File name: .reg
Full analysis: https://app.any.run/tasks/6eb2cb57-c37f-4291-b3ae-aa9caa1ac5d5
Verdict: Malicious activity
Analysis date: June 10, 2024, 14:42:15
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: text/x-ms-regedit
File info: Windows Registry little-endian text (Win2K or above)
MD5: AEBE1A37963543D0DD6C18C80E1F71CE
SHA1: 251E755E01F61C3A7FBB6206B7526C6D6ECA3758
SHA256: FE65E8010B781422D858AB5D69B49534BEA8AA87CC343CC6C40901B11170A775
SSDEEP: 6:FaC+SkWCiiCRroZ6IJlUAG+DZvDllcHWn+Sk2k+Skwl5G4cjRmeaIN:FarhVZteAxDZvDEW+qE04Ax

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the Windows auto-update feature

      • regedit.exe (PID: 6548)
      • regedit.exe (PID: 6944)
    • Changes the autorun value in the registry

      • reg.exe (PID: 6368)
  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 7000)
    • Uses REG/REGEDIT.EXE to modify registry

      • Skype.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • Skype.exe (PID: 7000)
      • TextInputHost.exe (PID: 6544)
    • Detected use of alternative data streams (AltDS)

      • Skype.exe (PID: 7000)
  • INFO

    • Manual execution by a user

      • Skype.exe (PID: 7000)
      • regedit.exe (PID: 6944)
      • regedit.exe (PID: 6896)
      • Taskmgr.exe (PID: 364)
      • Taskmgr.exe (PID: 6904)
      • mspaint.exe (PID: 1012)
    • Checks supported languages

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 7136)
      • Skype.exe (PID: 6264)
      • Skype.exe (PID: 4344)
      • Skype.exe (PID: 6840)
      • Skype.exe (PID: 6864)
      • Skype.exe (PID: 3500)
      • TextInputHost.exe (PID: 6544)
      • Skype.exe (PID: 6288)
      • Skype.exe (PID: 5752)
    • Reads Environment values

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 5752)
    • Reads CPU info

      • Skype.exe (PID: 7000)
    • Creates files or folders in the user directory

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 6288)
      • Skype.exe (PID: 5752)
    • Reads the computer name

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 5752)
      • Skype.exe (PID: 6864)
      • Skype.exe (PID: 3500)
      • TextInputHost.exe (PID: 6544)
      • Skype.exe (PID: 6264)
      • Skype.exe (PID: 6288)
    • Checks proxy server information

      • Skype.exe (PID: 7000)
    • Process checks computer location settings

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 5752)
      • Skype.exe (PID: 4344)
      • Skype.exe (PID: 6840)
    • Create files in a temporary directory

      • Skype.exe (PID: 7000)
    • Reads the software policy settings

      • Skype.exe (PID: 7000)
    • Reads the machine GUID from the registry

      • Skype.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 6904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.reg | Windows Registry Data (Ver. 5.0 - UTF16) (96.9)
.txt | Text - UTF-16 (LE) encoded (2)
.mp3 | MP3 audio (1)
No data.
All screenshots are available in the full report
Total processes: 164
Monitored processes: 31
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start regedit.exe regedit.exe no specs regedit.exe skype.exe skype.exe no specs skype.exe no specs skype.exe reg.exe conhost.exe no specs skype.exe no specs reg.exe no specs conhost.exe no specs skype.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs mspaint.exe no specs skype.exe no specs taskmgr.exe no specs taskmgr.exe skype.exe no specs skype.exe no specs textinputhost.exe no specs regedit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 364
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Manager
Exit code: 3221226540
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
PID: 1012
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\chapteroutside.png"
Path: C:\Windows\System32\mspaint.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Paint
Exit code: 0
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2764
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3500
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2400 --field-trial-handle=2128,i,14685141575143512965,5819081520253026996,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 3652
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3712
CMD: C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
Path: C:\Windows\SysWOW64\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4264
CMD: C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
Path: C:\Windows\SysWOW64\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4344
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3548 --field-trial-handle=2128,i,14685141575143512965,5819081520253026996,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 4960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5752
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2928 --field-trial-handle=2128,i,14685141575143512965,5819081520253026996,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --skype-process-type=Main --skype-window-id=__MAIN_ROOT_VIEW_ID__ /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 1
Version: 8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events: 13 083
Read events: 13 023
Write events: 36
Delete events: 24

Modification events

(PID) Process: (6548) regedit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: NoAutoRebootWithLoggedOnUsers
Value: 0

(PID) Process: (6944) regedit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: NoAutoRebootWithLoggedOnUsers
Value: 0

(PID) Process: (6368) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Skype for Desktop
Value: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

(PID) Process: (7000) Skype.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: en-US
Value:

(PID) Process: (7000) Skype.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: en
Value:

(PID) Process: (7000) Skype.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries
Operation: delete value
Name: _Global_
Value:

(PID) Process: (1012) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: WindowPlacement
Value: 2C00000000000000010000000000000000000000FFFFFFFFFFFFFFFF7F000000470000007F04000087020000

(PID) Process: (1012) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: ShowThumbnail
Value: 0

(PID) Process: (1012) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: BMPWidth
Value: 0

