File name:

loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104

Full analysis: https://app.any.run/tasks/a9b46fb3-7e6b-496e-8633-0c54ac7488c4
Verdict: Malicious activity
Analysis date: September 30, 2020, 05:21:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

DFB91E24B3377FDF791642FD59E98331

SHA1:

A7BB25569BBCC7F2D11EBC966A9275FF29785886

SHA256:

5E24E243F507B365FB2330351BBBEBC0F69020F0ECBE4735E4310CA6B1444104

SSDEEP:

24576:CUj843I41PyIs5M/tuxxMTtquq8bdyvmsX:Lj/PyIQxxMhquFd1sX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2056)

  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 2756)
      • Skype.exe (PID: 2236)
      • Skype.exe (PID: 2676)

    • Reads CPU info

      • Skype.exe (PID: 2756)

    • Creates files in the user directory

      • Skype.exe (PID: 2756)
      • Skype.exe (PID: 2676)

    • Uses REG.EXE to modify Windows registry

      • Skype.exe (PID: 2756)

    • Modifies the open verb of a shell class

      • Skype.exe (PID: 2756)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4036)

    • Manual execution by user

      • WINWORD.EXE (PID: 4036)
      • NOTEPAD.EXE (PID: 3824)
      • Skype.exe (PID: 2756)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4036)

    • Reads the hosts file

      • Skype.exe (PID: 2756)

    • Reads settings of System Certificates

      • Skype.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (38.7)
.exe | Win64 Executable (generic) (34.3)
.scr | Windows screen saver (16.2)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:03:28 05:10:38+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 2494464
InitializedDataSize: 647168
UninitializedDataSize: -
EntryPoint: 0x25de5a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2014.328.2014.328
ProductVersionNumber: 2014.328.2014.328
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 2014.328.2014.328
FileDescription: Excel表格分发与汇总-《秋语软件》
ProductName: Excel表格分发与汇总
ProductVersion: 2014.328.2014.328
CompanyName: 四川省乐至县大佛中学 赵映友
LegalCopyright: 四川省乐至县大佛中学 赵映友
Comments: Excel表格分发与汇总-《秋语软件》

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-Mar-2014 04:10:38
Detected languages:
  • Chinese - PRC
FileVersion: 2014.328.2014.328
FileDescription: Excel表格分发与汇总-《秋语软件》
ProductName: Excel表格分发与汇总
ProductVersion: 2014.328.2014.328
CompanyName: 四川省乐至县大佛中学 赵映友
LegalCopyright: 四川省乐至县大佛中学 赵映友
Comments: Excel表格分发与汇总-《秋语软件》

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 28-Mar-2014 04:10:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000E27C6
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0
.rdata
0x000E4000
0x00025B90
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0
.data
0x0010A000
0x000658AA
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00170000
0x0005BBD8
0x00056000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.53559
.vmp0
0x001CC000
0x00004058
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0
.vmp1
0x001D1000
0x0009094F
0x00091000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.91918
.reloc
0x00262000
0x00000070
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.232724

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.24836
696
Latin 1 / Western European
Chinese - PRC
RT_VERSION
2
2.18858
296
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
3.28124
816
Latin 1 / Western European
UNKNOWN
RT_ICON
4
3.86969
304
Latin 1 / Western European
UNKNOWN
RT_ICON
5
2.61826
176
Latin 1 / Western European
UNKNOWN
RT_ICON
6
7.94231
22629
Latin 1 / Western European
UNKNOWN
RT_ICON
7
3.5013
1640
Latin 1 / Western European
UNKNOWN
RT_ICON
8
3.58253
744
Latin 1 / Western European
UNKNOWN
RT_ICON
9
3.49912
488
Latin 1 / Western European
UNKNOWN
RT_ICON
10
3.13139
296
Latin 1 / Western European
UNKNOWN
RT_ICON

Imports

ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
MSVFW32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
11
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe notepad.exe no specs winword.exe no specs skype.exe skype.exe reg.exe skype.exe no specs reg.exe no specs skype.exe skype.exe no specs skype.exe

