zloader | bd4ed965fbab660df571953482137e91a5af1a23c8a471b583d87e65266f64b2

Analysis

max time kernel
22s
max time network
63s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skype-8.88.0.401.exe
Size

84.6MB
MD5

a354d5d832f5a63c996be3ba24f3793c
SHA1

0eeabbd3654bcb95615ede909eca7f1d8cb1465e
SHA256

bd4ed965fbab660df571953482137e91a5af1a23c8a471b583d87e65266f64b2
SHA512

f745d04cae393227b344c4fe4ba1d9bdc36058527c1621fd38d19ccc6bdeb15dd4251e66e6db9a88ec41dd59ddf3de357920e58980ca089119416d92c9fc90fc
SSDEEP

1572864:KuEsMZ2eMCgMHNRZzU9P9X6TalSU3OTW+CnamF+U4wYVcnywmh0yyHXFK9auqj:KeM0MNQ6Ty3a3CT+amdwq0yyHXFoqj

Score

10^/10

zloader botnet discovery trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Executes dropped EXE 3 IoCs

Processes:

Skype-8.88.0.401.tmpSkype.exeSkype.exe

pid process

1256 Skype-8.88.0.401.tmp
1924 Skype.exe
840 Skype.exe

pid	process
1256	Skype-8.88.0.401.tmp
1924	Skype.exe
840	Skype.exe

Loads dropped DLL 16 IoCs

Processes:

Skype-8.88.0.401.exeSkype-8.88.0.401.tmpSkype.exeSkype.exe

pid	process
1356	Skype-8.88.0.401.exe
1256	Skype-8.88.0.401.tmp
1256	Skype-8.88.0.401.tmp
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
1924	Skype.exe
840	Skype.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

Skype-8.88.0.401.tmp

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-ADPE3.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-8M43M.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-KJV71.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-9LK6G.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-KLKED.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\d3dcompiler_47.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-0EQKH.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-FN3CR.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\is-KFPA4.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-0H3SL.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-GECHS.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\vcomp140.dll	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-string-l1-1-0.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-NBMBJ.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-LTKMQ.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-RNSJS.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\unins000.dat	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-string-l1-1-0.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-EKVS8.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-L3RMC.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-GH6NM.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-OFIPC.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-QMA5B.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\vccorlib140.dll	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-private-l1-1-0.dll	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\libGLESv2.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-82AF5.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-0DPUP.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-560A6.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-32H0U.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-70QJV.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\vulkan-1.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-4G3OS.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-4NB1L.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-DNO2P.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-timezone-l1-1-0.dll	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-MGS7M.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-KJMHM.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-93ATM.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-V0MB6.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-J2GLA.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-27LGU.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\is-FC93B.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\is-L9HMO.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-utility-l1-1-0.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-S867B.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-ODR70.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-IE63D.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-BA2DO.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-math-l1-1-0.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-TKIM0.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-87H0U.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-D0NLD.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-environment-l1-1-0.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-73VPS.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-VEEVV.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-B2DBC.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-NR95G.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-7TSO1.tmp	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-8D1PC.tmp	Skype-8.88.0.401.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\ucrtbase.dll	Skype-8.88.0.401.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-NJEQ8.tmp	Skype-8.88.0.401.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Skype.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Skype.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2000 taskkill.exe

pid	process
2000	taskkill.exe

Modifies registry class 27 IoCs

Processes:

Skype-8.88.0.401.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\skype	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tel\ = "URL:tel"	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tel\URL Protocol	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\callto\ = "URL:callto"	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\command	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\callto\URL Protocol	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe\" --share-file=\"%V\""	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\SkypeURL	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe\" \"%1\""	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\callto	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\tel	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\icon = "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe"	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\SkypeURL\DefaultIcon	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell\open	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype-meetnow\URL Protocol	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\MUIVerb = "@C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\SkypeContext.dll,-101"	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\DefaultIcon\ = "\"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe\""	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype\ = "URL:skype"	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\skype-meetnow	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype-meetnow\ = "URL:skype-meetnow"	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype\URL Protocol	Skype-8.88.0.401.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\SkypeURL\shell\open\command	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL	Skype-8.88.0.401.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell\open\command	Skype-8.88.0.401.tmp

