File name:

ZohoMeetingLauncher (3).exe

Full analysis: https://app.any.run/tasks/7de90f8c-920e-4a21-920c-afca98292ee4
Verdict: Malicious activity
Analysis date: January 31, 2024, 16:53:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

36E20AB56A37621802A3F1774497AAE9

SHA1:

4FCF814A1B557D6219A44FDDC95E1E4401AEECD1

SHA256:

843212C77600850747D9C384551F3F20D39F38ECA185E2078B05E2BA584A1272

SSDEEP:

12288:4eSZNsl7Oem1cZ+zSgKZjGYFO4NXl+FIClh494m424/DB11RUjB67KFR:FaNspOeSSgKZSYFOEIrDB13iB67a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype-Setup.exe (PID: 3316)
      • Skype-Setup.exe (PID: 3888)
      • Skype-Setup.tmp (PID: 3860)

    • Actions looks like stealing of personal data

      • Skype-Setup.tmp (PID: 3860)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 3668)

    • Adds/modifies Windows certificates

      • ZohoMeetingLauncher (3).exe (PID: 1392)

    • Reads the Internet Settings

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 896)
      • Skype-Setup.tmp (PID: 3860)
      • Skype.exe (PID: 3668)
      • Skype-Setup.tmp (PID: 3548)

    • Application launched itself

      • Skype.exe (PID: 896)
      • Skype.exe (PID: 3668)

    • Executable content was dropped or overwritten

      • Skype-Setup.exe (PID: 3316)
      • Skype-Setup.tmp (PID: 3860)
      • Skype-Setup.exe (PID: 3888)

    • Searches for installed software

      • Skype-Setup.tmp (PID: 3860)

    • Reads the Windows owner or organization settings

      • Skype-Setup.tmp (PID: 3860)

    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 3860)

    • Process drops legitimate windows executable

      • Skype-Setup.tmp (PID: 3860)

    • The process drops C-runtime libraries

      • Skype-Setup.tmp (PID: 3860)

    • Uses REG/REGEDIT.EXE to modify registry

      • Skype.exe (PID: 3668)

  • INFO

    • Reads product name

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 896)
      • Skype.exe (PID: 3668)
      • Skype.exe (PID: 2648)

    • Checks supported languages

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 896)
      • Skype.exe (PID: 3156)
      • Skype.exe (PID: 3012)
      • Skype.exe (PID: 3372)
      • Skype-Setup.exe (PID: 3316)
      • Skype-Setup.exe (PID: 3888)
      • Skype-Setup.tmp (PID: 3548)
      • Skype.exe (PID: 2980)
      • Skype-Setup.tmp (PID: 3860)
      • Skype.exe (PID: 2920)
      • Skype.exe (PID: 3944)
      • Skype.exe (PID: 1876)
      • Skype.exe (PID: 3668)
      • Skype.exe (PID: 1728)
      • Skype.exe (PID: 1656)
      • Skype.exe (PID: 2648)
      • Skype.exe (PID: 2032)

    • Reads the computer name

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 896)
      • Skype.exe (PID: 3012)
      • Skype.exe (PID: 3372)
      • Skype-Setup.tmp (PID: 3548)
      • Skype.exe (PID: 2980)
      • Skype.exe (PID: 3156)
      • Skype-Setup.tmp (PID: 3860)
      • Skype.exe (PID: 3668)
      • Skype.exe (PID: 3944)
      • Skype.exe (PID: 1876)
      • Skype.exe (PID: 2648)
      • Skype.exe (PID: 1656)

    • Reads Environment values

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 896)
      • Skype.exe (PID: 3668)
      • Skype.exe (PID: 2648)

    • Creates files or folders in the user directory

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 896)
      • Skype.exe (PID: 3668)
      • Skype.exe (PID: 1876)
      • Skype.exe (PID: 2648)

    • Reads the machine GUID from the registry

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype.exe (PID: 3668)

    • Create files in a temporary directory

      • ZohoMeetingLauncher (3).exe (PID: 1392)
      • Skype-Setup.exe (PID: 3316)
      • Skype-Setup.exe (PID: 3888)
      • Skype-Setup.tmp (PID: 3860)
      • Skype.exe (PID: 3668)

    • Manual execution by a user

      • Skype.exe (PID: 896)

    • Reads CPU info

      • Skype.exe (PID: 896)
      • Skype.exe (PID: 3668)

    • Creates files in the program directory

      • Skype-Setup.tmp (PID: 3860)

