File name:

VMware.Workstation.Pro.17.kg.exe

Full analysis: https://app.any.run/tasks/6f20ddb1-6baf-4967-8836-4ffe85735c44
Verdict: Malicious activity
Analysis date: April 24, 2024, 16:22:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

37D211C3FC5272DFA3535EBD800F57CB

SHA1:

0AFD9FEEBE27A74F03E0B4E6278FC1AF07D25BCC

SHA256:

90874042CE8F563D41D173A095C4B808BB151ED31957F305C4EE503BBA35C5F9

SSDEEP:

768:ZBzRVPRcOfgm4sNM/+VYgwhjQ0VMBjmc6vQyXBurVfaTU0n4bU:7RJR2kNM/+VlsQx6LXorV4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • VMware.Workstation.Pro.17.kg.exe (PID: 1316)
      • Skype-Setup.exe (PID: 3484)
      • Skype-Setup.exe (PID: 1236)
      • Skype-Setup.tmp (PID: 980)

    • Actions looks like stealing of personal data

      • Skype-Setup.tmp (PID: 980)

  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 2300)

    • Reads the Internet Settings

      • Skype.exe (PID: 2300)
      • Skype-Setup.tmp (PID: 980)
      • Skype-Setup.tmp (PID: 1808)

    • Executable content was dropped or overwritten

      • Skype-Setup.exe (PID: 1236)
      • Skype-Setup.exe (PID: 3484)
      • Skype-Setup.tmp (PID: 980)

    • Reads the Windows owner or organization settings

      • Skype-Setup.tmp (PID: 980)

    • Reads security settings of Internet Explorer

      • Skype-Setup.tmp (PID: 980)
      • Skype-Setup.tmp (PID: 1808)

    • Searches for installed software

      • Skype-Setup.tmp (PID: 980)

    • The process drops C-runtime libraries

      • Skype-Setup.tmp (PID: 980)

    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 980)

    • Process drops legitimate windows executable

      • Skype-Setup.tmp (PID: 980)

  • INFO

    • Checks supported languages

      • VMware.Workstation.Pro.17.kg.exe (PID: 1316)
      • Skype.exe (PID: 2300)
      • Skype.exe (PID: 3664)
      • Skype.exe (PID: 3084)
      • Skype.exe (PID: 1428)
      • Skype-Setup.exe (PID: 3484)
      • Skype.exe (PID: 2756)
      • Skype-Setup.tmp (PID: 1808)
      • Skype.exe (PID: 3984)
      • Skype-Setup.exe (PID: 1236)
      • Skype-Setup.tmp (PID: 980)
      • Skype.exe (PID: 900)

    • Reads product name

      • Skype.exe (PID: 2300)

    • Reads the computer name

      • Skype.exe (PID: 2300)
      • Skype.exe (PID: 3084)
      • Skype.exe (PID: 1428)
      • Skype.exe (PID: 2756)
      • Skype.exe (PID: 3984)
      • Skype-Setup.tmp (PID: 1808)
      • Skype-Setup.tmp (PID: 980)

    • Manual execution by a user

      • Skype.exe (PID: 2300)

    • Reads Environment values

      • Skype.exe (PID: 2300)

    • Reads CPU info

      • Skype.exe (PID: 2300)

    • Creates files or folders in the user directory

      • Skype.exe (PID: 2300)

    • Create files in a temporary directory

      • Skype-Setup.exe (PID: 3484)
      • Skype-Setup.tmp (PID: 980)
      • Skype-Setup.exe (PID: 1236)

    • Creates a software uninstall entry

      • Skype-Setup.tmp (PID: 980)

