9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147

Analysis

max time kernel
4s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/09/2022, 23:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
Size

234KB
MD5

1a5a469f4da90ec346314ed63135bafe
SHA1

63592be6e86fa54fff06e5f8ddd39b680b845df1
SHA256

9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147
SHA512

96b26da3c6578762c8ef4a96fcc4c95519568bf4fe6aca767a3d09b6624e85bd25a065813f2809e8c193ffb2a94377f3ba406bbced460bc19768ffa1c35dd2ea
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoS+:2n8dI3b7ETtKKepymejF5aeDUGNoS+

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1644	SkipeTurns.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1452-57-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1452-59-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1452-60-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1524-64-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1452-66-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1524-67-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1524-69-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1452-68-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1524-73-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1524-74-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1212-77-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1452-81-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1524-82-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-85.dat	upx
behavioral1/files/0x000c0000000054a8-84.dat	upx
behavioral1/files/0x000c0000000054a8-88.dat	upx
behavioral1/files/0x000c0000000054a8-87.dat	upx
behavioral1/files/0x000c0000000054a8-86.dat	upx
behavioral1/files/0x000c0000000054a8-90.dat	upx
behavioral1/files/0x000c0000000054a8-93.dat	upx
behavioral1/files/0x000c0000000054a8-100.dat	upx
behavioral1/files/0x000c0000000054a8-110.dat	upx
behavioral1/memory/1536-115-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1644-119-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1536-120-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1536-121-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-124.dat	upx
behavioral1/memory/1536-129-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1644-128-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1536-127-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1524-130-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1716-135-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1536-136-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1452-149-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1716-150-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1536-151-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1536-152-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 set thread context of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1300	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1336	reg.exe
1708	reg.exe
968	reg.exe
1696	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
1644	SkipeTurns.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1452	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	27
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1212 wrote to memory of 1524	1212	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	28
PID 1452 wrote to memory of 1300	1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	29
PID 1452 wrote to memory of 1300	1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	29
PID 1452 wrote to memory of 1300	1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	29
PID 1452 wrote to memory of 1300	1452	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	29
PID 1524 wrote to memory of 1644	1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	31
PID 1524 wrote to memory of 1644	1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	31
PID 1524 wrote to memory of 1644	1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	31
PID 1524 wrote to memory of 1644	1524	9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe	31

C:\Users\Admin\AppData\Local\Temp\9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
"C:\Users\Admin\AppData\Local\Temp\9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
  "C:\Users\Admin\AppData\Local\Temp\9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1300
- C:\Users\Admin\AppData\Local\Temp\9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe
  "C:\Users\Admin\AppData\Local\Temp\9d57e5f920561266661500d17ccd3fdcb95cb8e763e03320ee4a62fcbad51147.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
    "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1644
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      PID:548
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OBNVN.bat" "
        5⤵
        
        PID:984
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
        6⤵
        
        PID:1516
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:344
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1336
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1572
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1804
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OBNVN.bat

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
379400e8602f784be8f445d33929747f

SHA1
7a96edd7f5e995a10d90178ee10bea0bf3eefafe

SHA256
cfbe0474173bbc8fc40d86590e72f6930b52f30ed0a09c0cc8adcc6fc2a7cf55

SHA512
07ddfe2e2b51e5dd07ae5019fa34c363e730557e4080ffceb385e645cd5fbbbc705a66f3fbd33a0c9368dbc275f879bb0de5ac1d5d2ed50eee716c74e5fd92e7

Download Submit
memory/1212-77-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1300-80-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1452-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1452-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1452-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1452-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1452-149-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1452-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1452-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1452-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1524-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-116-0x0000000002A20000-0x0000000002AFF000-memory.dmp

Filesize
892KB

Download
memory/1524-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-130-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1536-113-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-152-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-129-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-120-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1644-119-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1644-128-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1716-150-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1716-135-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download