File name:

Skype.exe

Full analysis: https://app.any.run/tasks/7dce1d89-8eed-4351-9801-198394eca124
Verdict: Malicious activity
Threats:

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

Malware Trends Tracker     >>>
Analysis date: January 28, 2025, 07:41:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
exela
stealer
python
discord
screenshot
pyinstaller
susp-powershell
ims-api
generic
growtopia
discordgrabber
upx
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

ACB5EA74898E50FFCA9F426D655D08FE

SHA1:

55FCD77DA9AEC4FFDB6A3D23CB443316735FA727

SHA256:

E44E7810115FDAFC7952FA7F62C2773812D49CF9D987114046B16FDD499AC4EE

SSDEEP:

98304:xJ3DD54k4oVRrj1oi7dp45KK+Mj1nwOPkByaIxOeW/OKeJqQKHH7bmY90GpJNSDG:DVZmWFxvfA3Xodu6YWHCq95Ge

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 4076)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 2232)

    • Actions looks like stealing of personal data

      • Skype.exe (PID: 3988)

    • Steals credentials from Web Browsers

      • Skype.exe (PID: 3988)

    • ExelaStealer has been detected

      • Skype.exe (PID: 3988)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 5320)
      • cmd.exe (PID: 1688)
      • net.exe (PID: 4136)
      • net.exe (PID: 2676)

    • Starts NET.EXE to view/change users localgroup

      • net.exe (PID: 5880)
      • cmd.exe (PID: 1688)
      • net.exe (PID: 2744)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3260)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3420)

    • DISCORDGRABBER has been detected (YARA)

      • Skype.exe (PID: 3988)

    • GROWTOPIA has been detected (YARA)

      • Skype.exe (PID: 3988)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 624)

    • Process drops legitimate windows executable

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 624)

    • Executable content was dropped or overwritten

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 5712)
      • Skype.exe (PID: 624)
      • csc.exe (PID: 4392)

    • Process drops python dynamic module

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 624)

    • Application launched itself

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 5712)
      • Skype.exe (PID: 624)
      • cmd.exe (PID: 2100)
      • cmd.exe (PID: 1224)

    • Get information on the list of running processes

      • cmd.exe (PID: 4512)
      • Skype.exe (PID: 5712)
      • cmd.exe (PID: 5096)
      • Skype.exe (PID: 3988)
      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 3544)
      • cmd.exe (PID: 1688)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3688)

    • Lists all scheduled tasks

      • schtasks.exe (PID: 4716)
      • schtasks.exe (PID: 644)

    • Reads security settings of Internet Explorer

      • Skype.exe (PID: 5712)

    • Reads the date of Windows installation

      • Skype.exe (PID: 5712)

    • Loads Python modules

      • Skype.exe (PID: 3988)
      • Skype.exe (PID: 5712)

    • Starts CMD.EXE for commands execution

      • Skype.exe (PID: 3988)
      • cmd.exe (PID: 2100)
      • cmd.exe (PID: 1224)
      • Skype.exe (PID: 5712)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3688)
      • cmd.exe (PID: 2160)
      • cmd.exe (PID: 4136)
      • cmd.exe (PID: 3816)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4520)
      • WMIC.exe (PID: 5748)
      • WMIC.exe (PID: 1616)
      • WMIC.exe (PID: 2160)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4764)
      • cmd.exe (PID: 236)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5388)
      • cmd.exe (PID: 3420)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 3700)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 1688)

    • Checks for external IP

      • svchost.exe (PID: 2192)
      • Skype.exe (PID: 3988)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 1688)

    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 3612)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 1688)

    • Uses WMIC.EXE to obtain commands that are run when users log in

      • cmd.exe (PID: 1688)

    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 1688)

    • Uses ROUTE.EXE to obtain the routing table information

      • cmd.exe (PID: 1688)

    • Process uses ARP to discover network configuration

      • cmd.exe (PID: 1688)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1688)

    • Windows service management via SC.EXE

      • sc.exe (PID: 2676)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3420)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4392)

    • There is functionality for taking screenshot (YARA)

      • Skype.exe (PID: 624)
      • Skype.exe (PID: 3988)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3420)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3420)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 3260)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Skype.exe (PID: 3988)

