masslogger | 37e17b0957c9b4b93bb5e72fa3a91ddd36524f1dd1d21b04dbc564649078bc79

Analysis

max time kernel
955s
max time network
961s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2022 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skype.exe
Size

66.8MB
MD5

c098d8d920dafe67045eb2dfbc366ed0
SHA1

1f577c4495b36350f2c69639d652f991e752b912
SHA256

37e17b0957c9b4b93bb5e72fa3a91ddd36524f1dd1d21b04dbc564649078bc79
SHA512

2789c1fdc40123a0de3b3109078b2ba3c69943c6732322fc62382e6a022b0dbbc269b139b752f37072514fb8e857f6338945fe581fc8220087d8dee96a7dbb8a

Score

10^/10

masslogger discovery persistence spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

Vidar log file 1 IoCs

Detects a log file produced by Vidar.

resource	yara_rule
behavioral2/files/0x0006000000022eb9-168.dat	vidar_log_file

Executes dropped EXE 28 IoCs

pid	Process
4892	Skype.tmp
2676	downloader.exe
5056	fe0cfee13347c6b80085.exe
1184	fe0cfee13347c6b80085.tmp
2148	Skype.exe
4300	Skype.exe
1680	Skype.exe
4684	Skype.exe
920	Skype.exe
2580	Skype.exe
2660	Skype.exe
1816	Skype.exe
3444	Skype.exe
2160	Skype.exe
2232	Skype.exe
1876	Skype.exe
2560	Skype.exe
4292	Skype.exe
2468	Skype.exe
4836	Skype.exe
3388	Skype.exe
2904	Skype.exe
3872	Skype.exe
1992	Skype.exe
4888	Skype.exe
4712	Skype.exe
4844	Skype.exe
4868	Skype.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Skype.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fe0cfee13347c6b80085.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Skype.exe

Loads dropped DLL 52 IoCs

pid	Process
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
4300	Skype.exe
1680	Skype.exe
4684	Skype.exe
1680	Skype.exe
1680	Skype.exe
1680	Skype.exe
920	Skype.exe
4684	Skype.exe
4684	Skype.exe
2580	Skype.exe
2660	Skype.exe
4684	Skype.exe
4684	Skype.exe
2148	Skype.exe
2148	Skype.exe
1816	Skype.exe
3444	Skype.exe
2160	Skype.exe
2232	Skype.exe
1876	Skype.exe
2560	Skype.exe
4292	Skype.exe
2468	Skype.exe
2468	Skype.exe
2468	Skype.exe
2468	Skype.exe
2468	Skype.exe
4836	Skype.exe
3388	Skype.exe
3388	Skype.exe
3388	Skype.exe
3388	Skype.exe
2904	Skype.exe
2904	Skype.exe
2904	Skype.exe
2904	Skype.exe
2904	Skype.exe
3872	Skype.exe
4888	Skype.exe
4712	Skype.exe
4844	Skype.exe
4868	Skype.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype for Desktop = "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe"	reg.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast\Version	Skype.tmp
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVG\AV\Dir	Skype.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-UR3TF.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-TP7LN.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\is-EMU82.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-runtime-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-VIRM6.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-FF74K.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keyboard-layout\build\Release\is-65VDE.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\skype-location\lib\ia32\is-2MRJI.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\is-I9TUE.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\unins000.dat	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-conio-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-9KB47.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-L7NSM.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-MP207.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-MGKL8.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-OBM21.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-I5QHK.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\is-KG0DI.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-M6ML2.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-22VR8.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-OB9JC.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-I5RBG.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-errorhandling-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-2M3H0.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-IL62M.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-TJAOI.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-FI5FF.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-PRQ5H.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-profile-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-util-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-multibyte-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-SUOF7.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-B6EG8.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-SVCIU.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-JJ6E1.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-6O79A.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-processenvironment-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-5H23L.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-heap-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-4B5IU.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-4A1VK.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\is-LCKSK.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\swiftshader\is-U4FIH.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-datetime-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-2-0.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-39H9K.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-RMUC2.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-25SJU.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\sqlite3\lib\binding\is-M170N.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-string-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-processthreads-l1-1-1.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-9J703.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-GN1AO.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-LTDA6.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-TSQOQ.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-TN95V.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l2-1-0.dll	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\msvcp140.dll	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-JMCF5.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\@felixrieseberg\spellchecker\build\Release\is-G8Q3Q.tmp	fe0cfee13347c6b80085.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\is-SDBNI.tmp	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-processthreads-l1-1-0.dll	fe0cfee13347c6b80085.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmMediaManager.dll	fe0cfee13347c6b80085.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Skype.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3084	taskkill.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\skype\shell\open\command	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\skype\shell	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\skype\shell\open	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\skype\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe\" -- \"%1\""	Skype.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\skype	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\skype\URL Protocol	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\skype\ = "URL:skype"	Skype.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1896	reg.exe
3892	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4892	Skype.tmp
4892	Skype.tmp
1184	fe0cfee13347c6b80085.tmp
1184	fe0cfee13347c6b80085.tmp

