File name: | eicar.com |
Full analysis: | https://app.any.run/tasks/d296c966-cfad-4536-a600-54f142eaff8a |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 18:58:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | EICAR virus test files |
MD5: | 69630E4574EC6798239B091CDA43DCA0 |
SHA1: | CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62 |
SHA256: | 131F95C51CC819465FA1797F6CCACF9D494AAAFF46FA3EAC73AE63FFBDFD8267 |
SSDEEP: | 3:a+JraNvsgzsVqSwHqN:tJuOgzsky |
.com | | | EICAR antivirus test file (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1880 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2196 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\pussypapers.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
2708 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
2268 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\lasmi.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | |||||||||||||||
3608 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Explorer.EXE | ||||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | |||||||||||||||
2944 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | ||||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | |||||||||||||||
1640 | C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f | C:\Windows\system32\reg.exe | Skype.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
2836 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=2151C91BFB8F82D8A28E9E666F2AA79E --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=2151C91BFB8F82D8A28E9E666F2AA79E --renderer-client-id=3 --mojo-platform-channel-handle=1584 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.29.0.50 | |||||||||||||||
556 | C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate | C:\Windows\system32\reg.exe | — | Skype.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
3164 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | ||||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 2 Version: 8.29.0.50 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2196 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4621.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8A00.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3608 | Skype.exe | C:\Users\admin\AppData\Local\Temp\bd7b9db0-bc9b-4959-9dd3-baeff26d3469.tmp.ico | — | |
MD5:— | SHA256:— | |||
2196 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:889790ED603993BC81399E5289723322 | SHA256:566831587A33CB4E0A0F9470F0808BCBE3533FAA373E6CAD072EBD637FA35BC9 | |||
2268 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:256CC44C582B81EEC61F0E8063354343 | SHA256:BD6BE6878F37D6F3296BF4F6451DE4D4F14917BDDB184A5E5CD6E9FB2C0D15D6 | |||
3608 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old | — | |
MD5:— | SHA256:— | |||
2196 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\pussypapers.rtf.LNK | lnk | |
MD5:A9099312BF6E7AA565132152A72F5691 | SHA256:535EE29107C6C084168BD69DC7C8A5B095E02A48F18039B2ACA7D4A38495927D | |||
2196 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B8B8F702-3E27-4615-9A8C-FEC7F563FB95}.tmp | binary | |
MD5:F97A8286C08FFEA17992F547E014E160 | SHA256:1D76E729196E9E4DB81ED9421E46BAAAFA07D716EEB59D89957E654210565267 | |||
3608 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old | — | |
MD5:— | SHA256:— | |||
2268 | WINWORD.EXE | C:\Users\admin\Desktop\~$lasmi.rtf | pgc | |
MD5:C5F2E0C536CECF3200A7958E0D523EC9 | SHA256:3469CFC269E00F3197ACBAE8EF0A948F943B937E89BAA5E296574BD442DD1A8B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3608 | Skype.exe | 13.107.42.16:443 | a.config.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3608 | Skype.exe | 52.182.143.208:443 | pipe.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
3608 | Skype.exe | 52.174.193.75:443 | get.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3608 | Skype.exe | 88.221.168.142:443 | download.skype.com | AKAMAI-AS | DE | unknown |
— | — | 152.199.19.160:443 | bot-framework.azureedge.net | EDGECAST | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
get.skype.com |
| whitelisted |
a.config.skype.com |
| whitelisted |
pipe.skype.com |
| whitelisted |
download.skype.com |
| whitelisted |
bot-framework.azureedge.net |
| whitelisted |
config.edge.skype.com |
| whitelisted |
Process | Message |
---|---|
Skype.exe | [2944:2936:1205/185900.326:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(145)] window handle is 000901C6
|
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [2944:2936:1205/185900.342:VERBOSE1:crash_service_main.cc(94)] Ready to process crash requests
|
Skype.exe | [2944:2608:1205/185900.342:VERBOSE1:crash_service.cc(333)] client start. pid = 3608
|
Skype.exe | [2944:2608:1205/185901.826:VERBOSE1:crash_service.cc(333)] client start. pid = 2836
|
Skype.exe | [3164:1032:1205/185901.871:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [3164:1032:1205/185901.874:VERBOSE1:crash_service.cc(145)] window handle is 0007018E
|
Skype.exe | [3164:1032:1205/185901.874:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|