  • INFO

    • Reads the computer name

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 5712)
      • Skype.exe (PID: 624)
      • Skype.exe (PID: 3988)

    • Checks supported languages

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 5712)
      • Skype.exe (PID: 624)
      • Skype.exe (PID: 3988)
      • chcp.com (PID: 2216)
      • chcp.com (PID: 4516)
      • csc.exe (PID: 4392)
      • cvtres.exe (PID: 4548)

    • Create files in a temporary directory

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 624)
      • Skype.exe (PID: 3988)
      • Skype.exe (PID: 5712)
      • cvtres.exe (PID: 4548)
      • csc.exe (PID: 4392)

    • The sample compiled with english language support

      • Skype.exe (PID: 5532)
      • Skype.exe (PID: 624)

    • Creates files or folders in the user directory

      • Skype.exe (PID: 5712)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5748)
      • WMIC.exe (PID: 4520)
      • WMIC.exe (PID: 5576)
      • WMIC.exe (PID: 4628)
      • WMIC.exe (PID: 1616)
      • WMIC.exe (PID: 2160)

    • Process checks computer location settings

      • Skype.exe (PID: 5712)

    • Checks operating system version

      • Skype.exe (PID: 3988)
      • Skype.exe (PID: 5712)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3288)

    • Changes the display of characters in the console

      • cmd.exe (PID: 236)
      • cmd.exe (PID: 4764)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 2612)

    • Reads the time zone

      • net1.exe (PID: 4672)
      • net1.exe (PID: 3260)

    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 3640)

    • PyInstaller has been detected (YARA)

      • Skype.exe (PID: 624)
      • Skype.exe (PID: 3988)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 4392)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Skype.exe (PID: 3988)

    • Application based on Rust

      • Skype.exe (PID: 3988)

    • UPX packer has been detected

      • Skype.exe (PID: 3988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(3988) Skype.exe
Discord-Webhook-Tokens (1)1333690748830224434/c8Iy49h5sLgbe09C-cy_IJizL-fOJ3TAJr2gyYZTk1Lyy7mXNntG2hVODS3ufDFd9uCO
Discord-Info-Links
1333690748830224434/c8Iy49h5sLgbe09C-cy_IJizL-fOJ3TAJr2gyYZTk1Lyy7mXNntG2hVODS3ufDFd9uCO
Get Webhook Infohttps://discord.com/api/webhooks/1333690748830224434/c8Iy49h5sLgbe09C-cy_IJizL-fOJ3TAJr2gyYZTk1Lyy7mXNntG2hVODS3ufDFd9uCO
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:28 06:54:23+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 93696
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.746
ProductVersionNumber: 10.0.19041.746
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
216
Monitored processes
97
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start skype.exe skype.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs skype.exe #EXELASTEALER skype.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs mshta.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs chcp.com no specs chcp.com no specs powershell.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs systeminfo.exe no specs tiworker.exe no specs hostname.exe no specs wmic.exe no specs net.exe no specs net1.exe no specs query.exe no specs quser.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs wmic.exe no specs tasklist.exe no specs ipconfig.exe no specs route.exe no specs arp.exe no specs netstat.exe no specs sc.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
236cmd.exe /c chcpC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
440\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
520\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
624"C:\Users\admin\Desktop\Skype.exe" C:\Users\admin\Desktop\Skype.exeC:\Users\admin\Desktop\Skype.exe
Skype.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
628ipconfig /all C:\Windows\System32\ipconfig.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
628\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
644schtasks /query /TN "SkypeUpdateService"C:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
644C:\WINDOWS\system32\net1 user C:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
1224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1224C:\WINDOWS\system32\cmd.exe /c "cmd.exe /c chcp"C:\Windows\System32\cmd.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
27 555
Read events
27 548
Write events
7
Delete events
0

Modification events

(PID) Process:(3288) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3288) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3288) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5572) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31158616
(PID) Process:(5572) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
356082731
(PID) Process:(2744) ARP.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters
Operation:writeName:TrapPollTimeMilliSecs
Value:
15000
(PID) Process:(3288) NETSTAT.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters
Operation:writeName:TrapPollTimeMilliSecs
Value:
15000
Executable files
68
Suspicious files
35
Text files
40
Unknown types
0