(PID) Process: (1012) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: BMPHeight
Value: 0
Executable files: 0
Suspicious files: 40
Text files: 11
Unknown types: 0

Dropped files

PID
Process
Filename
Type
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | binary
MD5: D6A6E05DE699D0435378CDE55F60C43A
SHA256: 7B7D338D14505C1BFE82C07EE0EDE061D31E6415EB7CFF4C84E70BC98C3C0C9F

7000 | Skype.exe | C:\USERS\ADMIN\APPDATA\ROAMING\MICROSOFT\SKYPE FOR DESKTOP\CRASHPAD\SETTINGS.DAT | binary
MD5: 9D0439A794AA96ABD6AFF504C86C7F31
SHA256: 5DBC3A5DAF431973E245D83AB51B128E9C4CC2F3ECD61C45C88DB161ACC25B7B

7000 | Skype.exe | C:\USERS\ADMIN\APPDATA\ROAMING\MICROSOFT\SPELLING\EN-US\DEFAULT.EXC | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old | text
MD5: D9CF6AAE805A20C96EF6414D030D6CE8
SHA256: 6AFE86308EA331969317D933883AAB0D08EF96B7F14F54E45C0145D4D757DCD5

5752 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.conf | binary
MD5: 99914B932BD37A50B983C5E7C90AE93B
SHA256: 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A

7000 | Skype.exe | C:\USERS\ADMIN\APPDATA\ROAMING\MICROSOFT\SPELLING\EN-US\DEFAULT.DIC | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

7000 | Skype.exe | C:\USERS\ADMIN\APPDATA\ROAMING\MICROSOFT\SPELLING\EN-US\DEFAULT.ACL | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

7000 | Skype.exe | C:\USERS\ADMIN\APPDATA\ROAMING\MICROSOFT\SKYPE FOR DESKTOP\SETTINGS.JSON | binary
MD5: 95D3A9F5B2C5989A3E6A174FB3E21820
SHA256: 5961A7DCBB98937F89DA58A47266F3E90DF340B8D255050312EB98356A006E70

7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Local Storage\leveldb\MANIFEST-000001 | binary
MD5: 5AF87DFD673BA2115E2FCF5CFDB727AB
SHA256: F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4

7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Local Storage\leveldb\000001.dbtmp | text
MD5: 46295CAC801E5D4857D09837238A6394
SHA256: 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 49
DNS requests: 15
Threats: 11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
40.126.32.138:443
https://login.live.com/oauth20_authorize.srf?app_version=8.104.0.207&client_flight=ReservedFlight33,suhs&client_id=00000000480BC46C&cobrandid=6e63daac-8dfe-43f6-b70e-deacb69a89d6&display=touch&fl=phone2&lw=1&mkt=en-US&nopa=2&psi=skype&uaid=14ab70d7ebc745ce994ffd209083668b&coa=1&scope=service::lw.skype.com::MBI_SSL&response_type=token&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf
unknown
unknown
GET
2.19.176.88:443
https://r.bing.com/rb/1a/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B68CP54ChwFZWbkC&or=w
unknown
unknown
POST
200
2.19.176.88:443
https://gateway.bingviz.microsoftapp.net/receive?app=skype
unknown
unknown
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/Skype/1433_8.104.0.207?OSVer=10.0.19045&ClientID=868d4f0bb29b967461d2a3581a095530&Manufacturer=19.1.8&Model=Electron-ia32&Language=en&Locale=en-US
unknown
jspf
169 Kb
unknown
POST
200
23.216.155.168:443
https://gateway.bingviz.microsoftapp.net/receive?app=skype
unknown
15 b
unknown
POST
204
23.216.155.162:443
https://www.bing.com/threshold/xls.aspx
unknown
unknown
POST
200
52.168.117.175:443
https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-JS-1.8.3&x-apikey=412067e7f99b4d5485bd95f98e2bdbfe-5b5e945b-a981-4c87-963f-cd6fe0410029-7280&client-time-epoch-millis=1718030614439&time-delta-to-apply-millis=use-collector-delta
unknown
unknown
POST
200
23.216.155.146:443
https://gateway.bingviz.microsoftapp.net/receive?app=skype
unknown
binary
15 b
unknown
POST
200
23.216.155.146:443
https://gateway.bingviz.microsoftapp.net/receive?app=skype
unknown
binary
15 b
unknown
POST
200
23.216.155.145:443
https://gateway.bingviz.microsoftapp.net/receive?app=skype
unknown
binary
15 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5448
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5576
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5456
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7000
Skype.exe
52.113.194.133:443
get.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
7000
Skype.exe
13.107.42.16:443
a.config.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7000
Skype.exe
20.42.73.25:443
pipe.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
pipe.skype.com
  • 20.42.73.25
  • 20.50.73.10
whitelisted
b.config.skype.com
  • 13.107.42.16
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
gateway.bingviz.microsoftapp.net
  • 13.107.246.67
unknown
login.live.com
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.74
  • 40.126.32.140
  • 40.126.32.138
whitelisted
browser.pipe.aria.microsoft.com
  • 13.89.179.13
whitelisted
self.events.data.microsoft.com
  • 104.46.162.226
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
Potential Corporate Privacy Violation
ET CHAT Skype User-Agent detected
No debug info