File name: | FT30-03-2020-V1-202072995.xls |
Full analysis: | https://app.any.run/tasks/5dd8a92b-468c-4aaa-a83d-b32bc3564299 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 09:05:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Feb 29 08:17:24 2020, Last Saved Time/Date: Sat Feb 29 08:18:02 2020, Security: 0 |
MD5: | AD7677318E9FF63FA0ACE3AB445D036F |
SHA1: | F8705B9F5FA84A9DF85320680B1430329664EABC |
SHA256: | F424B6EB3B855C89E4D2329115E1C43B8DA179D40750B7AEE1D192D700610331 |
SSDEEP: | 768:+hY+aZoMlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0L0QC5MC8F0K2YWdI:+hY+olYkEIbSkKBEqEXPgsRZmbaoFhZx |
.xls | | | Microsoft Excel sheet (78.9) |
---|
Author: | - |
---|---|
LastModifiedBy: | - |
Software: | Microsoft Excel |
CreateDate: | 2020:03:31 08:17:24 |
ModifyDate: | 2020:03:31 08:18:02 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | Foglio1 |
HeadingPairs: |
|
CompObjUserTypeLen: | 42 |
CompObjUserType: | (Foglio di lavoro di Microsoft Excel 2003 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3924 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1256 | powershell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2272 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | explorer.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
1748 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
2784 | C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f | C:\Windows\system32\reg.exe | Skype.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2572 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=6A85E36AB650EF5AE6D018B66E74A84F --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=6A85E36AB650EF5AE6D018B66E74A84F --renderer-client-id=3 --mojo-platform-channel-handle=1580 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.29.0.50 | ||||
1500 | C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate | C:\Windows\system32\reg.exe | — | Skype.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3724 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 2 Version: 8.29.0.50 | ||||
256 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=97C6C9917AA2DDAFEC1B6E68EBF23EA3 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=1 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=97C6C9917AA2DDAFEC1B6E68EBF23EA3 --renderer-client-id=4 --mojo-platform-channel-handle=2616 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
3684 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 2 Version: 8.29.0.50 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6AC8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G97JH8RI4WEX4Q801THL.temp | — | |
MD5:— | SHA256:— | |||
2272 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUYCKUWM9QZUZBCEDAZQ.temp | — | |
MD5:— | SHA256:— | |||
2272 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old | — | |
MD5:— | SHA256:— | |||
2572 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-2498499189.blog | — | |
MD5:— | SHA256:— | |||
3924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF8CA48E1C7BF8931A.TMP | — | |
MD5:— | SHA256:— | |||
1256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa6749c.TMP | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
1256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
3924 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:D50A6E4D4E5319FEEE03A71B3DB7B048 | SHA256:D740DB31C007D2E2758B697C212853D5B4E8C77DA5CC56CF130522B7D3494518 | |||
3924 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | |
MD5:7E3D75CB2153496CB53723657830C30B | SHA256:AC7CAD6738FEBEDDBC552E512D5D415F31C58ABE9E63B205C348B430E90A4421 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2272 | Skype.exe | 13.107.3.128:443 | a.config.skype.com | Microsoft Corporation | US | whitelisted |
2272 | Skype.exe | 216.58.210.10:443 | www.googleapis.com | Google Inc. | US | whitelisted |
2272 | Skype.exe | 13.90.95.57:443 | get.skype.com | Microsoft Corporation | US | whitelisted |
2272 | Skype.exe | 152.199.19.160:443 | bot-framework.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2272 | Skype.exe | 95.101.184.179:443 | download.skype.com | CW Vodafone Group PLC | — | unknown |
2272 | Skype.exe | 52.114.88.28:443 | browser.pipe.aria.microsoft.com | Microsoft Corporation | GB | unknown |
2272 | Skype.exe | 13.68.117.223:443 | avatar.skype.com | Microsoft Corporation | US | whitelisted |
2272 | Skype.exe | 52.114.132.23:443 | pipe.skype.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
get.skype.com |
| whitelisted |
a.config.skype.com |
| whitelisted |
pipe.skype.com |
| whitelisted |
download.skype.com |
| whitelisted |
www.googleapis.com |
| whitelisted |
avatar.skype.com |
| whitelisted |
bot-framework.azureedge.net |
| whitelisted |
config.edge.skype.com |
| whitelisted |
browser.pipe.aria.microsoft.com |
| whitelisted |
Process | Message |
---|---|
powershell.exe |
*** Status propagated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
|
powershell.exe |
*** Status propagated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
|
powershell.exe |
*** Status propagated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.Ē |
powershell.exe |
*** Status propagated: -1073741811
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
|
Skype.exe | [3724:3248:0331/100600.653:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [3724:3248:0331/100600.654:VERBOSE1:crash_service.cc(145)] window handle is 000501B8
|
Skype.exe | [3724:3248:0331/100600.654:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [3724:3248:0331/100600.654:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [3724:3248:0331/100600.654:ERROR:crash_service.cc(311)] could not start dumper
|
Skype.exe | [3684:3756:0331/100604.118:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|