File name: | loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104 |
Full analysis: | https://app.any.run/tasks/a9b46fb3-7e6b-496e-8633-0c54ac7488c4 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 05:21:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | DFB91E24B3377FDF791642FD59E98331 |
SHA1: | A7BB25569BBCC7F2D11EBC966A9275FF29785886 |
SHA256: | 5E24E243F507B365FB2330351BBBEBC0F69020F0ECBE4735E4310CA6B1444104 |
SSDEEP: | 24576:CUj843I41PyIs5M/tuxxMTtquq8bdyvmsX:Lj/PyIQxxMhquFd1sX |
.exe | | | Win32 Executable MS Visual C++ (generic) (38.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (34.3) |
.scr | | | Windows screen saver (16.2) |
.exe | | | Win32 Executable (generic) (5.6) |
.exe | | | Generic Win/DOS Executable (2.4) |
Comments: | Excel表格分发与汇总-《秋语软件》 |
---|---|
LegalCopyright: | 四川省乐至县大佛中学 赵映友 |
CompanyName: | 四川省乐至县大佛中学 赵映友 |
ProductVersion: | 2014.328.2014.328 |
ProductName: | Excel表格分发与汇总 |
FileDescription: | Excel表格分发与汇总-《秋语软件》 |
FileVersion: | 2014.328.2014.328 |
CharacterSet: | Unicode |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 2014.328.2014.328 |
FileVersionNumber: | 2014.328.2014.328 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x25de5a |
UninitializedDataSize: | - |
InitializedDataSize: | 647168 |
CodeSize: | 2494464 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2014:03:28 05:10:38+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 28-Mar-2014 04:10:38 |
Detected languages: |
|
FileVersion: | 2014.328.2014.328 |
FileDescription: | Excel表格分发与汇总-《秋语软件》 |
ProductName: | Excel表格分发与汇总 |
ProductVersion: | 2014.328.2014.328 |
CompanyName: | 四川省乐至县大佛中学 赵映友 |
LegalCopyright: | 四川省乐至县大佛中学 赵映友 |
Comments: | Excel表格分发与汇总-《秋语软件》 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 7 |
Time date stamp: | 28-Mar-2014 04:10:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000E27C6 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0 |
.rdata | 0x000E4000 | 0x00025B90 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0 |
.data | 0x0010A000 | 0x000658AA | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00170000 | 0x0005BBD8 | 0x00056000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.53559 |
.vmp0 | 0x001CC000 | 0x00004058 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0 |
.vmp1 | 0x001D1000 | 0x0009094F | 0x00091000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.91918 |
.reloc | 0x00262000 | 0x00000070 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.232724 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.24836 | 696 | Latin 1 / Western European | Chinese - PRC | RT_VERSION |
2 | 2.18858 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 3.28124 | 816 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 3.86969 | 304 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 2.61826 | 176 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 7.94231 | 22629 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 3.5013 | 1640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 3.58253 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON |
9 | 3.49912 | 488 | Latin 1 / Western European | UNKNOWN | RT_ICON |
10 | 3.13139 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON |
ADVAPI32.dll |
AVIFIL32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
MSIMG32.dll |
MSVFW32.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3176 | "C:\Users\admin\Desktop\loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe" | C:\Users\admin\Desktop\loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe | explorer.exe | |
User: admin Company: 四川省乐至县大佛中学 赵映友 Integrity Level: MEDIUM Description: Excel表格分发与汇总-《秋语软件》 Exit code: 0 Version: 2014.328.2014.328 | ||||
3824 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Excel·Ö·¢Óë»ã×Ü-»úÆ÷ÌØÕ÷Âë.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4036 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\mapnon.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2756 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | explorer.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
3964 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
2056 | C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f | C:\Windows\system32\reg.exe | Skype.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2676 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=D74D46AF331279E58DF3AB85FF593CAD --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=D74D46AF331279E58DF3AB85FF593CAD --renderer-client-id=3 --mojo-platform-channel-handle=1580 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.29.0.50 | ||||
604 | C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate | C:\Windows\system32\reg.exe | — | Skype.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2492 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 2 Version: 8.29.0.50 | ||||
2236 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=570C2A0D83B0ED72FD2EFA95EAEC3F28 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=1 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=570C2A0D83B0ED72FD2EFA95EAEC3F28 --renderer-client-id=4 --mojo-platform-channel-handle=2620 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 |
PID | Process | Filename | Type | |
---|---|---|---|---|
4036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5A60.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DDFB4AA4-DC6A-4A56-8007-DCD606170353}.tmp | — | |
MD5:— | SHA256:— | |||
4036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C2FCFA6-0A0F-49F1-AF3B-CE1D984F32FF}.tmp | — | |
MD5:— | SHA256:— | |||
4036 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7C1849F4-EC4B-4F92-8099-938CBBEBACFD}.tmp | — | |
MD5:— | SHA256:— | |||
2756 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQFB2KJBRSVHOPPMN6QO.temp | — | |
MD5:— | SHA256:— | |||
2676 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-1886119813.blog | — | |
MD5:— | SHA256:— | |||
3176 | loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe | C:\Users\admin\Desktop\Excel·Ö·¢Óë»ã×Ü-»úÆ÷ÌØÕ÷Âë.txt | text | |
MD5:366B3E3D34B80AAF1461A4EAC305C10F | SHA256:C04BE28E3574D60370A212ADDBA12A6E8B6238790883A86D3D3617378D138E96 | |||
4036 | WINWORD.EXE | C:\Users\admin\Desktop\~$mapnon.rtf | pgc | |
MD5:71D48231F6A08BBA12E9C9A9217FF10B | SHA256:644403A261FDA1CEDBFFA4A64573B5101F322A202AC1EB1EEFDFE1DFEE0D7BC9 | |||
4036 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:C47CA85F3CF808EF43EE524E61EB6DC9 | SHA256:ECD311B8C31C676D11653D730BC55694A0447170981A2509F5C95BDF3360750E | |||
2756 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | text | |
MD5:6B61EC08C034FD16B389813A86B50F0F | SHA256:48C79BE17E7DEFC98971D908E598473BB5B8F9A0AA9A51613F935FD9B2E7C045 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2756 | Skype.exe | 142.250.74.202:443 | www.googleapis.com | Google Inc. | US | whitelisted |
2756 | Skype.exe | 152.199.19.160:443 | bot-framework.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2756 | Skype.exe | 104.111.214.239:443 | download.skype.com | Akamai International B.V. | NL | whitelisted |
3176 | loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe | 203.129.68.14:13 | — | Hutchison Global Crossing Ltd. | HK | unknown |
2756 | Skype.exe | 52.233.180.130:443 | avatar.skype.com | Microsoft Corporation | NL | unknown |
2756 | Skype.exe | 52.174.193.75:443 | get.skype.com | Microsoft Corporation | NL | whitelisted |
2756 | Skype.exe | 13.107.42.23:443 | a.config.skype.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
get.skype.com |
| whitelisted |
a.config.skype.com |
| whitelisted |
download.skype.com |
| whitelisted |
www.googleapis.com |
| whitelisted |
avatar.skype.com |
| whitelisted |
bot-framework.azureedge.net |
| whitelisted |
Process | Message |
---|---|
Skype.exe | [2492:3188:0930/062259.110:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [2492:3188:0930/062259.112:VERBOSE1:crash_service.cc(145)] window handle is 001E0186
|
Skype.exe | [2492:3188:0930/062259.112:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [2492:3188:0930/062259.112:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [2492:3188:0930/062259.112:ERROR:crash_service.cc(311)] could not start dumper
|