21bde94a3135ff18ed1c65d2bd22b14cfed33b81f685ff8f16917c56d3f21a03

Analysis

max time kernel
29s
max time network
158s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 03:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02c8150286b81cf31db0586dbd969aef.exe
Size

234KB
MD5

02c8150286b81cf31db0586dbd969aef
SHA1

75800dec0d7e137088ad3a2cb2def8a26bce9864
SHA256

21bde94a3135ff18ed1c65d2bd22b14cfed33b81f685ff8f16917c56d3f21a03
SHA512

d6b9882895f5e076f72b6bad70c74b1a06af34a2826b633359c074f7e52ad4c3fd0259dbf3f37ea051a897b9b4d783134c1e8699d491682df279fb5bafad9492
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoSO:2n8dI3b7ETtKKepymejF5aeDUGNoSO

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2004	SkipeTurns.exe
2548	SkipeTurns.exe
1224	SkipeTurns.exe
2952	SkipeTurns.exe

Loads dropped DLL 5 IoCs

pid	Process
2780	02c8150286b81cf31db0586dbd969aef.exe
2780	02c8150286b81cf31db0586dbd969aef.exe
2780	02c8150286b81cf31db0586dbd969aef.exe
2780	02c8150286b81cf31db0586dbd969aef.exe
2780	02c8150286b81cf31db0586dbd969aef.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2668-3-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2668-4-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2668-5-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2332-8-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2332-11-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2332-20-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2332-23-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2332-25-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2780-24-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2332-15-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2668-32-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2780-33-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2780-30-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2780-36-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2780-39-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2780-35-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000b00000001468c-43.dat	upx
behavioral1/memory/2332-49-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2780-50-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2332-51-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2332-52-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2004-66-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2004-72-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2004-69-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2548-80-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2548-87-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2548-89-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2548-91-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2952-103-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2952-106-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2952-116-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2004-117-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2952-120-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2780-127-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2548-154-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1224-158-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2952-160-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2952-164-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 set thread context of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2004 set thread context of 2548	2004	SkipeTurns.exe	35
PID 2004 set thread context of 1224	2004	SkipeTurns.exe	36
PID 2004 set thread context of 2952	2004	SkipeTurns.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2712	ipconfig.exe
1892	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1528	reg.exe
892	reg.exe
1700	reg.exe
1380	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2952	SkipeTurns.exe
Token: SeCreateTokenPrivilege	2952	SkipeTurns.exe
Token: SeAssignPrimaryTokenPrivilege	2952	SkipeTurns.exe
Token: SeLockMemoryPrivilege	2952	SkipeTurns.exe
Token: SeIncreaseQuotaPrivilege	2952	SkipeTurns.exe
Token: SeMachineAccountPrivilege	2952	SkipeTurns.exe
Token: SeTcbPrivilege	2952	SkipeTurns.exe
Token: SeSecurityPrivilege	2952	SkipeTurns.exe
Token: SeTakeOwnershipPrivilege	2952	SkipeTurns.exe
Token: SeLoadDriverPrivilege	2952	SkipeTurns.exe
Token: SeSystemProfilePrivilege	2952	SkipeTurns.exe
Token: SeSystemtimePrivilege	2952	SkipeTurns.exe
Token: SeProfSingleProcessPrivilege	2952	SkipeTurns.exe
Token: SeIncBasePriorityPrivilege	2952	SkipeTurns.exe
Token: SeCreatePagefilePrivilege	2952	SkipeTurns.exe
Token: SeCreatePermanentPrivilege	2952	SkipeTurns.exe
Token: SeBackupPrivilege	2952	SkipeTurns.exe
Token: SeRestorePrivilege	2952	SkipeTurns.exe
Token: SeShutdownPrivilege	2952	SkipeTurns.exe
Token: SeDebugPrivilege	2952	SkipeTurns.exe
Token: SeAuditPrivilege	2952	SkipeTurns.exe
Token: SeSystemEnvironmentPrivilege	2952	SkipeTurns.exe
Token: SeChangeNotifyPrivilege	2952	SkipeTurns.exe
Token: SeRemoteShutdownPrivilege	2952	SkipeTurns.exe
Token: SeUndockPrivilege	2952	SkipeTurns.exe
Token: SeSyncAgentPrivilege	2952	SkipeTurns.exe
Token: SeEnableDelegationPrivilege	2952	SkipeTurns.exe
Token: SeManageVolumePrivilege	2952	SkipeTurns.exe
Token: SeImpersonatePrivilege	2952	SkipeTurns.exe
Token: SeCreateGlobalPrivilege	2952	SkipeTurns.exe
Token: 31	2952	SkipeTurns.exe
Token: 32	2952	SkipeTurns.exe
Token: 33	2952	SkipeTurns.exe
Token: 34	2952	SkipeTurns.exe
Token: 35	2952	SkipeTurns.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2668	02c8150286b81cf31db0586dbd969aef.exe
2332	02c8150286b81cf31db0586dbd969aef.exe
2780	02c8150286b81cf31db0586dbd969aef.exe
2004	SkipeTurns.exe
2548	SkipeTurns.exe
1224	SkipeTurns.exe
2952	SkipeTurns.exe
2952	SkipeTurns.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2332	2668	02c8150286b81cf31db0586dbd969aef.exe	28
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2668 wrote to memory of 2780	2668	02c8150286b81cf31db0586dbd969aef.exe	29
PID 2332 wrote to memory of 2712	2332	02c8150286b81cf31db0586dbd969aef.exe	30
PID 2332 wrote to memory of 2712	2332	02c8150286b81cf31db0586dbd969aef.exe	30
PID 2332 wrote to memory of 2712	2332	02c8150286b81cf31db0586dbd969aef.exe	30
PID 2332 wrote to memory of 2712	2332	02c8150286b81cf31db0586dbd969aef.exe	30
PID 2780 wrote to memory of 2004	2780	02c8150286b81cf31db0586dbd969aef.exe	32
PID 2780 wrote to memory of 2004	2780	02c8150286b81cf31db0586dbd969aef.exe	32
PID 2780 wrote to memory of 2004	2780	02c8150286b81cf31db0586dbd969aef.exe	32
PID 2780 wrote to memory of 2004	2780	02c8150286b81cf31db0586dbd969aef.exe	32
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 2548	2004	SkipeTurns.exe	35
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 1224	2004	SkipeTurns.exe	36
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2548 wrote to memory of 1892	2548	SkipeTurns.exe	39
PID 2548 wrote to memory of 1892	2548	SkipeTurns.exe	39
PID 2548 wrote to memory of 1892	2548	SkipeTurns.exe	39
PID 2548 wrote to memory of 1892	2548	SkipeTurns.exe	39
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2004 wrote to memory of 2952	2004	SkipeTurns.exe	37
PID 2952 wrote to memory of 1096	2952	SkipeTurns.exe	40
PID 2952 wrote to memory of 1096	2952	SkipeTurns.exe	40
PID 2952 wrote to memory of 1096	2952	SkipeTurns.exe	40
PID 2952 wrote to memory of 1096	2952	SkipeTurns.exe	40
PID 2952 wrote to memory of 1592	2952	SkipeTurns.exe	42
PID 2952 wrote to memory of 1592	2952	SkipeTurns.exe	42
PID 2952 wrote to memory of 1592	2952	SkipeTurns.exe	42
PID 2952 wrote to memory of 1592	2952	SkipeTurns.exe	42
PID 2952 wrote to memory of 660	2952	SkipeTurns.exe	44
PID 2952 wrote to memory of 660	2952	SkipeTurns.exe	44
PID 2952 wrote to memory of 660	2952	SkipeTurns.exe	44
PID 2952 wrote to memory of 660	2952	SkipeTurns.exe	44