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	taskkill.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	4320	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe
Token: SeDebugPrivilege	2644	whoami.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
4892	Skype.tmp
1184	fe0cfee13347c6b80085.tmp
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe
2148	Skype.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4892	3472	Skype.exe	81
PID 3472 wrote to memory of 4892	3472	Skype.exe	81
PID 3472 wrote to memory of 4892	3472	Skype.exe	81
PID 4892 wrote to memory of 2676	4892	Skype.tmp	86
PID 4892 wrote to memory of 2676	4892	Skype.tmp	86
PID 4892 wrote to memory of 2676	4892	Skype.tmp	86
PID 4892 wrote to memory of 5056	4892	Skype.tmp	87
PID 4892 wrote to memory of 5056	4892	Skype.tmp	87
PID 4892 wrote to memory of 5056	4892	Skype.tmp	87
PID 5056 wrote to memory of 1184	5056	fe0cfee13347c6b80085.exe	88
PID 5056 wrote to memory of 1184	5056	fe0cfee13347c6b80085.exe	88
PID 5056 wrote to memory of 1184	5056	fe0cfee13347c6b80085.exe	88
PID 1184 wrote to memory of 3084	1184	fe0cfee13347c6b80085.tmp	90
PID 1184 wrote to memory of 3084	1184	fe0cfee13347c6b80085.tmp	90
PID 1184 wrote to memory of 3084	1184	fe0cfee13347c6b80085.tmp	90
PID 1184 wrote to memory of 2148	1184	fe0cfee13347c6b80085.tmp	92
PID 1184 wrote to memory of 2148	1184	fe0cfee13347c6b80085.tmp	92
PID 1184 wrote to memory of 2148	1184	fe0cfee13347c6b80085.tmp	92
PID 2148 wrote to memory of 4300	2148	Skype.exe	93
PID 2148 wrote to memory of 4300	2148	Skype.exe	93
PID 2148 wrote to memory of 4300	2148	Skype.exe	93
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94
PID 2148 wrote to memory of 1680	2148	Skype.exe	94

C:\Users\Admin\AppData\Local\Temp\Skype.exe
"C:\Users\Admin\AppData\Local\Temp\Skype.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\is-LI94F.tmp\Skype.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LI94F.tmp\Skype.tmp" /SL5="$B006E,69621230,488960,C:\Users\Admin\AppData\Local\Temp\Skype.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\downloader.exe" --partner 7983 --noaction 1
    3⤵
    - Executes dropped EXE
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\fe0cfee13347c6b80085.exe
    "C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\fe0cfee13347c6b80085.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\is-NKQV8.tmp\fe0cfee13347c6b80085.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NKQV8.tmp\fe0cfee13347c6b80085.tmp" /SL5="$4002A,67984506,404480,C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\fe0cfee13347c6b80085.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
    - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\Admin\AppData\Local\Temp\skype-preview Crashes" --v=1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4300
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17616694027333467631 --mojo-platform-channel-handle=2268 --ignored=" --type=renderer " /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1680
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1896
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --service-pipe-token=15363421515570890604 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --webview-tag --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --background-color=#fff --node-integration-in-subframes --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=15363421515570890604 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1 --skype-process-type=Main
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        
        PID:4684
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
        6⤵
        Modifies registry key
        
        PID:3892
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\Admin\AppData\Local\Temp\skype-preview Crashes" --v=1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:920
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=709937320764081630 --mojo-platform-channel-handle=2872 /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2580
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --service-pipe-token=1352623981694600575 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1352623981694600575 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2660
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=9186023500037611215 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=1 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=9186023500037611215 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1544 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1816
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=9119957253188459380 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=1 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=9119957253188459380 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3444
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=11686087155279890722 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=1 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11686087155279890722 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2160
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=13228244204595239453 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=1 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=13228244204595239453 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2232
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=7468565838685298132 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7468565838685298132 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1876
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=13630694000593341916 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=13630694000593341916 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2560
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=5902440895836538491 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=5902440895836538491 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4292
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=11746925876476104948 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11746925876476104948 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4888
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=1373917873332735731 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=3 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1373917873332735731 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4712
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=5858789580594926992 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=3 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=5858789580594926992 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4844
      - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
        
