File name: | diefioj.scr |
Full analysis: | https://app.any.run/tasks/030c308f-dc4c-4ec3-a8b1-c00bb5a5eae2 |
Verdict: | Malicious activity |
Analysis date: | January 18, 2019, 05:55:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C1F2DB0B40AA445EA93FA6F89832F2B4 |
SHA1: | C0BE70C56258B571F9CFB5D13536DE09A2CBB159 |
SHA256: | 3100EBD91FD286ABC43572CF20D16456D78C7D9FFB598BEA702CF1398AC1091F |
SSDEEP: | 768:uoHNPE4G7XnMvYqf0mq/6/Q/9NF0+LEc8af3ts0E9t:uB4Ggv/q2oS+Ljb3ts0E9t |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
FileSubtype: | - |
---|---|
ObjectFileType: | Unknown |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 1 |
OSVersion: | 4 |
EntryPoint: | 0x1184 |
UninitializedDataSize: | - |
InitializedDataSize: | 4096 |
CodeSize: | 49152 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2000:01:01 13:00:00+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 01-Jan-2000 12:00:00 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000B0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 01-Jan-2000 12:00:00 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0000B988 | 0x0000C000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.21332 |
.data | 0x0000D000 | 0x000023B0 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00010000 | 0x000000B4 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.80818 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 1.98351 | 92 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
MSVBVM60.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Users\admin\AppData\Local\Temp\diefioj.scr" /S | C:\Users\admin\AppData\Local\Temp\diefioj.scr | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
2300 | "C:\Users\admin\biecei.exe" | C:\Users\admin\biecei.exe | diefioj.scr | |
User: admin Integrity Level: MEDIUM | ||||
3516 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | explorer.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.29.0.50 | ||||
3016 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.29.0.50 | ||||
3660 | C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f | C:\Windows\system32\reg.exe | Skype.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2916 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=0B52AE9770DEE359B415370BB2F772B5 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=0B52AE9770DEE359B415370BB2F772B5 --renderer-client-id=3 --mojo-platform-channel-handle=1536 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 3221225477 Version: 8.29.0.50 | ||||
3164 | C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate | C:\Windows\system32\reg.exe | — | Skype.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3816 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 2 Version: 8.29.0.50 | ||||
3080 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=71BA0E266FD0353CCC4BC1B19EE3DBC3 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=1 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=71BA0E266FD0353CCC4BC1B19EE3DBC3 --renderer-client-id=4 --mojo-platform-channel-handle=2584 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 3221225477 Version: 8.29.0.50 | ||||
2092 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 2 Version: 8.29.0.50 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U0QZ2IL8D38E9E5QS98T.temp | — | |
MD5:— | SHA256:— | |||
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe | — | |
MD5:— | SHA256:— | |||
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | binary | |
MD5:FF17E86FAAFB072686D650443C84A7D6 | SHA256:3AD89CB552952707F86D8BDF449FBC9E6486943D07985F49009C477595A659CB | |||
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms~RF1ab670.TMP | binary | |
MD5:FF17E86FAAFB072686D650443C84A7D6 | SHA256:3AD89CB552952707F86D8BDF449FBC9E6486943D07985F49009C477595A659CB | |||
3816 | Skype.exe | C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt | text | |
MD5:D06EE013F7C7A119B3A6BFF40B796A87 | SHA256:8BFC2979249CBA531B2E8CABAEB7AADD884518EA8C46ED9802B1702ADA448BAF | |||
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | text | |
MD5:A00042E827E9FA749E490427DC1F6781 | SHA256:B1E7103D6E098300F60DAD4D1ADAE502478682CEB2A8DD0A32C87A3D648AEE13 | |||
2940 | diefioj.scr | C:\Users\admin\biecei.exe | executable | |
MD5:E151D5E17D55DA8C4B237F0ED7F7C589 | SHA256:0A858841FAAA6EEDA2DD5DC8254200165AB4813471C027D6EAEE3E0D70B9DE97 | |||
2092 | Skype.exe | C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt | text | |
MD5:62C836880CA350F7439110A7A5EB6801 | SHA256:E64D83AB07B79581DF7BFE79C3BC66F09B491F934482B73A78B53CC1F28CE232 | |||
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000005 | compressed | |
MD5:2F639CBB561789AAA2DDED91BA7B10C3 | SHA256:D16E14B38C97D9AF993615640BCD864E5179A2F112980E098D2D2F6C7FADA039 | |||
3516 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log | binary | |
MD5:76B2722AA96D7383D14691DE20685BC4 | SHA256:B3104E83662289AFB561341DD8138BEB4945F64F5DD040C3D033C264097F07ED |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3516 | Skype.exe | 52.114.158.53:443 | pipe.skype.com | Microsoft Corporation | US | whitelisted |
3516 | Skype.exe | 23.101.156.198:443 | a.config.skype.com | Microsoft Corporation | US | whitelisted |
3516 | Skype.exe | 157.55.134.138:443 | login.live.com | Microsoft Corporation | US | whitelisted |
3516 | Skype.exe | 152.199.19.161:443 | accountalt.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3516 | Skype.exe | 13.90.95.57:443 | get.skype.com | Microsoft Corporation | US | whitelisted |
3516 | Skype.exe | 172.217.18.170:443 | www.googleapis.com | Google Inc. | US | whitelisted |
3516 | Skype.exe | 13.68.117.223:443 | avatar.skype.com | Microsoft Corporation | US | whitelisted |
3516 | Skype.exe | 23.54.114.63:443 | download.skype.com | Akamai International B.V. | NL | whitelisted |
3516 | Skype.exe | 40.126.9.5:443 | account.live.com | Microsoft Corporation | US | unknown |
3016 | Skype.exe | 34.192.103.109:443 | rink.hockeyapp.net | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
ns2.theimageparlour.net |
| unknown |
get.skype.com |
| whitelisted |
a.config.skype.com |
| whitelisted |
pipe.skype.com |
| whitelisted |
download.skype.com |
| whitelisted |
login.live.com |
| whitelisted |
www.googleapis.com |
| whitelisted |
avatar.skype.com |
| whitelisted |
browser.pipe.aria.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
Process | Message |
---|---|
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service.cc(145)] window handle is 0002011E
|
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [3016:1452:0118/055701.754:VERBOSE1:crash_service_main.cc(94)] Ready to process crash requests
|
Skype.exe | [3016:2288:0118/055701.754:VERBOSE1:crash_service.cc(333)] client start. pid = 3516
|
Skype.exe | [3016:2288:0118/055704.740:VERBOSE1:crash_service.cc(333)] client start. pid = 2916
|
Skype.exe | [3816:3796:0118/055705.050:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [3816:3796:0118/055705.054:VERBOSE1:crash_service.cc(145)] window handle is 00040120
|
Skype.exe | [3816:3796:0118/055705.054:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|