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1476 reg.exe
1296 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Skype-8.88.0.401.tmp

pid process

1256 Skype-8.88.0.401.tmp
1256 Skype-8.88.0.401.tmp

pid	process
1476	reg.exe
1296	reg.exe

pid	process
1256	Skype-8.88.0.401.tmp
1256	Skype-8.88.0.401.tmp

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exeSkype.exe

description	pid	process
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeShutdownPrivilege	1924	Skype.exe
Token: SeShutdownPrivilege	1924	Skype.exe
Token: SeShutdownPrivilege	1924	Skype.exe
Token: SeShutdownPrivilege	1924	Skype.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Skype-8.88.0.401.tmpSkype.exe

pid process

1256 Skype-8.88.0.401.tmp
1924 Skype.exe
1924 Skype.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Skype.exe

pid process

1924 Skype.exe
1924 Skype.exe

pid	process
1256	Skype-8.88.0.401.tmp
1924	Skype.exe
1924	Skype.exe

pid	process
1924	Skype.exe
1924	Skype.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

Skype-8.88.0.401.exeSkype-8.88.0.401.tmpSkype.exe

description	pid	process	target process
PID 1356 wrote to memory of 1256	1356	Skype-8.88.0.401.exe	Skype-8.88.0.401.tmp
PID 1356 wrote to memory of 1256	1356	Skype-8.88.0.401.exe	Skype-8.88.0.401.tmp
PID 1356 wrote to memory of 1256	1356	Skype-8.88.0.401.exe	Skype-8.88.0.401.tmp
PID 1356 wrote to memory of 1256	1356	Skype-8.88.0.401.exe	Skype-8.88.0.401.tmp
PID 1356 wrote to memory of 1256	1356	Skype-8.88.0.401.exe	Skype-8.88.0.401.tmp
PID 1356 wrote to memory of 1256	1356	Skype-8.88.0.401.exe	Skype-8.88.0.401.tmp
PID 1356 wrote to memory of 1256	1356	Skype-8.88.0.401.exe	Skype-8.88.0.401.tmp
PID 1256 wrote to memory of 2000	1256	Skype-8.88.0.401.tmp	taskkill.exe
PID 1256 wrote to memory of 2000	1256	Skype-8.88.0.401.tmp	taskkill.exe
PID 1256 wrote to memory of 2000	1256	Skype-8.88.0.401.tmp	taskkill.exe
PID 1256 wrote to memory of 2000	1256	Skype-8.88.0.401.tmp	taskkill.exe
PID 1256 wrote to memory of 1924	1256	Skype-8.88.0.401.tmp	Skype.exe
PID 1256 wrote to memory of 1924	1256	Skype-8.88.0.401.tmp	Skype.exe
PID 1256 wrote to memory of 1924	1256	Skype-8.88.0.401.tmp	Skype.exe
PID 1256 wrote to memory of 1924	1256	Skype-8.88.0.401.tmp	Skype.exe
PID 1924 wrote to memory of 840	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 840	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 840	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 840	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 1476	1924	Skype.exe	reg.exe
PID 1924 wrote to memory of 1476	1924	Skype.exe	reg.exe
PID 1924 wrote to memory of 1476	1924	Skype.exe	reg.exe
PID 1924 wrote to memory of 1476	1924	Skype.exe	reg.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe
PID 1924 wrote to memory of 744	1924	Skype.exe	Skype.exe

C:\Users\Admin\AppData\Local\Temp\Skype-8.88.0.401.exe
"C:\Users\Admin\AppData\Local\Temp\Skype-8.88.0.401.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\is-QLE8I.tmp\Skype-8.88.0.401.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QLE8I.tmp\Skype-8.88.0.401.tmp" /SL5="$60126,88056815,404480,C:\Users\Admin\AppData\Local\Temp\Skype-8.88.0.401.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Skype.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1924

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=d6095a54-a64d-4425-8bdc-081eb0e93638&uid=d6095a54-a64d-4425-8bdc-081eb0e93638<##>aria://?_event=main_crashed&_token=a173030604a34bdcbf21ca59134c7430-2a34e3b5-60e1-4a11-ad6d-2e9eac9ac07c-6614&CrashType=native_crash&DeviceInfo.Id=d6095a54a64d4258bdc081eb0e936387&DeviceInfo.OsName=Windows_NT&DeviceInfo.OsVersion=6.1.7601&Platform_Id=1433&Platform_Uiversion=1433/8.88.0.401/ --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.88.0.401 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.0.9 --initial-client-data=0x340,0x344,0x348,0x33c,0x34c,0x7259358,0x7259368,0x7259374
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1228 --field-trial-handle=1388,i,8117244603261835245,15925950071843772342,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:744

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" /f
4⤵
- Modifies registry key
PID:1476

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
4⤵
- Modifies registry key
PID:1296

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=1472 --field-trial-handle=1388,i,8117244603261835245,15925950071843772342,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:1800

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1820 --field-trial-handle=1388,i,8117244603261835245,15925950071843772342,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --skype-process-type=Main --skype-window-id=__MAIN_ROOT_VIEW_ID__ /prefetch:1
4⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
83.6MB

MD5
ef060369bdf011f902feb2b1add5a4c7

SHA1
256dc84571532f846b4e55e12be01a3999ca1f20

SHA256
40a16c202cb52a6a06338ba2127ad39f93761c8f83025486f3042e73e00cfbca

SHA512
d7a2cf5ce8c1c165a358e0c6cfcb4aeffe6e51ae5b3f988ec5b3585893966c1332332c7c221890fe83361a32dc3591a72cc0958cbd094ef485673fa0c710c14a

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
71.5MB

MD5
004cc0d27c7b9e3a98071e630c931c12

SHA1
e375f9d1afe64ebcc835b51dd86e199508660b69

SHA256
b0b17ec797a10b17468a413359e1263d1f81991ea7dcc5a4bb29dab7468819bd

SHA512
2a562d233fb35a884fe0f3fd424dc2dc09a5dce3778cd6de4954575ee8ca9b651dd5154473be8aa040629d881cf8bcf6dc812933b56a02a5b68b53cea5869d59

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
35.2MB

MD5
c97b2d4fb441776ab6f1084fbced705c

SHA1
9d16164b61ae52c0fc33b610f6beece2027e2a60

SHA256
94bb40bedb79d56b46a07bd5f1a1871ffd0d7fc2e2c5118acf99cb7656193b2a

SHA512
260374b109e31142d8055215ada37debfa7bd84f0143217b657a96b8756228f10de27a3718b291812ffe756304196a7f3aedecc03e04800cb87310630912c9bf

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
39.8MB

MD5
0aded56eb5e92427f6bf43d7e1e52969

SHA1
7593a10a2d4078be988b44b32cfb1c11b405d914

SHA256
8285f15ff06cbc2cd000066e326bb2a62eebfb895d1d336b35784d4820d17605

SHA512
f98a3326ed64196a2d1b5e7471196fdb453394d2017f30b50e46821fd834568b9e3706356c07d3114f1c0a8d09e77325dfc73cbcc78d3937a977fb205b582736

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
63.4MB

MD5
4b2620d17a57823a8217cfccb681ec14

SHA1
b7ca565e6faea7cf1ff3a6765b386fff0e4efe8e

SHA256
c52d03520537fcdd0efec47992bf948d945f50fd4c8b9d08949b8b46cf62b183

SHA512
97a2a2a817dab63f2d0f4d0c83c8860b06ad20b8614afbbe8d4b7d0d75cf8b2c2cfbea6b3ab582a6a7d7f40ef17bea0fe31a921f884cdc8d6e367594940c723d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
80.9MB

MD5
f7af232ba84eaa93aaf7aa13b1bfb71c

SHA1
17e4a5e2d31195006e5d1cdab8530f077bbbf016

SHA256
9cd4aa165cb8600266ac00fb23797b2ddd4da5ba04d4e7f7b9114fe92f288437

SHA512
9976250fcdfcb47ed882f38681e20e8b03955f87dc9887a05a45669e8c7d8528b6c37d3af9211a91162d0a317731b4f34ffb845ba24c17cfc451971136edc9a1

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-2-0.dll
Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l2-1-0.dll
Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-localization-l1-2-0.dll
Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
18KB