        "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --autoplay-policy=no-user-gesture-required --ms-disable-indexeddb-transaction-timeout --disable-features=SpareRendererForSitePerProcess --disable-databases --disable-gpu-compositing --service-pipe-token=1121404769757172874 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --native-window-open --preload="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar\WebViewPreload.js" --background-color=#fff --guest-instance-id=3 --enable-blink-features --disable-blink-features --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=1121404769757172874 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2468
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\Admin\AppData\Local\Temp\skype-preview Crashes" --v=1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "whoami /groups /fo csv"
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\whoami.exe
    whoami /groups /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=5252982084401044627 --mojo-platform-channel-handle=2200 --ignored=" --type=renderer " /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3388

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2904
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\Admin\AppData\Local\Temp\skype-preview Crashes" --v=1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "whoami /groups /fo csv"
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\whoami.exe
    whoami /groups /fo csv
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7125913275172187518 --mojo-platform-channel-handle=2284 --ignored=" --type=renderer " /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Skype for Desktop\D3DCompiler_47.dll

Filesize
3.5MB

MD5
587a415cd5ac2069813adef5f7685021

SHA1
ca0e2fe1922b3cdc9e96e636a73e5c85a838e863

SHA256
2ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851

SHA512
0fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
79.7MB

MD5
67055506ca43e8cbb494a3c6b4ca47c5

SHA1
20268800367c815d85315e1632e6b32c4c0e5f50

SHA256
ad7e672c799f0c19ef78aace88d71fa5bcbdef61af0dccbbd81843d1a25c7490

SHA512
944fe12fdabd53f0b176d1f964d2672d140c881c9c6facb60f0011b7905c94cc6171faa495da8bfca1a36aadfa3e5bbe3b1b8bfe16c0cfcf30d514641d03d613

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\chrome_100_percent.pak

Filesize
176KB

MD5
6bc3c299d9e24718c066edad063619b8

SHA1
65ae83f994992d032fbdd7544280f5cd5e240103

SHA256
971698362570b8e7dd79e9eed8aeb28443535053787e7b5e8bbf0cb477b5f99d

SHA512
99ddd1af09588b8bac7c293e3598db498f7279711ad691c80072987d55cfbe53651458a61e820d75f3bec04f119aab0f0e700a52c4b56cca2c0e3bacac19da90

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\chrome_200_percent.pak

Filesize
287KB

MD5
1cc200bc1a1c416a0f5b34d138c49d85

SHA1
777a70499eb27bda881104b581de1a242caf49b2

SHA256
7afe6e166dc44329e99c218b3f783c14ff0c67b036806d6a5247dbae694a649a

SHA512
31c4f06814ef4361a72e7bae264e754d4398d92ed5b2306ebed8625118655e8feda1df2f40c2f1a630ca2b62ee7fd34f3373203265835e791ebb90e0f979e0b1

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\d3dcompiler_47.dll

Filesize
3.5MB

MD5
587a415cd5ac2069813adef5f7685021

SHA1
ca0e2fe1922b3cdc9e96e636a73e5c85a838e863

SHA256
2ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851

SHA512
0fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
1.8MB

MD5
67068eeffdbea1702fe19c462c0d6a8b

SHA1
eb16f57900bb02569a62ee40600bd1c98b027675

SHA256
a8c078aef94bc1a90382a134bf8581c2d50624e51cba51bd90a76ea13b38b47a

SHA512
9329c4b64817bf8f72ccc5b913547121f9a4f303af9425bda3c2498e6bc4817257b881d08f8ae2e6f035a91bb368832d7970af610b345a69d6bb7ca2b662b231

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\icudtl.dat

Filesize
9.8MB

MD5
65c6337820fbe9bf2498a9395e3b20f2

SHA1
5cc62646e6c73b4be276d08719bc5e257af972bb

SHA256
33da1cdda18eaea52011d40ae9a610cac9f6466156e9803891ee77294607aee4

SHA512
4800f03577a46a98a4bd786dc37a380f4169540e243fdb7835e3146fba0d0e1d07a7e3ec8cd23566feb00d204d582d678698ae61db156339fe56229de0b267c9

