File name: eicar.com
Full analysis: https://app.any.run/tasks/d296c966-cfad-4536-a600-54f142eaff8a
Verdict: Malicious activity
Analysis date: December 05, 2022, 18:58:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: EICAR virus test files
MD5: 69630E4574EC6798239B091CDA43DCA0
SHA1: CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62
SHA256: 131F95C51CC819465FA1797F6CCACF9D494AAAFF46FA3EAC73AE63FFBDFD8267
SSDEEP: 3:a+JraNvsgzsVqSwHqN:tJuOgzsky

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 1640)
  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 3608)
      • Skype.exe (PID: 2836)
      • Skype.exe (PID: 2372)
    • Changes default file association

      • Skype.exe (PID: 3608)
    • Reads the Internet Settings

      • Skype.exe (PID: 3608)
    • Reads settings of System Certificates

      • Skype.exe (PID: 3608)
  • INFO

    • Reads the computer name

      • Skype.exe (PID: 3608)
      • Skype.exe (PID: 2944)
      • Skype.exe (PID: 2836)
      • Skype.exe (PID: 3164)
      • Skype.exe (PID: 2312)
      • Skype.exe (PID: 2372)
    • Manual execution by a user

      • Skype.exe (PID: 3608)
      • WINWORD.EXE (PID: 2196)
      • WINWORD.EXE (PID: 2268)
    • Checks supported languages

      • Skype.exe (PID: 3608)
      • Skype.exe (PID: 2944)
      • Skype.exe (PID: 2836)
      • Skype.exe (PID: 3164)
      • Skype.exe (PID: 2372)
      • Skype.exe (PID: 2312)
    • Reads the CPU's name

      • Skype.exe (PID: 3608)
    • Reads CPU info

      • Skype.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.com | EICAR antivirus test file (100)
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph (interactive view available in the full report): ntvdm.exe, winword.exe, PhotoViewer.dll, winword.exe, skype.exe, skype.exe, reg.exe, skype.exe, reg.exe, skype.exe, skype.exe, skype.exe

Process information

PID: 1880
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2196
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\pussypapers.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll

PID: 2708
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2268
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\lasmi.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3608
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Explorer.EXE
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.29.0.50

PID: 2944
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.29.0.50

PID: 1640
CMD: C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f
Path: C:\Windows\system32\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2836
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=2151C91BFB8F82D8A28E9E666F2AA79E --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=2151C91BFB8F82D8A28E9E666F2AA79E --renderer-client-id=3 --mojo-platform-channel-handle=1584 /prefetch:1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.29.0.50

PID: 556
CMD: C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
Path: C:\Windows\system32\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3164
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 2
Version: 8.29.0.50
Total events: 10 194
Read events: 9 543
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 10
Text files: 11
Unknown types: 12

Dropped files

PID: 2196
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR4621.tmp.cvr
Type:
MD5:
SHA256:

PID: 2268
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR8A00.tmp.cvr
Type:
MD5:
SHA256:

PID: 3608
Process: Skype.exe
Filename: C:\Users\admin\AppData\Local\Temp\bd7b9db0-bc9b-4959-9dd3-baeff26d3469.tmp.ico
Type:
MD5:
SHA256:

PID: 2196
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 889790ED603993BC81399E5289723322
SHA256: 566831587A33CB4E0A0F9470F0808BCBE3533FAA373E6CAD072EBD637FA35BC9

PID: 2268
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 256CC44C582B81EEC61F0E8063354343
SHA256: BD6BE6878F37D6F3296BF4F6451DE4D4F14917BDDB184A5E5CD6E9FB2C0D15D6

PID: 3608
Process: Skype.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old
Type:
MD5:
SHA256:

PID: 2196
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\pussypapers.rtf.LNK
Type: lnk
MD5: A9099312BF6E7AA565132152A72F5691
SHA256: 535EE29107C6C084168BD69DC7C8A5B095E02A48F18039B2ACA7D4A38495927D

PID: 2196
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B8B8F702-3E27-4615-9A8C-FEC7F563FB95}.tmp
Type: binary
MD5: F97A8286C08FFEA17992F547E014E160
SHA256: 1D76E729196E9E4DB81ED9421E46BAAAFA07D716EEB59D89957E654210565267

PID: 3608
Process: Skype.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old
Type:
MD5:
SHA256:

PID: 2268
Process: WINWORD.EXE
Filename: C:\Users\admin\Desktop\~$lasmi.rtf
Type: pgc
MD5: C5F2E0C536CECF3200A7958E0D523EC9
SHA256: 3469CFC269E00F3197ACBAE8EF0A948F943B937E89BAA5E296574BD442DD1A8B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 6
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3608 | Skype.exe | 13.107.42.16:443 | a.config.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3608 | Skype.exe | 52.182.143.208:443 | pipe.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious
3608 | Skype.exe | 52.174.193.75:443 | get.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3608 | Skype.exe | 88.221.168.142:443 | download.skype.com | AKAMAI-AS | DE | unknown
 | | 152.199.19.160:443 | bot-framework.azureedge.net | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
get.skype.com | 52.174.193.75 | whitelisted
a.config.skype.com | 13.107.42.16 | whitelisted
pipe.skype.com | 52.182.143.208 | whitelisted
download.skype.com | 88.221.168.142 | whitelisted
bot-framework.azureedge.net | 152.199.19.160 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted

Threats

No threats detected
Process | Message
Skype.exe | [2944:2936:1205/185900.326:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(145)] window handle is 000901C6
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service_main.cc(94)] Ready to process crash requests
Skype.exe | [2944:2608:1205/185900.342:VERBOSE1:crash_service.cc(333)] client start. pid = 3608
Skype.exe | [2944:2608:1205/185901.826:VERBOSE1:crash_service.cc(333)] client start. pid = 2836
Skype.exe | [3164:1032:1205/185901.871:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe | [3164:1032:1205/185901.874:VERBOSE1:crash_service.cc(145)] window handle is 0007018E
Skype.exe | [3164:1032:1205/185901.874:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes