ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0

Analysis

max time kernel
30s
max time network
183s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
Size

234KB
MD5

a174e2f98d4b7dca5d5bbb745978deef
SHA1

5e7a0409eb9921daa0bf7a6525bbd2b03521103e
SHA256

ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0
SHA512

c3b2df19afebbd110eb6c3c5f2d03573b0508e4c15b14855b4a57a039f43e69754e05b9b55bf45d20868754034e3fdfc180a20911e8f7c998a7f668fb536d852
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoSd:2n8dI3b7ETtKKepymejF5aeDUGNoSd

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
776	SkipeTurns.exe
432	SkipeTurns.exe
1692	SkipeTurns.exe
1180	SkipeTurns.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1960-56-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1396-58-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1396-60-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1748-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1396-61-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1396-67-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1748-68-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1396-69-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1748-70-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1748-75-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1960-77-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1748-76-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1396-81-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1748-83-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1396-82-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-86.dat	upx
behavioral1/files/0x00140000000054ab-87.dat	upx
behavioral1/files/0x00140000000054ab-91.dat	upx
behavioral1/files/0x00140000000054ab-90.dat	upx
behavioral1/files/0x00140000000054ab-89.dat	upx
behavioral1/files/0x00140000000054ab-93.dat	upx
behavioral1/memory/1748-96-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/776-110-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-107.dat	upx
behavioral1/files/0x00140000000054ab-100.dat	upx
behavioral1/files/0x00140000000054ab-119.dat	upx
behavioral1/memory/1180-123-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1180-127-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1180-128-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-133.dat	upx
behavioral1/memory/1180-135-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1180-137-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1748-139-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/776-136-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/432-142-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1180-144-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1692-143-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1692-159-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1180-160-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 set thread context of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 776 set thread context of 432	776	SkipeTurns.exe	34
PID 776 set thread context of 1692	776	SkipeTurns.exe	33
PID 776 set thread context of 1180	776	SkipeTurns.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
964	ipconfig.exe
1752	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1976	reg.exe
2040	reg.exe
1620	reg.exe
1996	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	SkipeTurns.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
776	SkipeTurns.exe
432	SkipeTurns.exe
1692	SkipeTurns.exe
1180	SkipeTurns.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1396	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	28
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1960 wrote to memory of 1748	1960	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	29
PID 1396 wrote to memory of 964	1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	30
PID 1396 wrote to memory of 964	1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	30
PID 1396 wrote to memory of 964	1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	30
PID 1396 wrote to memory of 964	1396	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	30
PID 1748 wrote to memory of 776	1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	32
PID 1748 wrote to memory of 776	1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	32
PID 1748 wrote to memory of 776	1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	32
PID 1748 wrote to memory of 776	1748	ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe	32
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 432	776	SkipeTurns.exe	34
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1692	776	SkipeTurns.exe	33
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 776 wrote to memory of 1180	776	SkipeTurns.exe	35
PID 432 wrote to memory of 1752	432	SkipeTurns.exe	36
PID 432 wrote to memory of 1752	432	SkipeTurns.exe	36
PID 432 wrote to memory of 1752	432	SkipeTurns.exe	36
PID 432 wrote to memory of 1752	432	SkipeTurns.exe	36

C:\Users\Admin\AppData\Local\Temp\ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
"C:\Users\Admin\AppData\Local\Temp\ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
  "C:\Users\Admin\AppData\Local\Temp\ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:964
- C:\Users\Admin\AppData\Local\Temp\ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe
  "C:\Users\Admin\AppData\Local\Temp\ed278e91889e03139bb05f83d2267f641275e5e21945f04a245043a7602fafe0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
    "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NADPQ.bat" "
        5⤵
        
        PID:320
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
        6⤵
        
        PID:1780
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1752
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1532
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:680
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1700
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NADPQ.bat

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
c50d70a92130c22fe27a0d8b561a6b98

SHA1
22f3bac470fa15b1b63ea36c0a75a1cc38028d9e

SHA256
fb9c5f6f202c619c66ccd8679be41789dfc05ea547d8911f61e8c2895d4759fa

SHA512
63ae0ddf1cf0b6b40aac41e6b9bfba2e2cd8fa4c32af77c5a84bd9340a6c9d37c19671918463d22f4e628d9d2cfbc9af0e2d3344e994a45151ffccabf25d90fe

Download Submit
memory/432-142-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/776-136-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/776-110-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/964-84-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1180-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1180-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1180-160-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1180-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1180-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1180-123-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1180-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1180-144-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-82-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1692-143-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1692-159-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-139-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-88-0x0000000002C40000-0x0000000002D1F000-memory.dmp

Filesize
892KB

Download
memory/1748-99-0x0000000002C40000-0x0000000002D1F000-memory.dmp

Filesize
892KB

Download
memory/1748-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-98-0x0000000002C40000-0x0000000002D1F000-memory.dmp

Filesize
892KB

Download
memory/1748-97-0x0000000002C40000-0x0000000002D1F000-memory.dmp

Filesize
892KB

Download
memory/1748-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1960-77-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1960-56-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download