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\en-US.pak

Filesize
63KB

MD5
542df8e581c306511d5f8a9463724b84

SHA1
f0a0f22300151cd39f67e17043ef9f79ba57faa2

SHA256
52ece805cf288fdb16b60cf30ee0604583c1859d5986a7f5e42846eb5b83a7c2

SHA512
8577a4e2ee2078941816c816573bc1cfc296eaaa39ecb625783074bac47827fab3d2d0f757f528d1d556724388b15f0e10f1efb7ca1619db84fceca0471b41ef

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\natives_blob.bin

Filesize
81KB

MD5
e350965916554e65a47305a6ab27c2ba

SHA1
9d60e499a907811a3155e9a07f8645d6c83cb909

SHA256
1cae202ada016cf455abf69d583524a1d37a1371ad4efdfac4baed07c6402bdd

SHA512
c6044b769a00f887b573ad35a7f5b71f6134d2d596a54effa50710be2f528acefea53ae4a2847e16c1b4e56962d8b0fe24f1ea4a04bfe167514b0abddb4fb5a8

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources.pak

Filesize
8.1MB

MD5
18601c14d596f2fe31e8b86fa38b0123

SHA1
316a6d4f01ea7fcbb0913a8c311a6354c6e4b4e0

SHA256
69f3d8af0c82346cfb89f7b94c9c89a399aecf730318849f54fcd82145146e40

SHA512
343eb068b1b023ed10f0d882d921c063ecb565662cf03d84a0ceed24dd7808d1c436f6c256b24edc04fc414eabdae12af7b075a15ebfedc820e00126bf0bc8c7

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar

Filesize
46.7MB

MD5
6a085dc46915be920607b93b15e5e9b1

SHA1
9ba74f96bd9150ce8eccd3fdf3cdbb87f6799f44

SHA256
e629a54da4ae5d350779902014bc96d2d7829cc06c9b4edf3450c31306d812ab

SHA512
b3301802e918d8e7332c07f43e9536c341c4afb8d27cef19df3e4ecd67b09c2ee4f3c974303a8d954206e3e4e35c88a1305283a23b4c28ba96db971f8a9a8115

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\@felixrieseberg\spellchecker\build\Release\spellchecker.node

Filesize
770KB

MD5
bd8c2b5bd758d214cfebaef40b75829a

SHA1
b32375704a0b3b930d0279726775170682953aa8

SHA256
2da2fdfb00fb37a72b1ede41b7438aaf97449f106b40aafa7b50948eb5c61f96

SHA512
6c715605b0d74fa0d570639eb58964d270614cfa490a987c2224fb327c603667d242b895d9f06167669a534a905a66851e4a16610bfb6ef650f6485804ac2aba

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\@felixrieseberg\spellchecker\build\Release\spellchecker.node

Filesize
770KB

MD5
bd8c2b5bd758d214cfebaef40b75829a

SHA1
b32375704a0b3b930d0279726775170682953aa8

SHA256
2da2fdfb00fb37a72b1ede41b7438aaf97449f106b40aafa7b50948eb5c61f96

SHA512
6c715605b0d74fa0d570639eb58964d270614cfa490a987c2224fb327c603667d242b895d9f06167669a534a905a66851e4a16610bfb6ef650f6485804ac2aba

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\desktop-idle\build\Release\desktopIdle.node

Filesize
405KB

MD5
46e55017c7a5bd8ebe93134e7d11c4a4

SHA1
1968fb93779527cff59917af3f0d89846a230fb4

SHA256
05380e426ed65eb7b9cd3fcacc05dbf1e4144590f757905f0618ad917020556b

SHA512
c53ffbac37d51d018c560e7e599a6d0b0523d66f6d438dd459b5edd6e8780416f7d70dec07c9b4a507a879bb2d4faac07e5d8d079f72132d06649b8eda1e4b4a

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\desktop-idle\build\Release\desktopIdle.node

Filesize
405KB

MD5
46e55017c7a5bd8ebe93134e7d11c4a4

SHA1
1968fb93779527cff59917af3f0d89846a230fb4

SHA256
05380e426ed65eb7b9cd3fcacc05dbf1e4144590f757905f0618ad917020556b

SHA512
c53ffbac37d51d018c560e7e599a6d0b0523d66f6d438dd459b5edd6e8780416f7d70dec07c9b4a507a879bb2d4faac07e5d8d079f72132d06649b8eda1e4b4a

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node

Filesize
453KB

MD5
bc6eb0065099f64dba988ec458a22195

SHA1
f885a480bbedaf1dbd08be895c9842a32eb6ff84

SHA256
e22a7a8f4298ff2f0e0008c5d0fc722caaf37d79f8a5a78c2b4521cb26e936c0

SHA512
1fac5c1cb9b23179ecd6968dc251ad99db3a2ea0aa0ddf0ad3875c23addc1c0fbc8d923e052ae0cf5f6633582ac36e05bd0d76619cbc788195bcccda4b69e6fc

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node

Filesize
453KB

MD5
bc6eb0065099f64dba988ec458a22195

SHA1
f885a480bbedaf1dbd08be895c9842a32eb6ff84

SHA256
e22a7a8f4298ff2f0e0008c5d0fc722caaf37d79f8a5a78c2b4521cb26e936c0

SHA512
1fac5c1cb9b23179ecd6968dc251ad99db3a2ea0aa0ddf0ad3875c23addc1c0fbc8d923e052ae0cf5f6633582ac36e05bd0d76619cbc788195bcccda4b69e6fc

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

Filesize
448KB

MD5
2dd026b850de29c9ab7de1af8463d635

SHA1
06947e1f0a130f96f704d6ad55874140094392e9

SHA256
4e0d89faf67b4e21eccc6ba6bc4c3f9b461848f238bbbfc8985010f221e4e7f6

SHA512
73e0a3d68b47f11e1f3e1b2e266bec46f081e48fb2eaffbef3f67b5f97aefc88ea47e64fc1db5b21b6fa2f250c4a03c23a341f6d621d9de6c1de2456546fcb50

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

Filesize
448KB

MD5
2dd026b850de29c9ab7de1af8463d635

SHA1
06947e1f0a130f96f704d6ad55874140094392e9

SHA256
4e0d89faf67b4e21eccc6ba6bc4c3f9b461848f238bbbfc8985010f221e4e7f6

SHA512
73e0a3d68b47f11e1f3e1b2e266bec46f081e48fb2eaffbef3f67b5f97aefc88ea47e64fc1db5b21b6fa2f250c4a03c23a341f6d621d9de6c1de2456546fcb50

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmControl.dll

Filesize
124KB

MD5
1e6d54fc9620b58f9e5011ae4cccb31d

SHA1
10778a0b318796220c2b8a0c361f113f93a1d68d

SHA256
e5aebdb0b542bd67113d9db7c88260a3fe988dd581601ec62a932707514570d4

SHA512
f24f4efce0d880764eb341e4062a7601aa03c7c9857e4f63e2b336dd0fc192e10530a2631ed4e5408df376b032af3d678626a7ed55a87df3b871cb22b965c02c

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmControl.dll

Filesize
124KB

MD5
1e6d54fc9620b58f9e5011ae4cccb31d

SHA1
10778a0b318796220c2b8a0c361f113f93a1d68d

SHA256
e5aebdb0b542bd67113d9db7c88260a3fe988dd581601ec62a932707514570d4

SHA512
f24f4efce0d880764eb341e4062a7601aa03c7c9857e4f63e2b336dd0fc192e10530a2631ed4e5408df376b032af3d678626a7ed55a87df3b871cb22b965c02c

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmPal.dll

Filesize
767KB

MD5
64915fac4464470c84e2126dcdbc3079

SHA1
4d324a2f569cea6a1fbed8d1ace4c145093f1119

SHA256
4f00afbbe4324e1f467f9031eb3ea1f5447d1aa264ea980b578f18b75e274128

SHA512
1311ffdb764b0fedc75f3ed9321588e8218c3dbc8c64cc1ee58df20d65a931e6dbf229e3f78d05249d48389e29f028670ec26159015dcd065f9c4b8c9f983611

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmPal.dll

Filesize
767KB

MD5
64915fac4464470c84e2126dcdbc3079

SHA1
4d324a2f569cea6a1fbed8d1ace4c145093f1119

SHA256
4f00afbbe4324e1f467f9031eb3ea1f5447d1aa264ea980b578f18b75e274128

SHA512
1311ffdb764b0fedc75f3ed9321588e8218c3dbc8c64cc1ee58df20d65a931e6dbf229e3f78d05249d48389e29f028670ec26159015dcd065f9c4b8c9f983611

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\sharing-indicator.node

Filesize
110KB

MD5
7fd80563c958df7994ec45189ef034fd

SHA1
05e00d1cb36c418badb0936fdb9e775de421b8f5

SHA256
d0675a07ecd93ad221cbefb91d095027864edd0f14d61bedf4b143e693a27338

SHA512
da32d68fcaa3db60ff4ff57794a02e80e117d47776e0bd6337aa42bf331338c403f80bb26dbffd401775cb2dcdbe29681deeb578da8151473a79a301db24063b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\sharing-indicator.node

Filesize
110KB

MD5
7fd80563c958df7994ec45189ef034fd

SHA1
05e00d1cb36c418badb0936fdb9e775de421b8f5

SHA256
d0675a07ecd93ad221cbefb91d095027864edd0f14d61bedf4b143e693a27338

SHA512
da32d68fcaa3db60ff4ff57794a02e80e117d47776e0bd6337aa42bf331338c403f80bb26dbffd401775cb2dcdbe29681deeb578da8151473a79a301db24063b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll

Filesize
2.6MB

MD5
fa12654ae0506377c27d164180656d55

SHA1
cd08817c0646b6eb94573d27cb4506abbda93ea6

SHA256
77ae2bca39cc724ea6f351523a1198e9add0c2339642a4a34f190d69b13b2bd2

SHA512
805c57fea456a15012a2dc0603d0a5c1f70310758adf053117601ddaefeaa76287d15f3387977b701c6f5d1f7b07aeb576d6649af756d6afb94d226f7978af58

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll

Filesize
2.6MB

MD5
fa12654ae0506377c27d164180656d55

SHA1
cd08817c0646b6eb94573d27cb4506abbda93ea6

SHA256
77ae2bca39cc724ea6f351523a1198e9add0c2339642a4a34f190d69b13b2bd2

SHA512
805c57fea456a15012a2dc0603d0a5c1f70310758adf053117601ddaefeaa76287d15f3387977b701c6f5d1f7b07aeb576d6649af756d6afb94d226f7978af58

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll

Filesize
2.6MB

MD5
fa12654ae0506377c27d164180656d55

SHA1
cd08817c0646b6eb94573d27cb4506abbda93ea6

SHA256
77ae2bca39cc724ea6f351523a1198e9add0c2339642a4a34f190d69b13b2bd2

SHA512
805c57fea456a15012a2dc0603d0a5c1f70310758adf053117601ddaefeaa76287d15f3387977b701c6f5d1f7b07aeb576d6649af756d6afb94d226f7978af58

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll

Filesize
2.6MB

MD5
fa12654ae0506377c27d164180656d55

SHA1
cd08817c0646b6eb94573d27cb4506abbda93ea6

SHA256
77ae2bca39cc724ea6f351523a1198e9add0c2339642a4a34f190d69b13b2bd2

SHA512
805c57fea456a15012a2dc0603d0a5c1f70310758adf053117601ddaefeaa76287d15f3387977b701c6f5d1f7b07aeb576d6649af756d6afb94d226f7978af58

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll

Filesize
2.6MB

MD5
fa12654ae0506377c27d164180656d55

SHA1
cd08817c0646b6eb94573d27cb4506abbda93ea6

SHA256
77ae2bca39cc724ea6f351523a1198e9add0c2339642a4a34f190d69b13b2bd2

SHA512
805c57fea456a15012a2dc0603d0a5c1f70310758adf053117601ddaefeaa76287d15f3387977b701c6f5d1f7b07aeb576d6649af756d6afb94d226f7978af58

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\slimcore.node

Filesize
9.1MB

MD5
fcaa173a16138b5913c2e633a97cafad

SHA1
93367daf63cdafc57f5afc7ad79502d1ba482155

SHA256
173b4a836677560d0380172c94b2df1d476d7fb9b6684569398c089e56b16010

SHA512
cb4e9b0bba4bc1696b1c137e73d7e77388d970f39d46c309ceaa8168977bd6eb5680212d6722a0027079eb73423a5e0ae49b3180c83cee9a9e5a4d476bf7fb75

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\node_modules\slimcore\bin\slimcore.node