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-timezone-l1-1-0.dll
Filesize
18KB

MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\chrome_100_percent.pak
Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\chrome_200_percent.pak
Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll
Filesize
2.4MB

MD5
56e7b0b0be922c473f0c4016a133f5f4

SHA1
1a6b850d8fef00b477e63638ea0bbaf841697fca

SHA256
8c54b5d78d6a00f6f108d247849ae9a38e03132968688ee090343cde6ddaac76

SHA512
0c353180001cb5cb1a17bcff10b38a004b59b1afb2a292de453e5f36479d76707ca0c70b145d38cd92b166ac8d107740a26e9b733f9970f0a7819b99925e5b2c

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\icudtl.dat
Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\en-US.pak
Filesize
112KB

MD5
a85c703969e69a5a6f7e379635fa42a5

SHA1
8c765404e54070c14ab49d2d1ef54d2a3a2f7ea6

SHA256
a9c5b333440a42b95b2ef043fecb95a2d2f4b2d0601be639643d01d86be3ba83

SHA512
8ab1106fd6f410164dece0e4f6cc67e57b8bfc72864b47a665f81d67d4028464e69f7c7f4e283956fe0556f71779cceb66466b0cd37f434dbdcb7d4f59492b82

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources.pak
Filesize
4.7MB

MD5
df68fa2bad8bc5d34aea8373122c2175

SHA1
084ff957974ec41b78069448851e8745bce8fbe2

SHA256
040683716db4a5cbff94493df6ec50f690eb5d37769028835ee5127f9aa4608f

SHA512
54e752893ab4f7c8f80b7272f97ac60c8762e8818ea4379e0713e3088fe56c63712fb9b2023782b0e717b8e7b85cd0e5c0c211aa458f0c74e5b0ae0ee81169a3

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar
Filesize
45.8MB

MD5
58072f60597f28ba8e85942e1f266796

SHA1
fed2a0e89c803032d3ab6987981cb4bf4cd3dbd7

SHA256
403d9b457fc84adc5989d993f3a5a0e3d196667f0fc2493f89be65329385bd6c

SHA512
b467ecd7596e937d2bc1224bbc4dca099c8918752495ccedddaaf6a193d21949b3f19a4ba9a81dd4b499b73df39156c992cc3df253264d0a4b29f3daac10011c

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-away.png
Filesize
294B

MD5
9834fdf81fe65f1c19f9997c47b080cb

SHA1
629b1977648b6407632eebed3ff19f3f1520f305

SHA256
5f01da2a9b135f1c8879419874f87c2a662342188cfa836556f25c9557ca07d0

SHA512
0ccc33f143faf24f81cb079acb0ca7b6803ef88e6563c2acecbbeba9242ecf1853bed7a9e54196f0ad7c973ad2616e51ca271b298fb07c51b0dd31a7e61036ca

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-away@2x.png
Filesize
562B

MD5
767336bb72d1ee7103b8695e9fad1bd9

SHA1
0af45423d7e86a5ed09e0a64d82387af0d8fb397

SHA256
1b5ba46a18edce48949b08882036fbf6176cfaaec41e7ecf7b9a4cb8366db809

SHA512
39d93ba8e5bab26844ff379d16975813e598349d11e4271355e251f3f43cc1b513a2fbcd51c09f4e4c09ed5cd09a18e5123e7623feb950668af8cf8182842057

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-donotdisturb.png
Filesize
359B

MD5
324a5cab7741d3ec7fca3f6163be9bf8

SHA1
9d47b2078cc870efad4c208dedb6bd9fb127b0c7

SHA256
ba4ac732fa5011992fe17fe0e01e217f2ba92d3cd27c9b5d8139bada160f898b

SHA512
967cc72663b8fd9531f5708786ed2afeec702c01751f99407c4b8ae860a3b13467f2e187769ea632c160f2899efdea87719e5665f26c44adc52edbe64e669b8b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-donotdisturb@2x.png
Filesize
685B

