File name:

eicar.com

Full analysis: https://app.any.run/tasks/d296c966-cfad-4536-a600-54f142eaff8a
Verdict: Malicious activity
Analysis date: December 05, 2022, 18:58:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: EICAR virus test files
MD5:

69630E4574EC6798239B091CDA43DCA0

SHA1:

CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62

SHA256:

131F95C51CC819465FA1797F6CCACF9D494AAAFF46FA3EAC73AE63FFBDFD8267

SSDEEP:

3:a+JraNvsgzsVqSwHqN:tJuOgzsky

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 1640)
  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 3608)
      • Skype.exe (PID: 2836)
      • Skype.exe (PID: 2372)
    • Changes default file association

      • Skype.exe (PID: 3608)
    • Reads the Internet Settings

      • Skype.exe (PID: 3608)
    • Reads settings of System Certificates

      • Skype.exe (PID: 3608)
  • INFO

    • Checks supported languages

      • Skype.exe (PID: 3608)
      • Skype.exe (PID: 2944)
      • Skype.exe (PID: 2372)
      • Skype.exe (PID: 3164)
      • Skype.exe (PID: 2836)
      • Skype.exe (PID: 2312)
    • Reads the computer name

      • Skype.exe (PID: 3608)
      • Skype.exe (PID: 2944)
      • Skype.exe (PID: 2836)
      • Skype.exe (PID: 3164)
      • Skype.exe (PID: 2372)
      • Skype.exe (PID: 2312)
    • Reads the CPU's name

      • Skype.exe (PID: 3608)
    • Reads CPU info

      • Skype.exe (PID: 3608)
    • Manual execution by a user

      • WINWORD.EXE (PID: 2268)
      • WINWORD.EXE (PID: 2196)
      • Skype.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.com | EICAR antivirus test file (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
12
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start ntvdm.exe no specs winword.exe no specs PhotoViewer.dll no specs winword.exe no specs skype.exe skype.exe reg.exe skype.exe no specs reg.exe no specs skype.exe skype.exe no specs skype.exe

Process information

PID
CMD
Path
Indicators
Parent process
1880"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2196"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\pussypapers.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
2708C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2268"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\lasmi.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3608"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Explorer.EXE
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.29.0.50
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
2944"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.29.0.50
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
1640C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /fC:\Windows\system32\reg.exe
Skype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
2836"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=2151C91BFB8F82D8A28E9E666F2AA79E --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=2151C91BFB8F82D8A28E9E666F2AA79E --renderer-client-id=3 --mojo-platform-channel-handle=1584 /prefetch:1C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
0
Version:
8.29.0.50
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\vcruntime140.dll
556C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdateC:\Windows\system32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3164"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
2
Version:
8.29.0.50
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
Total events
10 194
Read events
9 543
Write events
360
Delete events
291

Modification events

(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:!*3
Value:
212A330094080000010000000000000000000000
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2196) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
10
Text files
11
Unknown types
12

Dropped files

PID
Process
Filename
Type
2196WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR4621.tmp.cvr
MD5:
SHA256:
2268WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8A00.tmp.cvr
MD5:
SHA256:
3608Skype.exeC:\Users\admin\AppData\Local\Temp\bd7b9db0-bc9b-4959-9dd3-baeff26d3469.tmp.ico
MD5:
SHA256:
2196WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B8B8F702-3E27-4615-9A8C-FEC7F563FB95}.tmpbinary
MD5:F97A8286C08FFEA17992F547E014E160
SHA256:1D76E729196E9E4DB81ED9421E46BAAAFA07D716EEB59D89957E654210565267
2268WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{89C5A84D-00DE-43BC-8806-39E562C527FF}.tmpdbf
MD5:A2911BBBFC3EA6BACBBED635C0233AC9
SHA256:98044C78F21EA75F7C78A3130EE6CFAA247E88B430405CDBC41AC40A7B70720F
1880ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF93A.tmptext
MD5:8CF6DDB5AA59B49F34B967CD46F013B6
SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C
2268WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0541E429-17A7-4690-A28F-0E9D3DC3BA0C}.tmpsmt
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
2268WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:256CC44C582B81EEC61F0E8063354343
SHA256:BD6BE6878F37D6F3296BF4F6451DE4D4F14917BDDB184A5E5CD6E9FB2C0D15D6
1880ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF93B.tmptext
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B
SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
2196WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:889790ED603993BC81399E5289723322
SHA256:566831587A33CB4E0A0F9470F0808BCBE3533FAA373E6CAD072EBD637FA35BC9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
6
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
152.199.19.160:443
bot-framework.azureedge.net
EDGECAST
US
whitelisted
3608
Skype.exe
52.174.193.75:443
get.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3608
Skype.exe
13.107.42.16:443
a.config.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3608
Skype.exe
52.182.143.208:443
pipe.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
suspicious
3608
Skype.exe
88.221.168.142:443
download.skype.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
get.skype.com
  • 52.174.193.75
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
pipe.skype.com
  • 52.182.143.208
whitelisted
download.skype.com
  • 88.221.168.142
whitelisted
bot-framework.azureedge.net
  • 152.199.19.160
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted

Threats

No threats detected
Process
Message
Skype.exe
[2944:2936:1205/185900.326:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe
[2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(145)] window handle is 000901C6
Skype.exe
[2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe
[2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe
[2944:2936:1205/185900.342:VERBOSE1:crash_service_main.cc(94)] Ready to process crash requests
Skype.exe
[2944:2608:1205/185900.342:VERBOSE1:crash_service.cc(333)] client start. pid = 3608
Skype.exe
[2944:2608:1205/185901.826:VERBOSE1:crash_service.cc(333)] client start. pid = 2836
Skype.exe
[3164:1032:1205/185901.871:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe
[3164:1032:1205/185901.874:VERBOSE1:crash_service.cc(145)] window handle is 0007018E
Skype.exe
[3164:1032:1205/185901.874:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes