File name: .reg

Full analysis: https://app.any.run/tasks/6eb2cb57-c37f-4291-b3ae-aa9caa1ac5d5
Verdict: Malicious activity
Analysis date: June 10, 2024, 14:42:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-ms-regedit
File info: Windows Registry little-endian text (Win2K or above)
MD5: AEBE1A37963543D0DD6C18C80E1F71CE
SHA1: 251E755E01F61C3A7FBB6206B7526C6D6ECA3758
SHA256: FE65E8010B781422D858AB5D69B49534BEA8AA87CC343CC6C40901B11170A775
SSDEEP: 6:FaC+SkWCiiCRroZ6IJlUAG+DZvDllcHWn+Sk2k+Skwl5G4cjRmeaIN:FarhVZteAxDZvDEW+qE04Ax

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the Windows auto-update feature

      • regedit.exe (PID: 6548)
      • regedit.exe (PID: 6944)
    • Changes the autorun value in the registry

      • reg.exe (PID: 6368)
  • SUSPICIOUS

    • Uses REG/REGEDIT.EXE to modify registry

      • Skype.exe (PID: 7000)
    • Application launched itself

      • Skype.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • Skype.exe (PID: 7000)
      • TextInputHost.exe (PID: 6544)
    • Detected use of alternative data streams (AltDS)

      • Skype.exe (PID: 7000)
  • INFO

    • Manual execution by a user

      • regedit.exe (PID: 6944)
      • regedit.exe (PID: 6896)
      • Skype.exe (PID: 7000)
      • Taskmgr.exe (PID: 6904)
      • mspaint.exe (PID: 1012)
      • Taskmgr.exe (PID: 364)
    • Checks supported languages

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 7136)
      • Skype.exe (PID: 6264)
      • Skype.exe (PID: 6288)
      • Skype.exe (PID: 5752)
      • Skype.exe (PID: 4344)
      • Skype.exe (PID: 6840)
      • Skype.exe (PID: 3500)
      • Skype.exe (PID: 6864)
      • TextInputHost.exe (PID: 6544)
    • Creates files or folders in the user directory

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 5752)
      • Skype.exe (PID: 6288)
    • Reads Environment values

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 5752)
    • Reads the computer name

      • Skype.exe (PID: 7000)
      • Skype.exe (PID: 6264)
      • Skype.exe (PID: 6288)
      • Skype.exe (PID: 5752)
      • Skype.exe (PID: 6864)
      • TextInputHost.exe (PID: 6544)
      • Skype.exe (PID: 3500)
    • Reads CPU info

      • Skype.exe (PID: 7000)
    • Checks proxy server information

      • Skype.exe (PID: 7000)
    • Process checks computer location settings

      • Skype.exe (PID: 5752)
      • Skype.exe (PID: 4344)
      • Skype.exe (PID: 6840)
      • Skype.exe (PID: 7000)
    • Create files in a temporary directory

      • Skype.exe (PID: 7000)
    • Reads the software policy settings

      • Skype.exe (PID: 7000)
    • Reads the machine GUID from the registry

      • Skype.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 6904)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.reg | Windows Registry Data (Ver. 5.0 - UTF16) (96.9)
.txt | Text - UTF-16 (LE) encoded (2)
.mp3 | MP3 audio (1)
All screenshots are available in the full report
Total processes: 164
Monitored processes: 31
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process nodes in graph order ("no specs" is the report's own marker for a node without a detail entry): regedit.exe, regedit.exe (no specs), regedit.exe, skype.exe, skype.exe (no specs), skype.exe (no specs), skype.exe, reg.exe, conhost.exe (no specs), skype.exe (no specs), reg.exe (no specs), conhost.exe (no specs), skype.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), mspaint.exe (no specs), skype.exe (no specs), taskmgr.exe (no specs), taskmgr.exe, skype.exe (no specs), skype.exe (no specs), textinputhost.exe (no specs), regedit.exe (no specs)

Process information

Each entry below gives PID | CMD | Path | Parent process on its first line, then user, company, integrity level, description, exit code and version, then the loaded modules (images). The Indicators column of the original table is empty in this extract.
PID 364 | CMD: "C:\WINDOWS\system32\taskmgr.exe" /4 | Path: C:\Windows\System32\Taskmgr.exe | Parent: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Task Manager | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | Version: 10.0.19041.3636 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
PID 1012 | CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\chapteroutside.png" | Path: C:\Windows\System32\mspaint.exe | Parent: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Paint | Exit code: 0 | Version: 10.0.19041.3758 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 2764 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: reg.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3500 | CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2400 --field-trial-handle=2128,i,14685141575143512965,5819081520253026996,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 | Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe | Parent: Skype.exe
User: admin | Company: Skype Technologies S.A. | Integrity level: MEDIUM | Description: Skype | Exit code: 0 | Version: 8.104.0.207
Loaded modules (images):
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID 3652 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: reg.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3712 | CMD: C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId | Path: C:\Windows\SysWOW64\reg.exe | Parent: Skype.exe
(The command line names system32 but the image ran from SysWOW64: Skype is a 32-bit process, so WOW64 file-system redirection resolved the path. The query itself reads the user's default handler for microsoft-edge: URLs.)
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Registry Console Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 4264 | CMD: C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId | Path: C:\Windows\SysWOW64\reg.exe | Parent: Skype.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Registry Console Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 4344 | CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3548 --field-trial-handle=2128,i,14685141575143512965,5819081520253026996,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 | Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe | Parent: Skype.exe
(Note the --no-sandbox flag: this Electron renderer runs without the Chromium renderer sandbox, so any renderer-side compromise is not contained by it.)
User: admin | Company: Skype Technologies S.A. | Integrity level: MEDIUM | Description: Skype | Exit code: 0 | Version: 8.104.0.207
Loaded modules (images):
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID 4960 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: reg.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5752 | CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2928 --field-trial-handle=2128,i,14685141575143512965,5819081520253026996,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --skype-process-type=Main --skype-window-id=__MAIN_ROOT_VIEW_ID__ /prefetch:1 | Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe | Parent: Skype.exe
User: admin | Company: Skype Technologies S.A. | Integrity level: MEDIUM | Description: Skype | Exit code: 1 | Version: 8.104.0.207
Loaded modules (images):
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events
13 083
Read events
13 023
Write events
36
Delete events
24

Modification events

PID 6548 regedit.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | Operation: write | Name: NoAutoRebootWithLoggedOnUsers | Value: 0
PID 6944 regedit.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | Operation: write | Name: NoAutoRebootWithLoggedOnUsers | Value: 0
PID 6368 reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: Skype for Desktop | Value: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
PID 7000 Skype.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries | Operation: delete value | Name: en-US
PID 7000 Skype.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries | Operation: delete value | Name: en
PID 7000 Skype.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries | Operation: delete value | Name: _Global_
PID 1012 mspaint.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View | Operation: write | Name: WindowPlacement | Value: 2C00000000000000010000000000000000000000FFFFFFFFFFFFFFFF7F000000470000007F04000087020000
PID 1012 mspaint.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View | Operation: write | Name: ShowThumbnail | Value: 0
PID 1012 mspaint.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View | Operation: write | Name: BMPWidth | Value: 0
PID 1012 mspaint.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View | Operation: write | Name: BMPHeight | Value: 0
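Both "malicious" signatures in this report reduce to registry writes. The .reg import (regedit.exe, PIDs 6548 and 6944) sets NoAutoRebootWithLoggedOnUsers to 0 under the WindowsUpdate\AU policy key, which leaves Windows Update free to restart the machine while users are logged on (the behaviour when the policy is unset), and reg.exe (PID 6368; the report attributes the REG.EXE use to Skype.exe PID 7000) adds the Skype binary to the HKCU Run key, which is the value a Skype for Desktop install writes to start at logon. Because the submitted file is a UTF-16LE "Windows Registry Editor Version 5.00" export (see the MIME type and TRiD results above), the same findings can be reached statically, without importing the file into a VM. The parser and watchlist triage below is an added example written for this page, not ANY.RUN tooling. Its sample .reg text is constructed: it mirrors the two writes recorded above and adds a hex(2) value with a line continuation and a key deletion to exercise the format; it is not the analysed file's actual content. The WATCHLIST substrings and the signature labels are this example's assumptions, chosen to match the report's wording.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (NOT the analysed file): reproduces the WindowsUpdate\AU
# policy write and the Run-key entry from the report, plus a hex(2) value with
# a continuation line and a [-Key] deletion. Regedit 5.00 exports are UTF-16LE
# with a BOM, which is what TRiD identified for this sample.
SAMPLE_REG = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU]\r\n"
    '"NoAutoRebootWithLoggedOnUsers"=dword:00000000\r\n\r\n'
    "[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"Skype for Desktop"="C:\\\\Program Files (x86)\\\\Microsoft\\\\Skype for Desktop\\\\Skype.exe"\r\n\r\n'
    "[HKEY_CURRENT_USER\\Environment]\r\n"
    '"TMP"=hex(2):43,00,3a,00,5c,00,\\\r\n'
    "  00,00\r\n\r\n"
    "[-HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Spelling\\Dictionaries]\r\n"
).encode("utf-16-le")

# Lower-cased key substrings worth a look, labelled with the report's own
# signature wording. The list is an assumption of this example.
WATCHLIST = [
    ("\\policies\\microsoft\\windows\\windowsupdate", "Changes the Windows auto-update feature"),
    ("\\currentversion\\run", "Changes the autorun value in the registry"),
    ("\\image file execution options", "Sets an IFEO debugger or silent-exit hook"),
    ("\\policies\\system", "Changes a system security policy (UAC/logon)"),
]


@dataclass
class RegChange:
    key: str
    name: Optional[str]   # None for a key-level operation
    op: str               # delete_key, set, delete_value
    value: Optional[str]


def decode_reg(data: bytes) -> str:
    """Regedit 5.00 files are UTF-16LE with BOM; legacy REGEDIT4 files are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("latin-1")


def decode_data(data: str) -> str:
    """Render the right-hand side of a "Name"=data line as a printable value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    m = re.match(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", data)
    if m:
        kind = m.group(1) or "3"          # bare hex: is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in ("2", "7"):            # REG_EXPAND_SZ / REG_MULTI_SZ hold UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00").replace("\x00", "|")
        return raw.hex()
    return data


def parse_reg(text: str) -> list[RegChange]:
    # Re-join hex data wrapped across lines (a trailing backslash continues the line).
    logical, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical.append(line)
        pending = ""
    changes, key = [], None
    value_re = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
    for line in logical:
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):      # [-Key] deletes the whole key
                changes.append(RegChange(body[1:], None, "delete_key", None))
                key = None
            else:
                key = body                # subsequent value lines belong to this key
            continue
        m = value_re.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2).replace("\\\\", "\\").replace('\\"', '"')
        if m.group(3) == "-":             # "Name"=- deletes a single value
            changes.append(RegChange(key, name, "delete_value", None))
        else:
            changes.append(RegChange(key, name, "set", decode_data(m.group(3))))
    return changes


def triage_reg(data: bytes) -> list[tuple[str, str, str]]:
    """Return (signature, key, value name) for every change under a watched key."""
    hits = []
    for c in parse_reg(decode_reg(data)):
        for needle, label in WATCHLIST:
            if needle in c.key.lower():
                hits.append((label, c.key, c.name or "(whole key)"))
    return hits
```

Running triage_reg(SAMPLE_REG) yields exactly the two signatures the sandbox raised, with the key and value name behind each; the Environment write and the Spelling\Dictionaries deletion parse but are not flagged. The decoder handles the data types regedit exports (quoted strings with escaped backslashes, dword, and hex/hex(N) with continuation lines) so the values can be read as the registry would store them rather than as raw byte lists.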
Executable files: 0
Suspicious files: 40
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type (hashes on the following line)
7000 | Skype.exe | C:\USERS\ADMIN\APPDATA\ROAMING\MICROSOFT\SPELLING\EN-US\DEFAULT.DIC | text
MD5: F3B25701FE362EC84616A93A45CE9998 | SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
7000 | Skype.exe | C:\USERS\ADMIN\APPDATA\ROAMING\MICROSOFT\SKYPE FOR DESKTOP\SETTINGS.JSON | binary
MD5: 95D3A9F5B2C5989A3E6A174FB3E21820 | SHA256: 5961A7DCBB98937F89DA58A47266F3E90DF340B8D255050312EB98356A006E70
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old | text
MD5: D9CF6AAE805A20C96EF6414D030D6CE8 | SHA256: 6AFE86308EA331969317D933883AAB0D08EF96B7F14F54E45C0145D4D757DCD5
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Code Cache\js\index-dir\the-real-index | binary
MD5: 6D5E0C05361FA580D592F4A56D56D29B | SHA256: E4140C7ED0F2ADFE0FFD5F6C758CE9BA6AECD4BC1ABFE035C293FAB398DF245E
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Local Storage\leveldb\CURRENT | text
MD5: 46295CAC801E5D4857D09837238A6394 | SHA256: 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Code Cache\wasm\index | binary
MD5: 54CB446F628B2EA4A5BCE5769910512E | SHA256: FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Code Cache\wasm\index-dir\temp-index | binary
MD5: 6D5E0C05361FA580D592F4A56D56D29B | SHA256: E4140C7ED0F2ADFE0FFD5F6C758CE9BA6AECD4BC1ABFE035C293FAB398DF245E
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Code Cache\js\index-dir\temp-index | binary
MD5: 6D5E0C05361FA580D592F4A56D56D29B | SHA256: E4140C7ED0F2ADFE0FFD5F6C758CE9BA6AECD4BC1ABFE035C293FAB398DF245E
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Code Cache\wasm\index-dir\the-real-index | binary
MD5: 6D5E0C05361FA580D592F4A56D56D29B | SHA256: E4140C7ED0F2ADFE0FFD5F6C758CE9BA6AECD4BC1ABFE035C293FAB398DF245E
7000 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\9216c76f-cd17-413a-97da-dd0b75bcfeb2\Local Storage\leveldb\000001.dbtmp | text
MD5: 46295CAC801E5D4857D09837238A6394 | SHA256: 0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 49
DNS requests: 15
Threats: 11

HTTP requests

Columns: Method | HTTP code | IP:port | URL | trailing columns (CN, Type, Size, Reputation) as extracted, with empty columns omitted. The PID and Process columns are empty in this extract, and only 10 of the 15 counted requests are listed.
GET | - | 40.126.32.138:443 | https://login.live.com/oauth20_authorize.srf?app_version=8.104.0.207&client_flight=ReservedFlight33,suhs&client_id=00000000480BC46C&cobrandid=6e63daac-8dfe-43f6-b70e-deacb69a89d6&display=touch&fl=phone2&lw=1&mkt=en-US&nopa=2&psi=skype&uaid=14ab70d7ebc745ce994ffd209083668b&coa=1&scope=service::lw.skype.com::MBI_SSL&response_type=token&redirect_uri=https%3A%2F%2Flogin.live.com%2Foauth20_desktop.srf | unknown
GET | - | 2.19.176.88:443 | https://r.bing.com/rb/1a/cir3,ortl,cc,nc/oT6Um3bDKq3bSDJ4e0e-YJ5MXCI.css?bu=B68CP54ChwFZWbkC&or=w | unknown
POST | 200 | 2.19.176.88:443 | https://gateway.bingviz.microsoftapp.net/receive?app=skype | unknown
POST | 200 | 23.216.155.146:443 | https://gateway.bingviz.microsoftapp.net/receive?app=skype | unknown | binary | 15 b
POST | 200 | 23.216.155.146:443 | https://gateway.bingviz.microsoftapp.net/receive?app=skype | unknown | binary | 15 b
POST | 200 | 23.216.155.145:443 | https://gateway.bingviz.microsoftapp.net/receive?app=skype | unknown | binary | 15 b
GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Skype/1433_8.104.0.207?OSVer=10.0.19045&ClientID=868d4f0bb29b967461d2a3581a095530&Manufacturer=19.1.8&Model=Electron-ia32&Language=en&Locale=en-US | unknown | jspf | 169 Kb
POST | 200 | 23.216.155.168:443 | https://gateway.bingviz.microsoftapp.net/receive?app=skype | unknown | 15 b
POST | 204 | 23.216.155.162:443 | https://www.bing.com/threshold/xls.aspx | unknown
POST | 200 | 52.168.117.175:443 | https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-JS-1.8.3&x-apikey=412067e7f99b4d5485bd95f98e2bdbfe-5b5e945b-a981-4c87-963f-cd6fe0410029-7280&client-time-epoch-millis=1718030614439&time-delta-to-apply-millis=use-collector-delta | unknown

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5448 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5576 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 (NetBIOS datagram service, subnet broadcast) | - | - | - | whitelisted
5456 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 (NetBIOS name service, subnet broadcast) | - | - | - | whitelisted
7000 | Skype.exe | 52.113.194.133:443 | get.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
7000 | Skype.exe | 13.107.42.16:443 | a.config.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7000 | Skype.exe | 20.42.73.25:443 | pipe.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
pipe.skype.com
  • 20.42.73.25
  • 20.50.73.10
whitelisted
b.config.skype.com
  • 13.107.42.16
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
gateway.bingviz.microsoftapp.net
  • 13.107.246.67
unknown
login.live.com
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.74
  • 40.126.32.140
  • 40.126.32.138
whitelisted
browser.pipe.aria.microsoft.com
  • 13.89.179.13
whitelisted
self.events.data.microsoft.com
  • 104.46.162.226
whitelisted

Threats

PID | Process | Class | Message (the PID and Process columns are empty in this extract)
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
- | - | Potential Corporate Privacy Violation | ET CHAT Skype User-Agent detected
No debug info