MD5
5da369f999ec7bb6f670fdba2f074422

SHA1
097620c947736f83744065a58ecda8aa3b0fbe07

SHA256
bff494b55ff74602fbb7181847035f22a82d30ac2a92a6a42dc6449ea6015066

SHA512
7a89b30d42f98f814e025668ec0247703c3e402aa7c14b1cf818912cc3a74166d0cc662b418cadb82e922db6f61925b39163dc86012f174b63a8cc730ed7e4aa

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-hidden.png
Filesize
398B

MD5
f847bc40a4769792230765fd101b715e

SHA1
9753ce33252a0b6ca23f36a9d6f53202d148b900

SHA256
a8be87fc996f60e0c6a9b2991e7cd757198e4ac0db80132bf4eecaea626861ae

SHA512
ff7c9950324f0c7203312f28ddca26a490877ddd1453975c083b49d088abff5f8b7fe49e1460731a7ff5ebe650d059d9eeac067ca3c10c4dbb8eee3fe458f15b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-hidden@2x.png
Filesize
872B

MD5
5b1c0544d938f7b90d02430c91776c4b

SHA1
b508a3f8dabe5d8071b5be41bbb628785dd0f6d6

SHA256
d666683821c01485b2a46cc40a9b6956903c12d8bf344224263005589fedf330

SHA512
a3e6b6fe5fe0922c20d11897b35ea2d17b8f18425f5d5d8b753e41d097413cc33aba68a243d1bc7af25435f2256a3f2bab8817ffc3ba4af9a102875fe4bb628d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-online.png
Filesize
331B

MD5
b6f201d0aa98781ed3c62d21f5180c2b

SHA1
8fae0048e6d699e0a8bbb411e553a91721712d6b

SHA256
532b6a446404d7bc0eaf25159099f070f13149c074dc96f5dfb5609a3025277b

SHA512
24e5f1996999ebe99693be2afebb89927c94dda7ec7d3bc40376e48de5a6a086d521eb0883712493c7c2b7798d3ae82f9d85311425b5e391818f2f27991c1cdf

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-online@2x.png
Filesize
629B

MD5
6fe4b2fae57b1d4c0417745fab16f96a

SHA1
a8c8057a4090f65d82e18624be751d2f2e6d552c

SHA256
e540a9dd19c7e999e8a0614dcc1c01b47542bfb1c45f4944f1748cce28e187f7

SHA512
f2be6edd9e4889948c04c250e72fa4e74a5544b8d3a848ccee2b70fb7b7dab68fadbcec343dd9d4032c4550116f6dfd104ccf8c1805cef87c38f4d300e39c77f

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\win\tray-offlineTemplate.ico
Filesize
104KB

MD5
6829d32c8496b84cefa32e6030e356da

SHA1
5f2b0331147da4185ee21ac62b890c36c48329bf

SHA256
e437c7e735977ad406d9df0c9e1a956cd7a9f98f7b387a21b39d67447ad55b04

SHA512
e85b18790a8b521476b0610358c055f54e5c12b48687946df569eec0b5237a39dca3f3b4eecc44da2a17c4187ef3279b3087e2fa40357ce9bd311c5ab4de3bd2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmControl.dll
Filesize
115KB

MD5
9b6668f114410369cacb58f8feee0955

SHA1
b2d1e31e598ff4cfbff1d4a83fc88e408ab60d46

SHA256
b1eb94be95d9d9528e5eec0c57ae023ac6e76b6aa2a4c5b2c6d22649c091f2cf

SHA512
c429a55bb6b522d24cb1e1c8e3f5cdaf1189946107358177e30444051858bd0ef1975a737ed3061343d75fd09ef6b0f5dadd193c42bae65da2ef68286e00f70d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmPal.dll
Filesize
810KB

MD5
ba19390901659c6b16cdf63982c32270

SHA1
f425c25105890c483b2aeb2434cde64afe2689a6

SHA256
820d129d40a792c3545c12d27f6ad86b712a2c2589b2a119938f4f27dc58c6ec

SHA512
74f7b6c8558623fc81148a738ee71bf3426b94bde53695abd4b41cc08729a3b70c419dbc1424dbc2f066a75206df1b16c2b5c80c3a66cd850474d0cc7f3346a3

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\electron_utility.node
Filesize
825KB