Filesize
9.1MB

MD5
fcaa173a16138b5913c2e633a97cafad

SHA1
93367daf63cdafc57f5afc7ad79502d1ba482155

SHA256
173b4a836677560d0380172c94b2df1d476d7fb9b6684569398c089e56b16010

SHA512
cb4e9b0bba4bc1696b1c137e73d7e77388d970f39d46c309ceaa8168977bd6eb5680212d6722a0027079eb73423a5e0ae49b3180c83cee9a9e5a4d476bf7fb75

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\electron.asar

Filesize
295KB

MD5
e9ef64a670eb4b1e460f2a590e298834

SHA1
5d5c0dee68f457771e6735a6ad9add3d3b185645

SHA256
524d09256f2a3314cc3799f1f953b19dea55155c2647ec8713c3856999ef0290

SHA512
b2c15fc7e419a4e2a1b90ead874a42c558ec850a7e13811074f71a1f4179c3afe21c888446fc5d767ed4d36b07ec5003ab4e35cd2dfdefcd561fe10322a69ac3

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\swiftshader\libEGL.dll

Filesize
118KB

MD5
fa31d43f2aaf8056e47679203f0cf36d

SHA1
4c86467b3cc896c0eb472e8de9d52985a7f7216c

SHA256
7eaa1a8547471439185d4497d2d31fcd198a70fe86ee19cbcee8593023644687

SHA512
8492c9b1c8b405c7710bc2200babd5062225691199009de44883e37e8437f04650fee81d6e4609024c097d524e7d545c0059585876b8add7b7a5f8cd0edcf55b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\swiftshader\libGLESv2.dll

Filesize
2.2MB

MD5
ac24514ccff1428a733e4f891fd58e85

SHA1
5c0be9010e21366761ed298484f15b143585ea3b

SHA256
04a0ee1b256b9f2c50c24a7205873daf81a7df0c673a84086eefc49f51a5df85

SHA512
496392c5c3decf14e363d480b20aa159ae09c62eb7b539240f576705ce37645a642a5f5c4b8009c4a2db0660da3735b4f937abaef3c08d63fad62e08f5a4d5be

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\swiftshader\libegl.dll

Filesize
118KB

MD5
fa31d43f2aaf8056e47679203f0cf36d

SHA1
4c86467b3cc896c0eb472e8de9d52985a7f7216c

SHA256
7eaa1a8547471439185d4497d2d31fcd198a70fe86ee19cbcee8593023644687

SHA512
8492c9b1c8b405c7710bc2200babd5062225691199009de44883e37e8437f04650fee81d6e4609024c097d524e7d545c0059585876b8add7b7a5f8cd0edcf55b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\swiftshader\libglesv2.dll

Filesize
2.2MB

MD5
ac24514ccff1428a733e4f891fd58e85

SHA1
5c0be9010e21366761ed298484f15b143585ea3b

SHA256
04a0ee1b256b9f2c50c24a7205873daf81a7df0c673a84086eefc49f51a5df85

SHA512
496392c5c3decf14e363d480b20aa159ae09c62eb7b539240f576705ce37645a642a5f5c4b8009c4a2db0660da3735b4f937abaef3c08d63fad62e08f5a4d5be

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\v8_context_snapshot.bin

Filesize
591KB

MD5
7c374281b8d3c0b7d2c899b5fae34344

SHA1
3c2690cc9cdefd3411e26ef34048500df56c5e56

SHA256
17d02ce9c3c0757083fcd7807f70a94a48b1311483da0051aa405d21333ae6c0

SHA512
2e7d57192ba342bc1e8c0bbcf8e807078854eb3089371e001d8d1e91a4546f056419363a399344eeb74a198357b167f6db3baa1121a0acb875795da40690c2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader.exe

Filesize
183KB

MD5
7df933c48f70841613a9f0092b5e4a31

SHA1
2c64c8627fc179cb76b0533552ca6ae74a6234cb

SHA256
8e553e9aa721db167bdeaf7748bb09d4f497e3a469fd09b6a995ea25d378f1fb

SHA512
33d6a428ee974be9ef1f51ae4a9980fe61e75a5a63e9b5810419eeb7eb5a53da4fcc6028503d766a266b7a2420fe0be6cd96c8a3329bfdd423e78df71c011ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\NativeUID.dll

Filesize
86KB

MD5
d47e7649fc7b9bd91c7d091fde71b889

SHA1
19f11f2135982df97b9fda8fa5c9ce7813c99b1e

SHA256
a2583dbfd24d9061954dc185d1d5e43cff71ccc1342c6e87d7c349b70e8fa9ab

SHA512
262510f7ced40dc69e804a2b675b71a2ca25e9195428a55537c6dc3a7845bdcc8a8273e83a439bac05bc15bb4d194810cdda2b08678a6a9cd8a0b5eb628f1017