Process information

PID
CMD
Path
Indicators
Parent process
604C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdateC:\Windows\system32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2056C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /fC:\Windows\system32\reg.exe
Skype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2236"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=570C2A0D83B0ED72FD2EFA95EAEC3F28 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=1 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=570C2A0D83B0ED72FD2EFA95EAEC3F28 --renderer-client-id=4 --mojo-platform-channel-handle=2620 /prefetch:1C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
0
Version:
8.29.0.50
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
2248"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
0
Version:
8.29.0.50
Modules
Images
c:\systemroot\system32\ntdll.dll
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
2492"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
2
Version:
8.29.0.50
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
2676"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=D74D46AF331279E58DF3AB85FF593CAD --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=D74D46AF331279E58DF3AB85FF593CAD --renderer-client-id=3 --mojo-platform-channel-handle=1580 /prefetch:1C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
0
Version:
8.29.0.50
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
2756"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
explorer.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
0
Version:
8.29.0.50
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
3176"C:\Users\admin\Desktop\loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe" C:\Users\admin\Desktop\loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe
explorer.exe
User:
admin
Company:
四川省乐至县大佛中学 赵映友
Integrity Level:
MEDIUM
Description:
Excel表格分发与汇总-《秋语软件》
Exit code:
0
Version:
2014.328.2014.328
Modules
Images
c:\users\admin\desktop\loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3824"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Excel·Ö·¢Óë»ã×Ü-»úÆ÷ÌØÕ÷Âë.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3964"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
0
Version:
8.29.0.50
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
Total events
1 334
Read events
1 009
Write events
180
Delete events
145

Modification events

(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:`vk
Value:
60766B00C40F0000010000000000000000000000
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(4036) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
2
Text files
15
Unknown types
4

Dropped files

PID
Process
Filename
Type
4036WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5A60.tmp.cvr
MD5:
SHA256:
4036WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DDFB4AA4-DC6A-4A56-8007-DCD606170353}.tmp
MD5:
SHA256:
4036WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C2FCFA6-0A0F-49F1-AF3B-CE1D984F32FF}.tmp
MD5:
SHA256:
4036WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7C1849F4-EC4B-4F92-8099-938CBBEBACFD}.tmp
MD5:
SHA256:
2756Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQFB2KJBRSVHOPPMN6QO.temp
MD5:
SHA256:
2676Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-1886119813.blog
MD5:
SHA256:
2756Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.jsontext
MD5:
SHA256:
3176loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exeC:\Users\admin\Desktop\Excel·Ö·¢Óë»ã×Ü-»úÆ÷ÌØÕ÷Âë.txttext
MD5:
SHA256:
4036WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:
SHA256:
4036WINWORD.EXEC:\Users\admin\Desktop\~$mapnon.rtfpgc
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
6
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2756
Skype.exe
104.111.214.239:443
download.skype.com
Akamai International B.V.
NL
whitelisted
2756
Skype.exe
152.199.19.160:443
bot-framework.azureedge.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2756
Skype.exe
142.250.74.202:443
www.googleapis.com
Google Inc.
US
whitelisted
2756
Skype.exe
13.107.42.23:443
a.config.skype.com
Microsoft Corporation
US
suspicious
2756
Skype.exe
52.233.180.130:443
avatar.skype.com
Microsoft Corporation
NL
unknown
2756
Skype.exe
52.174.193.75:443
get.skype.com
Microsoft Corporation
NL
whitelisted
3176
loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104.exe
203.129.68.14:13
Hutchison Global Crossing Ltd.
HK
unknown

DNS requests

Domain
IP
Reputation
get.skype.com
  • 52.174.193.75
whitelisted
a.config.skype.com
  • 13.107.42.23
whitelisted
download.skype.com
  • 104.111.214.239
whitelisted
www.googleapis.com
  • 142.250.74.202
  • 172.217.23.170
  • 172.217.23.138
  • 216.58.205.234
  • 216.58.206.10
  • 172.217.22.74
  • 216.58.207.42
  • 216.58.207.74
  • 172.217.22.106
  • 172.217.16.202
  • 172.217.21.234
  • 172.217.16.170
  • 172.217.23.106
  • 216.58.212.138
  • 172.217.22.42
  • 172.217.16.138
whitelisted
avatar.skype.com
  • 52.233.180.130
whitelisted
bot-framework.azureedge.net
  • 152.199.19.160
whitelisted

Threats

No threats detected
Process
Message
Skype.exe
[3964:3692:0930/062256.879:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe
[3964:3692:0930/062256.894:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe
[3964:3692:0930/062256.894:VERBOSE1:crash_service_main.cc(94)] Ready to process crash requests
Skype.exe
[3964:1524:0930/062256.894:VERBOSE1:crash_service.cc(333)] client start. pid = 2756
Skype.exe
[3964:3692:0930/062256.894:VERBOSE1:crash_service.cc(145)] window handle is 00100298
Skype.exe
[3964:3692:0930/062256.894:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe
[3964:1524:0930/062258.937:VERBOSE1:crash_service.cc(333)] client start. pid = 2676
Skype.exe
[2492:3188:0930/062259.110:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe
[2492:3188:0930/062259.112:ERROR:crash_service.cc(311)] could not start dumper
Skype.exe
[2492:3188:0930/062259.112:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
loaded_5e24e243f507b365fb2330351bbbebc0f69020f0ecbe4735e4310ca6b1444104