    • Process checks computer location settings

      • Skype.exe (PID: 3668)
      • Skype.exe (PID: 1728)
      • Skype.exe (PID: 2648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:11 13:11:53+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 428544
InitializedDataSize: 309760
UninitializedDataSize: -
EntryPoint: 0x3ca48
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.1
ProductVersionNumber: 2.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: ZOHO Corporation
FileDescription: Zoho Meeting
FileVersion: 2.0.0.1
InternalName: Zoho Meeting
LegalCopyright: Copyright © 2023, Zoho Corporation Pvt. Ltd. All Rights Reserved.
OriginalFileName: ZohoMeetingLauncher.exe
ProductName: Zoho Meeting
ProductVersion: 2.0.0.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
93
Monitored processes
36
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start zohomeetinglauncher (3).exe skype.exe skype.exe skype.exe no specs skype.exe no specs skype-setup.exe skype.exe no specs skype-setup.tmp no specs skype-setup.exe skype.exe no specs skype-setup.tmp taskkill.exe no specs skype.exe skype.exe skype.exe no specs skype.exe reg.exe no specs skype.exe no specs reg.exe no specs skype.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs skype.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
332C:\Windows\system32\reg.exe QUERY HKCR\MSEdgeHTM\Application /v ApplicationNameC:\Windows\System32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
680C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /veC:\Windows\System32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
752C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /veC:\Windows\System32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
896"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
explorer.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
1
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1040C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /fC:\Windows\System32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1168C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgIdC:\Windows\System32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1392"C:\Users\admin\AppData\Local\Temp\ZohoMeetingLauncher (3).exe" C:\Users\admin\AppData\Local\Temp\ZohoMeetingLauncher (3).exe
explorer.exe
User:
admin
Company:
ZOHO Corporation
Integrity Level:
MEDIUM
Description:
Zoho Meeting
Exit code:
0
Version:
2.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\zohomeetinglauncher (3).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1576C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgIdC:\Windows\System32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1588C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /veC:\Windows\System32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1656"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1292,i,4032495369610062996,13794478754501748301,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
LOW
Description:
Skype
Exit code:
0
Version:
8.110.0.218
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
Total events
14 899
Read events
14 825
Write events
63
Delete events
11

Modification events

(PID) Process:(1392) ZohoMeetingLauncher (3).exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1392) ZohoMeetingLauncher (3).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
0300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(1392) ZohoMeetingLauncher (3).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:delete keyName:(default)
Value:
(PID) Process:(1392) ZohoMeetingLauncher (3).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation:writeName:Blob
Value:
53000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C0190000000100000010000000EA6089055218053DD01E37E1D806EEDF620000000100000020000000E793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD21400000001000000140000005379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB1D0000000100000010000000885010358D29A38F059B028559C95F900B00000001000000100000005300650063007400690067006F0000000300000001000000140000002B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E0F000000010000003000000066B764A96581128168CF208E374DDA479D54E311F32457F4AEE0DBD2A6C8D171D531289E1CD22BFDBBD4CFD979625483090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703082000000001000000E2050000308205DE308203C6A003020102021001FD6D30FCA3CA51A81BBC640E35032D300D06092A864886F70D01010C0500308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010080126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD518E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F0203010001A3423040301D0603551D0E041604145379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300D06092A864886F70D01010C050003820201005CD47C0DCFF7017D4199650C73C5529FCBF8CF99067F1BDA43159F9E0255579614F1523C27879428ED1F3A0137A276FC5350C0849BC66B4EBA8C214FA28E556291F36915D8BC88E3C4AA0BFDEFA8E94B552A06206D55782919EE5F305C4B241155FF249A6E5E2A2BEE0B4D9F7FF70138941495430709FB60A9EE1CAB128CA09A5EA7986A596D8B3F08FBC8D145AF18156490120F73282EC5E2244EFC58ECF0F445FE22B3EB2F8ED2D9456105C1976FA876728F8B8C36AFBF0D05CE718DE6A66F1F6CA67162C5D8D083720CF16711890C9C134C7234DFBCD571DFAA71DDE1B96C8C3C125D65DABD5712B6436BFFE5DE4D661151CF99AEEC17B6E871918CDE49FEDD3571A21527941CCF61E326BB6FA36725215DE6DD1D0B2E681B3B82AFEC836785D4985174B1B9998089FF7F78195C794A602E9240AE4C372A2CC9C762C80E5DF7365BCAE0252501B4DD1A079C77003FD0DCD5EC3DD4FABB3FCC85D66F7FA92DDFB902F7F5979AB535DAC367B0874AA9289E238EFF5C276BE1B04FF307EE002ED45987CB524195EAF447D7EE6441557C8D590295DD629DC2B9EE5A287484A59BB790C70C07DFF589367432D628C1B0B00BE09C4CC31CD6FCE369B54746812FA282ABD3634470C48DFF2D33BAAD8F7BB57088AE3E19CF4028D8FCC890BB5D9922F552E658C51F883143EE881DD7C68E3C436A1DA718DE7D3D16F162F9CA90A8FD
(PID) Process:(1392) ZohoMeetingLauncher (3).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation:delete keyName:(default)
Value:
(PID) Process:(3860) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3860) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3860) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3860) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3860) Skype-Setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype
Operation:writeName:icon
Value:
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Executable files
146
Suspicious files
171
Text files
95
Unknown types
0