MD5
072a51c6af202698ed8d6f048b983302

SHA1
746f49ba9e3b9f1894d25b3ed4e608b9d6417690

SHA256
e5a551fe3ce173d0d960b2188c6918a69caad5cd555eb7c6bff4295f68247e7f

SHA512
5f1fcc7acaa0d653923748b4792b1fda978bd023290c71377c0edf4b2e99d853e4206392fae22989d32ab8f4fdc1b097836ee1d4798da9d360dd37d9ca9e39e1

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\sharing-indicator.node
Filesize
104KB

MD5
9e05fd03af1d0d866814005b1eaa9ef1

SHA1
3924c9687e17e51491fc8e1fb0ba78b254c634a5

SHA256
8d6811a9ba1d1284fcb91909e43072767a0c49006bab6d6e0ee309384e5fb053

SHA512
d4164b50fba3ab2b9bfa13d775748f38f12d2abb9776c0dad102f4fffeb9aa550bee98f8d1d256be51504b67116f1cf4567bde70591eb9e1c4ddd1a41f9dc97a

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll
Filesize
2.9MB

MD5
15df8a9ab82d8f7228dc1c15800ee95b

SHA1
07448c1fbacd3590c8c50c6a8ed9922db2a5c8dd

SHA256
a9d037467736c81fc7d14f8104f88b9bb97791c91525f87ef80f71fd512f5a1b

SHA512
1bdd6081302780e73906b4f88c108e778e799cfb69c5b88a608ad3da6ff208078a893e59d0ba09e27783e37f952f05fe6ec2092da255e2fe94b7bc8a886ef69f

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ucrtbase.DLL
Filesize
1.1MB

MD5
6343ff7874ba03f78bb0dfe20b45f817

SHA1
82221a9ac1c1b8006f3f5e8539e74e3308f10bcb

SHA256
6f8f05993b8a25cadf5e301e58194c4d23402e467229b12e40956e4f128588b3

SHA512
63c3d3207577d4761103daf3f9901dd0a0ae8a89694ad1128fd7e054627cdd930d1020049317c5a898411735e2f75e2103ae303e7e514b6387a3c8463a4fb994

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\v8_context_snapshot.bin
Filesize
596KB

MD5
9cf618687bbd261c2027bf10671a7b73

SHA1
c0231f7fd1fb116067478338c9d69bbe0ec57d0d

SHA256
9cd23cfe0e627d930127cf27442be319a5548aa4f039d04a9216371236fede9f

SHA512
eceb31bd6974d2c16b3cabbf821c058845ca8c02f1482caa95bf3c5acd41c6a25c3d7940dd8f0ff510c05b41d7b8e2246e3e9e9a17e84d31e504104a2a9c4239

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLE8I.tmp\Skype-8.88.0.401.tmp
Filesize
1.4MB

MD5
42d7f6491cb9a07c4e25cac42a3b395b

SHA1
75b5c00ab9277bbe578502bfbef743e7c04564c1

SHA256
f58a9f68802fbc1cacdb07cc357136fb217ad47897355dac962a1e239fe9591d

SHA512
f9df478b4d2076a1ea2b09f711afb7425d0b9ea57c06d90749ca20ec9c4c110720061b62d9fff047d69e7214deb239673be3b33df77742bc64fbfce2014f3750

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLE8I.tmp\Skype-8.88.0.401.tmp
Filesize
1.4MB

MD5
42d7f6491cb9a07c4e25cac42a3b395b

SHA1
75b5c00ab9277bbe578502bfbef743e7c04564c1

SHA256
f58a9f68802fbc1cacdb07cc357136fb217ad47897355dac962a1e239fe9591d

SHA512
f9df478b4d2076a1ea2b09f711afb7425d0b9ea57c06d90749ca20ec9c4c110720061b62d9fff047d69e7214deb239673be3b33df77742bc64fbfce2014f3750

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat
Filesize
40B

MD5
eae1d4db2656695750eb7ffc27defdf0

SHA1
d8cb48eb30c2e6898e6f009e56f264969bb11fa3

SHA256
d5ebb3debb8cf3b52f6cec489748ef2ed7cbd1336483fa56f149ddfc8413d74e

SHA512
9224b3686e79d04a6d04996d7ac86c9cc1cd5cfaaa3b2d07cd90b9674f6415a88ec5a152b7b4ee43ff866b85afb5556b8467a4edd2c5086781bc18404ab6a1a0

Download Submit
\??\pipe\crashpad_1924_JVTPUVOQDKGTKGEV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
55.6MB

MD5
89e757a0a837c70a55f96f35f505d454

SHA1
29def661731cbaccf2d0444b72fea27c2a78fef4

SHA256
c8a855fb19eda09310945e14208f16b4517a39ec2bf1a927cb04be9e74c5d52b

SHA512
42a8d6387bc9c201397ab34d2ab6a55c63ec2fbbbfa3544778664da799bef5710d1065586a3b4bb6fe733f9cc3455d0400099610ac622be78243f1cee6155092

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Filesize
56.8MB

MD5
0faeeba6337a197694264e21a7ee80ad

SHA1
570205f6229f344e73be9a04f6afb6dcb6133170

SHA256
2319f924284f5138f8e6549a29b2d29ea2541bd2bd6f4d91ae182e2e4afa1957

SHA512
8210b86cef3fb7c93335acf2609fe31308ca175a087e7bba79892dcfb5a5a76d19c61dfa55527547b80fde97bbdbfabcc4c3e4af99cb02bce108ad539b1e90a2

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-2-0.dll
Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l2-1-0.dll
Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-localization-l1-2-0.dll
Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
18KB

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-timezone-l1-1-0.dll
Filesize
18KB

MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll
Filesize
2.4MB

MD5
56e7b0b0be922c473f0c4016a133f5f4

SHA1
1a6b850d8fef00b477e63638ea0bbaf841697fca

SHA256
8c54b5d78d6a00f6f108d247849ae9a38e03132968688ee090343cde6ddaac76

SHA512
0c353180001cb5cb1a17bcff10b38a004b59b1afb2a292de453e5f36479d76707ca0c70b145d38cd92b166ac8d107740a26e9b733f9970f0a7819b99925e5b2c

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll
Filesize
2.4MB

MD5
56e7b0b0be922c473f0c4016a133f5f4

SHA1
1a6b850d8fef00b477e63638ea0bbaf841697fca

SHA256
8c54b5d78d6a00f6f108d247849ae9a38e03132968688ee090343cde6ddaac76

SHA512
0c353180001cb5cb1a17bcff10b38a004b59b1afb2a292de453e5f36479d76707ca0c70b145d38cd92b166ac8d107740a26e9b733f9970f0a7819b99925e5b2c

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll
Filesize
2.4MB

MD5
56e7b0b0be922c473f0c4016a133f5f4

SHA1
1a6b850d8fef00b477e63638ea0bbaf841697fca

SHA256
8c54b5d78d6a00f6f108d247849ae9a38e03132968688ee090343cde6ddaac76

SHA512
0c353180001cb5cb1a17bcff10b38a004b59b1afb2a292de453e5f36479d76707ca0c70b145d38cd92b166ac8d107740a26e9b733f9970f0a7819b99925e5b2c

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll
Filesize
2.4MB

MD5
56e7b0b0be922c473f0c4016a133f5f4

SHA1
1a6b850d8fef00b477e63638ea0bbaf841697fca

SHA256
8c54b5d78d6a00f6f108d247849ae9a38e03132968688ee090343cde6ddaac76

SHA512
0c353180001cb5cb1a17bcff10b38a004b59b1afb2a292de453e5f36479d76707ca0c70b145d38cd92b166ac8d107740a26e9b733f9970f0a7819b99925e5b2c

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmControl.dll
Filesize
115KB

MD5
9b6668f114410369cacb58f8feee0955

SHA1
b2d1e31e598ff4cfbff1d4a83fc88e408ab60d46

SHA256
b1eb94be95d9d9528e5eec0c57ae023ac6e76b6aa2a4c5b2c6d22649c091f2cf

SHA512
c429a55bb6b522d24cb1e1c8e3f5cdaf1189946107358177e30444051858bd0ef1975a737ed3061343d75fd09ef6b0f5dadd193c42bae65da2ef68286e00f70d

