cc1
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoSr:2n8dI3b7ETtKKepymejF5aeDUGNoSr

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
772	SkipeTurns.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1264-56-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/816-58-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/816-60-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1352-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/816-61-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/816-67-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/816-69-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1352-70-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1352-68-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1352-75-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1352-77-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1264-76-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1352-82-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/816-83-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/816-84-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-87.dat	upx
behavioral1/files/0x000c0000000054a8-86.dat	upx
behavioral1/files/0x000c0000000054a8-90.dat	upx
behavioral1/files/0x000c0000000054a8-89.dat	upx
behavioral1/files/0x000c0000000054a8-88.dat	upx
behavioral1/files/0x000c0000000054a8-92.dat	upx
behavioral1/memory/772-96-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-97.dat	upx
behavioral1/files/0x000c0000000054a8-104.dat	upx
behavioral1/files/0x000c0000000054a8-115.dat	upx
behavioral1/memory/1800-119-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1800-123-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1800-124-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1384-129-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1800-128-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-126.dat	upx
behavioral1/memory/1800-134-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/772-132-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1352-136-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1800-140-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/816-145-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1384-148-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1760-149-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1800-150-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1800-152-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1264 set thread context of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 set thread context of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1964	ipconfig.exe
1764	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
960	reg.exe
964	reg.exe
1688	reg.exe
1592	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
772	SkipeTurns.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 816	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	28
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 1264 wrote to memory of 1352	1264	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	29
PID 816 wrote to memory of 1764	816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	30
PID 816 wrote to memory of 1764	816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	30
PID 816 wrote to memory of 1764	816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	30
PID 816 wrote to memory of 1764	816	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	30
PID 1352 wrote to memory of 772	1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	32
PID 1352 wrote to memory of 772	1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	32
PID 1352 wrote to memory of 772	1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	32
PID 1352 wrote to memory of 772	1352	ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe	32

C:\Users\Admin\AppData\Local\Temp\ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
"C:\Users\Admin\AppData\Local\Temp\ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
  "C:\Users\Admin\AppData\Local\Temp\ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe
  "C:\Users\Admin\AppData\Local\Temp\ecf6a3928c4a8193d44c7da3bde637de45ecc9ae41b51e56a81a94e1acf75749.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
    "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:772
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1964
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OWKVL.bat" "
        5⤵
        
        PID:928
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
        6⤵
        
        PID:1612
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:568
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1348
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1092
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1788
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OWKVL.bat

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
d4f8be729986127f3ae764a4a9b4d28f

SHA1
de80e036c9d723dfdc8618e4f25fbc117090e0a0

SHA256
a3d1b952b5c62e5ccae5dcbab93ea5719fa86782eff37add0d2e5504e7dc10ad

SHA512
3dc29553390ea33c73c8b9d7211e1cd3b597759a721a4f972c7ff9212b48b1ff98bfc71e313893d771837c2467f66794d5e2481e34e3da52784cd180b06fd3fe

Download Submit
memory/568-143-0x0000000000000000-mapping.dmp

Download
memory/772-91-0x0000000000000000-mapping.dmp

Download
memory/772-96-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/772-132-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/816-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-83-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-62-0x0000000000409A00-mapping.dmp

Download
memory/816-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-145-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/816-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/928-151-0x0000000000000000-mapping.dmp

Download
memory/960-153-0x0000000000000000-mapping.dmp

Download
memory/964-155-0x0000000000000000-mapping.dmp

Download
memory/1092-146-0x0000000000000000-mapping.dmp

Download
memory/1264-76-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1264-56-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1348-144-0x0000000000000000-mapping.dmp

Download
memory/1352-71-0x000000000040D570-mapping.dmp

Download
memory/1352-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-95-0x0000000002C70000-0x0000000002D4F000-memory.dmp

Filesize
892KB

Download
memory/1352-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1384-103-0x0000000000409A00-mapping.dmp

Download
memory/1384-148-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1384-129-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1592-158-0x0000000000000000-mapping.dmp

Download
memory/1612-157-0x0000000000000000-mapping.dmp

Download
memory/1688-154-0x0000000000000000-mapping.dmp

Download
memory/1760-114-0x000000000040D570-mapping.dmp

Download
memory/1760-149-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1764-80-0x0000000000000000-mapping.dmp

Download
memory/1764-81-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1788-147-0x0000000000000000-mapping.dmp

Download
memory/1800-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-125-0x00000000004790F0-mapping.dmp

Download
memory/1800-124-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-152-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-134-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-119-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-123-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1964-133-0x0000000000000000-mapping.dmp

Download