C:\Users\Admin\AppData\Local\Temp\02c8150286b81cf31db0586dbd969aef.exe
"C:\Users\Admin\AppData\Local\Temp\02c8150286b81cf31db0586dbd969aef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\02c8150286b81cf31db0586dbd969aef.exe
  "C:\Users\Admin\AppData\Local\Temp\02c8150286b81cf31db0586dbd969aef.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2712
- C:\Users\Admin\AppData\Local\Temp\02c8150286b81cf31db0586dbd969aef.exe
  "C:\Users\Admin\AppData\Local\Temp\02c8150286b81cf31db0586dbd969aef.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
    "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1892
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TRVQY.bat" "
        5⤵
        
        PID:3044
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
        6⤵
        
        PID:2216
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1096
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1528
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:660
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1644
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TRVQY.bat

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
14746b0365c4a9dbb63e41ea15df00ca

SHA1
67cf08f33a1fec32d319995e5cc9b85fe03dc1a6

SHA256
97f04a40847afc61a4cf8b4213644e014435b38f5385e8a8bca79e5670b401c7

SHA512
af3c6dda59ecde51289d6a1c8aab2f6d4dc49db24db423b682429d3de710bebd0b556a15da487623bbcb4b8e624eefd5b3c5bd0ecbc34d5f6cb34a1c1eda6821

Download Submit
memory/1224-158-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2004-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2004-72-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2004-69-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2004-117-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2332-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-49-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-52-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2332-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2548-154-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2548-89-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2548-87-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2548-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2548-91-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2668-5-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2668-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2668-32-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2668-10-0x0000000002B30000-0x0000000002C0F000-memory.dmp

Filesize
892KB

Download
memory/2668-4-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2668-3-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2780-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-127-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-63-0x0000000002BD0000-0x0000000002CAF000-memory.dmp

Filesize
892KB

Download
memory/2780-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2780-64-0x0000000002BD0000-0x0000000002CAF000-memory.dmp

Filesize
892KB

Download
memory/2780-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2952-120-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-106-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-103-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-99-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-160-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-164-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download