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmPal.dll
Filesize
810KB

MD5
ba19390901659c6b16cdf63982c32270

SHA1
f425c25105890c483b2aeb2434cde64afe2689a6

SHA256
820d129d40a792c3545c12d27f6ad86b712a2c2589b2a119938f4f27dc58c6ec

SHA512
74f7b6c8558623fc81148a738ee71bf3426b94bde53695abd4b41cc08729a3b70c419dbc1424dbc2f066a75206df1b16c2b5c80c3a66cd850474d0cc7f3346a3

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\electron_utility.node
Filesize
825KB

MD5
072a51c6af202698ed8d6f048b983302

SHA1
746f49ba9e3b9f1894d25b3ed4e608b9d6417690

SHA256
e5a551fe3ce173d0d960b2188c6918a69caad5cd555eb7c6bff4295f68247e7f

SHA512
5f1fcc7acaa0d653923748b4792b1fda978bd023290c71377c0edf4b2e99d853e4206392fae22989d32ab8f4fdc1b097836ee1d4798da9d360dd37d9ca9e39e1

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\sharing-indicator.node
Filesize
104KB

MD5
9e05fd03af1d0d866814005b1eaa9ef1

SHA1
3924c9687e17e51491fc8e1fb0ba78b254c634a5

SHA256
8d6811a9ba1d1284fcb91909e43072767a0c49006bab6d6e0ee309384e5fb053

SHA512
d4164b50fba3ab2b9bfa13d775748f38f12d2abb9776c0dad102f4fffeb9aa550bee98f8d1d256be51504b67116f1cf4567bde70591eb9e1c4ddd1a41f9dc97a

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll
Filesize
2.9MB

MD5
15df8a9ab82d8f7228dc1c15800ee95b

SHA1
07448c1fbacd3590c8c50c6a8ed9922db2a5c8dd

SHA256
a9d037467736c81fc7d14f8104f88b9bb97791c91525f87ef80f71fd512f5a1b

SHA512
1bdd6081302780e73906b4f88c108e778e799cfb69c5b88a608ad3da6ff208078a893e59d0ba09e27783e37f952f05fe6ec2092da255e2fe94b7bc8a886ef69f

Download Submit
\Program Files (x86)\Microsoft\Skype for Desktop\ucrtbase.dll
Filesize
1.1MB

MD5
6343ff7874ba03f78bb0dfe20b45f817

SHA1
82221a9ac1c1b8006f3f5e8539e74e3308f10bcb

SHA256
6f8f05993b8a25cadf5e301e58194c4d23402e467229b12e40956e4f128588b3

SHA512
63c3d3207577d4761103daf3f9901dd0a0ae8a89694ad1128fd7e054627cdd930d1020049317c5a898411735e2f75e2103ae303e7e514b6387a3c8463a4fb994

Download Submit
\Users\Admin\AppData\Local\Temp\is-QLE8I.tmp\Skype-8.88.0.401.tmp
Filesize
1.4MB

MD5
42d7f6491cb9a07c4e25cac42a3b395b

SHA1
75b5c00ab9277bbe578502bfbef743e7c04564c1

SHA256
f58a9f68802fbc1cacdb07cc357136fb217ad47897355dac962a1e239fe9591d

SHA512
f9df478b4d2076a1ea2b09f711afb7425d0b9ea57c06d90749ca20ec9c4c110720061b62d9fff047d69e7214deb239673be3b33df77742bc64fbfce2014f3750

Download Submit
memory/744-154-0x0000000000000000-mapping.dmp

Download
memory/840-98-0x0000000000000000-mapping.dmp

Download
memory/1196-158-0x0000000000000000-mapping.dmp

Download
memory/1256-58-0x0000000000000000-mapping.dmp

Download
memory/1256-63-0x0000000074A21000-0x0000000074A23000-memory.dmp

Filesize
8KB

Download
memory/1296-143-0x0000000000000000-mapping.dmp

Download
memory/1356-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1356-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1356-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1356-102-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1476-124-0x0000000000000000-mapping.dmp

Download
memory/1800-155-0x0000000000000000-mapping.dmp

Download
memory/1924-67-0x0000000000000000-mapping.dmp

Download
memory/2000-62-0x0000000000000000-mapping.dmp

Download