Dropped files

PID
Process
Filename
Type
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_bz2.pydexecutable
MD5:80C69A1D87F0C82D6C4268E5A8213B78
SHA256:307359F1B2552B60839385EB63D74CBFE75CD5EFDB4E7CD0BB7D296FA67D8A87
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\VCRUNTIME140.dllexecutable
MD5:F12681A472B9DD04A812E16096514974
SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_multiprocessing.pydexecutable
MD5:849B4203C5F9092DB9022732D8247C97
SHA256:45BFBAB1D2373CF7A8AF19E5887579B8A306B3AD0C4F57E8F666339177F1F807
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_asyncio.pydexecutable
MD5:1B8CE772A230A5DA8CBDCCD8914080A5
SHA256:FA5A1E7031DE5849AB2AB5A177E366B41E1DF6BBD90C8D2418033A01C740771F
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_cffi_backend.cp311-win_amd64.pydexecutable
MD5:0F0F1C4E1D043F212B00473A81C012A3
SHA256:FDA255664CBF627CB6A9CD327DAF4E3EB06F4F0707ED2615E86E2E99B422AD0B
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_ctypes.pydexecutable
MD5:B4C41A4A46E1D08206C109CE547480C7
SHA256:9925AB71A4D74CE0CCC036034D422782395DD496472BD2D7B6D617F4D6DDC1F9
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_decimal.pydexecutable
MD5:E9501519A447B13DCCA19E09140C9E84
SHA256:6B5FE2DEA13B84E40B0278D1702AA29E9E2091F9DC09B64BBFF5FD419A604C3C
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_hashlib.pydexecutable
MD5:0629BDB5FF24CE5E88A2DDCEDE608AEE
SHA256:F404BB8371618BBD782201F092A3BCD7A96D3C143787EBEA1D8D86DED1F4B3B8
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_lzma.pydexecutable
MD5:BFCA96ED7647B31DD2919BEDEBB856B8
SHA256:032B1A139ADCFF84426B6E156F9987B501AD42ECFB18170B10FB54DA0157392E
5532Skype.exeC:\Users\admin\AppData\Local\Temp\_MEI55322\_socket.pydexecutable
MD5:04E7EB0B6861495233247AC5BB33A89A
SHA256:7EFE25284A4663DF9458603BF0988B0F47C7DCF56119E3E853E6BDA80831A383
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
26
DNS requests
12
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4536
svchost.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4536
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3988
Skype.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
shared
POST
404
162.159.128.233:443
https://discord.com/api/webhooks/1333690748830224434/c8Iy49h5sLgbe09C-cy_IJizL-fOJ3TAJr2gyYZTk1Lyy7mXNntG2hVODS3ufDFd9uCO
unknown
binary
45 b
whitelisted
GET
404
45.112.123.126:443
https://api.gofile.io/getServer
unknown
text
14 b
whitelisted
POST
404
162.159.128.233:443
https://discord.com/api/webhooks/1333690748830224434/c8Iy49h5sLgbe09C-cy_IJizL-fOJ3TAJr2gyYZTk1Lyy7mXNntG2hVODS3ufDFd9uCO
unknown
binary
45 b
whitelisted
POST
200
45.112.123.227:443
https://store1.gofile.io/uploadFile
unknown
binary
439 b
whitelisted
POST
404
162.159.137.232:443
https://discord.com/api/webhooks/1333690748830224434/c8Iy49h5sLgbe09C-cy_IJizL-fOJ3TAJr2gyYZTk1Lyy7mXNntG2hVODS3ufDFd9uCO
unknown
binary
45 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.21.65.153:443
www.bing.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4536
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4536
svchost.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4536
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.21.65.153
  • 2.21.65.132
  • 2.21.65.154
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
ip-api.com
  • 208.95.112.1
shared
discord.com
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.138.232
whitelisted
api.gofile.io
  • 51.91.7.6
  • 45.112.123.126
whitelisted
store1.gofile.io
  • 45.112.123.227
whitelisted
self.events.data.microsoft.com
  • 52.182.143.215
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3988
Skype.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3988
Skype.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
3988
Skype.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2192
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3988
Skype.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
2192
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3988
Skype.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Skype.exe