    • Creates files in the program directory

      • Skype-Setup.tmp (PID: 980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:09:27 08:59:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28672
InitializedDataSize: 20480
UninitializedDataSize: 45056
EntryPoint: 0x11f10
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
13
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start vmware.workstation.pro.17.kg.exe no specs skype.exe skype.exe skype.exe no specs skype.exe no specs skype-setup.exe skype.exe no specs skype-setup.tmp no specs skype.exe no specs skype-setup.exe skype-setup.tmp taskkill.exe no specs skype.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
900"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype-Setup.tmp
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.110.0.218
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
980"C:\Users\admin\AppData\Local\Temp\is-DDAFV.tmp\Skype-Setup.tmp" /SL5="$18021C,88729071,404480,C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /SPAWNWND=$170170 /NOTIFYWND=$24013E /silent !desktopiconC:\Users\admin\AppData\Local\Temp\is-DDAFV.tmp\Skype-Setup.tmp
Skype-Setup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ddafv.tmp\skype-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1236"C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /SPAWNWND=$170170 /NOTIFYWND=$24013E /silent !desktopiconC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
Skype-Setup.tmp
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
HIGH
Description:
Skype Setup
Version:
8.110.0.218
Modules
Images
c:\users\admin\appdata\roaming\microsoft\skype for desktop\skype-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1316"C:\Users\admin\AppData\Local\Temp\VMware.Workstation.Pro.17.kg.exe" C:\Users\admin\AppData\Local\Temp\VMware.Workstation.Pro.17.kg.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\vmware.workstation.pro.17.kg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1340"C:\Windows\System32\taskkill.exe" /f /im Skype.exeC:\Windows\System32\taskkill.exeSkype-Setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1428"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=1516 --field-trial-handle=1312,i,3017551576535084881,359876616554849595,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
1
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1808"C:\Users\admin\AppData\Local\Temp\is-BPS51.tmp\Skype-Setup.tmp" /SL5="$24013E,88729071,404480,C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /silent !desktopiconC:\Users\admin\AppData\Local\Temp\is-BPS51.tmp\Skype-Setup.tmpSkype-Setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-bps51.tmp\skype-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2300"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
explorer.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
1
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2756"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1320 --field-trial-handle=1312,i,3017551576535084881,359876616554849595,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
LOW
Description:
Skype
Exit code:
0
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
3084"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 --field-trial-handle=1312,i,3017551576535084881,359876616554849595,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
LOW
Description:
Skype
Exit code:
0
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
Total events
6 284
Read events
6 225
Write events
57
Delete events
2

Modification events

(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
D4030000C9B58FA16396DA01
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
DEDE69A0938F4C87E8470D5D3F355EDC62A7F0BA937C056F2FE015826E492E7E
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-console-l1-1-0.dll
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
35C0C10CE5673E5727C5DCBF9387B3A97C1E527FE91A218471EAD9674375802C
(PID) Process:(980) Skype-Setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype
Operation:writeName:icon
Value:
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Executable files
146
Suspicious files
63
Text files
87
Unknown types
63

Dropped files

PID
Process
Filename
Type
2300Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.oldtext
MD5:AEAB6EEF48334E4749D630894ADCA674
SHA256:7B1139E4ABA3CF16CA2C097DC19F515B73C934315CC497769B6627C6252AE264
2300Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.jsonbinary
MD5:8AAB3FFA37C9CEF3FF1B107AE8FD1335
SHA256:AB9B6A671A41D213308E5D83C4DC72F090C25CD97392CB43A6EEF2FB55159833
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:EEFE86B5A3AB256BEED8621A05210DF2
SHA256:1D1C11FC1AD1FEBF9308225C4CCF0431606A4AB08680BA04494D276CB310BF15
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-9CII4.tmpexecutable
MD5:8894176AF3EA65A09AE5CF4C0E6FF50F
SHA256:C64B7C6400E9BACC1A4F1BAED6374BFBCE9A3F8CF20C2D03F81EF18262F89C60
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:879920C7FA905036856BCB10875121D9
SHA256:7E4CBA620B87189278B5631536CDAD9BFDA6E12ABD8E4EB647CB85369A204FE8
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-LTDJE.tmpexecutable
MD5:AABBB38C4110CC0BF7203A567734A7E7
SHA256:24B07028C1E38B9CA2F197750654A0DFB7D33C2E52C9DD67100609499E8028DB
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-U3B04.tmpexecutable
MD5:79EE4A2FCBE24E9A65106DE834CCDA4A
SHA256:9F7BDA59FAAFC8A455F98397A63A7F7D114EFC4E8A41808C791256EBF33C7613
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-T3THK.tmpexecutable
MD5:D91BF81CF5178D47D1A588B0DF98EB24
SHA256:F8E3B45FD3E22866006F16A9E73E28B5E357F31F3C275B517692A5F16918B492
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:D91BF81CF5178D47D1A588B0DF98EB24
SHA256:F8E3B45FD3E22866006F16A9E73E28B5E357F31F3C275B517692A5F16918B492
980Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-F4JT5.tmpexecutable
MD5:55364BFEA54A03CCBA0F0400DF3D629F
SHA256:94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
whitelisted
2300
Skype.exe
52.113.194.133:443
get.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2300
Skype.exe
13.107.42.16:443
a.config.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2300
Skype.exe
23.43.60.136:443
download.skype.com
Akamai International B.V.
US
unknown

DNS requests

Domain
IP
Reputation
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
download.skype.com
  • 23.43.60.136
whitelisted

Threats

No threats detected
Process
Message
Skype.exe
[0424/172236.194:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
VMware.Workstation.Pro.17.kg.exe