Dropped files

PID
Process
Filename
Type
896Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.datbinary
MD5:3B2AEFD32F61DB8110091B81A16A9AD1
SHA256:27A6D2020F45CD9D3F4DFCF837EC661A1D997B08D23E3CB41B94186C21A50B37
3888Skype-Setup.exeC:\Users\admin\AppData\Local\Temp\is-OELTI.tmp\Skype-Setup.tmpexecutable
MD5:55364BFEA54A03CCBA0F0400DF3D629F
SHA256:94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
3860Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-SAV70.tmpexecutable
MD5:8894176AF3EA65A09AE5CF4C0E6FF50F
SHA256:C64B7C6400E9BACC1A4F1BAED6374BFBCE9A3F8CF20C2D03F81EF18262F89C60
3316Skype-Setup.exeC:\Users\admin\AppData\Local\Temp\is-6PJP2.tmp\Skype-Setup.tmpexecutable
MD5:55364BFEA54A03CCBA0F0400DF3D629F
SHA256:94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
3860Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:8894176AF3EA65A09AE5CF4C0E6FF50F
SHA256:C64B7C6400E9BACC1A4F1BAED6374BFBCE9A3F8CF20C2D03F81EF18262F89C60
3860Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-0GMI5.tmpexecutable
MD5:879920C7FA905036856BCB10875121D9
SHA256:7E4CBA620B87189278B5631536CDAD9BFDA6E12ABD8E4EB647CB85369A204FE8
896Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.jsonbinary
MD5:8AAB3FFA37C9CEF3FF1B107AE8FD1335
SHA256:AB9B6A671A41D213308E5D83C4DC72F090C25CD97392CB43A6EEF2FB55159833
896Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old~RF167b8d.TMPtext
MD5:FF878337359379694741312E6B39EF79
SHA256:AFDE1D769112411CE68EBA5A2821FED0E058B8A31D0795F6047718DD324B3C8F
3860Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-3SUUF.tmpexecutable
MD5:55364BFEA54A03CCBA0F0400DF3D629F
SHA256:94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
3860Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-VC1F5.tmpexecutable
MD5:D91BF81CF5178D47D1A588B0DF98EB24
SHA256:F8E3B45FD3E22866006F16A9E73E28B5E357F31F3C275B517692A5F16918B492
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
21
DNS requests
21
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1392
ZohoMeetingLauncher (3).exe
136.143.190.163:443
meeting.zoho.com
ZOHO-AS
US
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
896
Skype.exe
52.113.194.133:443
get.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
896
Skype.exe
13.107.42.16:443
a.config.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
896
Skype.exe
23.32.184.137:443
download.skype.com
AKAMAI-AS
BR
unknown
3668
Skype.exe
52.113.194.133:443
get.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3668
Skype.exe
13.107.42.16:443
a.config.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3668
Skype.exe
20.189.173.18:443
pipe.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
meeting.zoho.com
  • 136.143.190.163
whitelisted
meeting-monitor.zoho.com
  • 136.143.190.163
unknown
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
download.skype.com
  • 23.32.184.137
whitelisted
pipe.skype.com
  • 20.189.173.18
whitelisted
gateway.bingviz.microsoftapp.net
  • 13.107.246.45
  • 13.107.213.45
unknown
eagle.sapphire.microsoftapp.net
  • 13.107.246.62
  • 13.107.213.62
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
login.live.com
  • 20.190.159.71
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.23
  • 40.126.31.73
  • 20.190.159.0
  • 40.126.31.69
  • 20.190.159.73
whitelisted

Threats

No threats detected
Process
Message
Skype.exe
[0131/165356.470:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
Skype.exe
[0131/165416.492:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ZohoMeetingLauncher (3).exe