34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4

Analysis

max time kernel
17s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 06:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
Size

234KB
MD5

5098b599528bd3dc1c619b2287575ad0
SHA1

c8f4b96bbbda3a44594ef9148c16bb2a9ccf2a61
SHA256

34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4
SHA512

993741437fdce355e9716225db42e0acada30462f23dba8e3e032ec1912600b8aac2e04e1d462d30e7e732b543bef8d549a56876ff541ad1c9b6c68bda024505
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoSD:2n8dI3b7ETtKKepymejF5aeDUGNoSD

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1760	SkipeTurns.exe
616	SkipeTurns.exe
1080	SkipeTurns.exe
1740	SkipeTurns.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-55-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1976-58-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1976-60-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1976-61-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1976-66-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/936-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1976-68-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/936-69-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/936-71-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/936-76-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/936-77-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-81-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/936-84-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-87.dat	upx
behavioral1/files/0x0007000000005c50-86.dat	upx
behavioral1/files/0x0007000000005c50-90.dat	upx
behavioral1/files/0x0007000000005c50-89.dat	upx
behavioral1/files/0x0007000000005c50-88.dat	upx
behavioral1/files/0x0007000000005c50-93.dat	upx
behavioral1/memory/1760-96-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-97.dat	upx
behavioral1/files/0x0007000000005c50-104.dat	upx
behavioral1/files/0x0007000000005c50-114.dat	upx
behavioral1/memory/1740-119-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1740-122-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1740-123-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-125.dat	upx
behavioral1/memory/1740-127-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1740-129-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1760-133-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/936-136-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1740-139-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1740-140-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1976-154-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/616-155-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1080-156-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1740-157-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 set thread context of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1760 set thread context of 616	1760	SkipeTurns.exe	31
PID 1760 set thread context of 1080	1760	SkipeTurns.exe	32
PID 1760 set thread context of 1740	1760	SkipeTurns.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1336	ipconfig.exe
1588	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1972	reg.exe
1704	reg.exe
1616	reg.exe
1952	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
1760	SkipeTurns.exe
616	SkipeTurns.exe
1080	SkipeTurns.exe
1740	SkipeTurns.exe
1740	SkipeTurns.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 1976	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	26
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1992 wrote to memory of 936	1992	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	27
PID 1976 wrote to memory of 1336	1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	28
PID 1976 wrote to memory of 1336	1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	28
PID 1976 wrote to memory of 1336	1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	28
PID 1976 wrote to memory of 1336	1976	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	28
PID 936 wrote to memory of 1760	936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	30
PID 936 wrote to memory of 1760	936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	30
PID 936 wrote to memory of 1760	936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	30
PID 936 wrote to memory of 1760	936	34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe	30
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 616	1760	SkipeTurns.exe	31
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1080	1760	SkipeTurns.exe	32
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 1760 wrote to memory of 1740	1760	SkipeTurns.exe	33
PID 616 wrote to memory of 1588	616	SkipeTurns.exe	34
PID 616 wrote to memory of 1588	616	SkipeTurns.exe	34
PID 616 wrote to memory of 1588	616	SkipeTurns.exe	34
PID 616 wrote to memory of 1588	616	SkipeTurns.exe	34

C:\Users\Admin\AppData\Local\Temp\34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
"C:\Users\Admin\AppData\Local\Temp\34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
  "C:\Users\Admin\AppData\Local\Temp\34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1336
- C:\Users\Admin\AppData\Local\Temp\34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe
  "C:\Users\Admin\AppData\Local\Temp\34906a268d2984fb680d693586c3f4fbf3cb3f347dc7a5a42c0044b1d5b6fac4.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
    "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1588
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1080
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQEOF.bat" "
        5⤵
        
        PID:784
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
        6⤵
        
        PID:1516
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1560
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1636
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:316
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:392
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IQEOF.bat

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
22a5a1a2a252bd00d288c8b77fc3d988

SHA1
3fff14a5bbb44ddb4b4b70b5dd4ed15987851b1f

SHA256
43c67bca92a9b559b89248bba88e70fd4a2ce53bb89c5d16bd9f3c548fc6488b

SHA512
f2044e673b9d2a8cc86eb801795802893f360760ededd12ac50eb42a86d6decf23ee1e3abe365bac04223ce5ebeb37c166991b139f5e96ddc05d5e83e105e519

Download Submit
memory/616-155-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/936-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/936-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/936-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/936-84-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/936-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/936-91-0x0000000002BC0000-0x0000000002C9F000-memory.dmp

Filesize
892KB

Download
memory/936-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/936-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/936-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-156-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1336-83-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1740-122-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-123-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-157-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-119-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-129-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1740-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1760-133-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1760-96-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1976-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-154-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1992-70-0x0000000002640000-0x000000000271F000-memory.dmp

Filesize
892KB

Download
memory/1992-72-0x0000000002640000-0x000000000271F000-memory.dmp

Filesize
892KB

Download
memory/1992-55-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1992-81-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download