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\botva2.dll

Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\botva2.dll

Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\fe0cfee13347c6b80085.exe

Filesize
65.4MB

MD5
dd980a253b65acaf78c731c12500d077

SHA1
66326eef904a8575598b937e2320f6105d9afec3

SHA256
2bfd7e9c1d110c1b0d258bee5cb5371ea326546f167d91457ae8e3dd22510255

SHA512
6892142fe664d8b4b982cf00f1ea4750bc54ea5d75bd90f0e65c69d80fd9b4455fc66971d081c551693bf2fd2820d27dadaade40450b1d1c3c296698d99feec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5USHL.tmp\fe0cfee13347c6b80085.exe

Filesize
65.4MB

MD5
dd980a253b65acaf78c731c12500d077

SHA1
66326eef904a8575598b937e2320f6105d9afec3

SHA256
2bfd7e9c1d110c1b0d258bee5cb5371ea326546f167d91457ae8e3dd22510255

SHA512
6892142fe664d8b4b982cf00f1ea4750bc54ea5d75bd90f0e65c69d80fd9b4455fc66971d081c551693bf2fd2820d27dadaade40450b1d1c3c296698d99feec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LI94F.tmp\Skype.tmp

Filesize
1.5MB

MD5
789fa963c8b4ea28f5c000fc02bcdcd1

SHA1
2b2c2731a02c75fcb4b229d17866319cbe9c709d

SHA256
823faf9171969b0572853dd345963717e17288a469c202cd64ee2370d3672278

SHA512
dbb7352aaedfba5eed90df36c0f800cfa55ee08eed3559ad76e27edb67c07b400b7ae18a262c2fbcaf0cfbfcac496a0bbba3d8dd9a939446042aced08fe9a393

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NKQV8.tmp\fe0cfee13347c6b80085.tmp

Filesize
1.4MB

MD5
c635ebd76d6edbc5217e6b8af374c735

SHA1
1f6ce32287857eddb7265520359003148f9b3e2b

SHA256
84715cac2c883f061765e11d8fb236fd07e14cb10cd48ee12a35d57292bfe44b

SHA512
c3695583d96ad7809ac8dad93c8b20685ec7ac13703a365daf300151c2cc1be06fa7d737ef1191a70fd7940cb6132a13ea60b3c7d2c2db8a01b9b99eaf972ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NKQV8.tmp\fe0cfee13347c6b80085.tmp

Filesize
1.4MB

MD5
c635ebd76d6edbc5217e6b8af374c735

SHA1
1f6ce32287857eddb7265520359003148f9b3e2b

SHA256
84715cac2c883f061765e11d8fb236fd07e14cb10cd48ee12a35d57292bfe44b

SHA512
c3695583d96ad7809ac8dad93c8b20685ec7ac13703a365daf300151c2cc1be06fa7d737ef1191a70fd7940cb6132a13ea60b3c7d2c2db8a01b9b99eaf972ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt

Filesize
2KB

MD5
7721d22f247b3c3382784cd0ca126b26

SHA1
59e3b7cdb42f6d8c7f0efaaa1c34701f8aeb2b03

SHA256
5f7e5d8b2327fee408dbe608629015ef462409a4da04131f313300816cdc9306

SHA512
0bbc7dddf01287caa9b1dabab6c562419490d4b8e76d08acedf4c976b5dc4c38a169c0153dd30f620e0551c5197f4e9208f1c41e3a1c8f4bab385fc98ad2c401

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic

Filesize
435KB

MD5
58f403a216e2c3c0e21e74a7b98fb720

SHA1
8b6f56b56c2139e704ef7844a0eafbfe960ff0ef

SHA256
6f3a0cd803bc7cabf54d1842981f5f78c89fda657b31f04911532a764061df0c

SHA512
cd05afedc5291b971ec659b6aefedd09f9b03d299540df30695bce586049bc5c7b44d71c08a264b1842b2a4427cf484eaab82f82f9ba9079909ddd2de94cda58

Download Submit
memory/3472-152-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3472-138-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3472-136-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3472-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4892-141-0x00000000060B0000-0x00000000060BF000-memory.dmp

Filesize
60KB

Download
memory/5056-146-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5056-169-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5056-151-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download