56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271

Analysis

max time kernel
4s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
Size

234KB
MD5

e38c5ca4060805b0201c5b3161c3eb22
SHA1

6cb33136b6ece548d1dfb2709d0218dac47cfa9c
SHA256

56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271
SHA512

8567c0ecbd6a40d1a2607dc166ef6e649eff664fc53069c5100a7f1ef15f0b680c0f84af88b8f8e941b345c018a40a5b353da489a45178c5ad78efd28ce6b756
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoS6:2n8dI3b7ETtKKepymejF5aeDUGNoS6

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1928-57-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1928-59-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1928-60-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2012-64-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1928-66-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2012-69-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1928-68-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2012-67-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/704-73-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1928-77-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2012-76-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1928-79-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2012-78-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2012-84-0x0000000000400000-0x0000000000410000-memory.dmp	upx
\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
behavioral1/memory/1464-98-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
behavioral1/memory/900-118-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/900-121-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/900-122-0x0000000000400000-0x000000000047B000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe	upx
behavioral1/memory/900-130-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1464-129-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/900-128-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2012-131-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/900-134-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/900-137-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1700-136-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1928-151-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/900-152-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1700-153-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe

description	pid	process	target process
PID 704 set thread context of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 set thread context of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1168 ipconfig.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

896 reg.exe
1680 reg.exe
1936 reg.exe
1872 reg.exe

pid	process
1168	ipconfig.exe

pid	process
896	reg.exe
1680	reg.exe
1936	reg.exe
1872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe

pid	process
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe

pid	process
704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
2012	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe

C:\Users\Admin\AppData\Local\Temp\56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
"C:\Users\Admin\AppData\Local\Temp\56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
"C:\Users\Admin\AppData\Local\Temp\56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:1168

C:\Users\Admin\AppData\Local\Temp\56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
"C:\Users\Admin\AppData\Local\Temp\56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
"C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
3⤵
PID:1464

C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
"C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
4⤵
PID:1496

C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
"C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
4⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GVWTC.bat" "
5⤵
PID:332

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
6⤵
PID:1616

C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
"C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
4⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
6⤵
- Modifies registry key
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
5⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
6⤵
- Modifies registry key
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
6⤵
- Modifies registry key
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
5⤵
PID:640

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
6⤵
- Modifies registry key
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GVWTC.bat

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
94fafbece9a9baefd2aaed03faed51f2

SHA1
dd9a8ba78a9b7fce8168b8ff73d7df653c1750fe

SHA256
8d4372e295918568bf787d0c1f82694e52953d4e79025968c8997e308b971679

SHA512
da6d05516ec7a394603d488c5b19ee9e72fe5c9fce1a987afb345479cad92562a78f358a199d863290118fd811b6f6c5669ad903c757d956e686eb1c53d45be1

Download Submit
memory/332-145-0x0000000000000000-mapping.dmp

Download
memory/640-143-0x0000000000000000-mapping.dmp

Download
memory/704-73-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/704-74-0x0000000002A30000-0x0000000002B0F000-memory.dmp

Filesize
892KB

Download
memory/896-144-0x0000000000000000-mapping.dmp

Download
memory/900-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-122-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-130-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-134-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-152-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/900-123-0x00000000004790F0-mapping.dmp

Download
memory/900-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1168-83-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1168-82-0x0000000000000000-mapping.dmp

Download
memory/1268-141-0x0000000000000000-mapping.dmp

Download
memory/1360-140-0x0000000000000000-mapping.dmp

Download
memory/1464-98-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1464-91-0x0000000000000000-mapping.dmp

Download
memory/1464-129-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1496-102-0x0000000000409A00-mapping.dmp

Download
memory/1616-150-0x0000000000000000-mapping.dmp

Download
memory/1680-146-0x0000000000000000-mapping.dmp

Download
memory/1692-142-0x0000000000000000-mapping.dmp

Download
memory/1700-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-153-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-112-0x000000000040D570-mapping.dmp

Download
memory/1872-148-0x0000000000000000-mapping.dmp

Download
memory/1928-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-151-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1928-61-0x0000000000409A00-mapping.dmp

Download
memory/1928-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-147-0x0000000000000000-mapping.dmp

Download
memory/2012-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-131-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-70-0x000000000040D570-mapping.dmp

Download
memory/2012-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-84-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

description	pid	process	target process
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 1928	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 704 wrote to memory of 2012	704	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe
PID 1928 wrote to memory of 1168	1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	ipconfig.exe
PID 1928 wrote to memory of 1168	1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	ipconfig.exe
PID 1928 wrote to memory of 1168	1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	ipconfig.exe
PID 1928 wrote to memory of 1168	1928	56ddacf17c104be40a02d1e915f8c5b8a6a02db8818c0c3634c48850aad4a271.exe	ipconfig.exe